Thursday, April 04, 2024

Re: lcamtuf on the recent xz debacle

On Thu, Apr 04, 2024 at 09:17:18PM +0000, Katherine Mcmillan wrote:
> I have seen the following comment, or similar, in several articles now:
> "On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor<https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/> had been intentionally planted in xz Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems." https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
>
> There are a couple of problems with this statement, but I just want to focus in on the "almost all installations of Linux and other Unix-like operating systems" part. From my understanding, it is certainly almost all installations of Linux, but the "and other Unix-like operating systems" doesn't seem founded. From what I understand, this backdoor would not affect any flavour of *BSD, or of illumos for that matter (ex. smartOS), or QNX, or Solaris. Just for clarity, does anyone know what "Unix-like operating systems" would be affected by this?

I think this might be an issue of how you're parsing the statement. It
sounds like you're reading this as the exploit being available on those
systems. However, when I read the line, I interpret it as "xz Utils ...
[is] available on almost all installations of Linux and other Unix-like
operating systems," which is true. That does not necessarily suggest
that they're all affected by the vulnerability.

Eric
