XZ Backdoor: Not the End of Open Source

submited by
Style Pass
2024-04-04 13:00:10

When I stumbled across a post that an encryption library offers a potential backdoor to SSH connectivity on Good Friday, my first thought was: why is it always on a Friday that these things drop? And then my second one: oh bugger, here goes my weekend. Now, I won’t go into the technical details, there are many, many, many, many better resources out there, but I can’t help thinking that this would/should force the software industry to think.

A scenario akin to the Baltimore bridge disaster was averted by the heroics of Andres Freund a Microsoft engineer who was surprised to see the SSH performance go down and decided to investigate. We all owe this man a beer, otherwise this could have been so, so much worse:

If this hadn’t been caught, potentially quite a few linux distributions would have had a backdoor. And considering that patching is important, this would have made it quite a few distributions across the globe, giving the attacker almost unprecedented access.

Thankfully, indications are that even though I had the backdoored lib on my machine, it wouldn’t have been exploited. People using homebrew and Kali (oh the irony) were exposed to the vulnerable lib too, as this is a Remote Code Execution that needs to be combined with several triggers, I’m banking on it not having rooted me.

Leave a Comment