Thursday, April 04, 2024

Re: lcamtuf on the recent xz debacle

Katherine Mcmillan <kmcmi046@uottawa.ca> writes:

> I have seen the following comment, or similar, in several articles now:
> "On Friday, a lone Microsoft developer rocked the world when he revealed a
> backdoor<https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/>
> had been intentionally planted in xz Utils, an open source data
> compression utility available on almost all installations of Linux and
> other Unix-like operating systems."
> https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
>
> There are a couple of problems with this statement, but I just want to
> focus in on the "almost all installations of Linux and other Unix-like
> operating systems" part. From my understanding, it is certainly almost
> all installations of Linux, but the "and other Unix-like operating
> systems" doesn't seem founded. From what I understand, this backdoor
> would not affect any flavour of *BSD, or of illumos for that matter
> (ex. smartOS), or QNX, or Solaris. Just for clarity, does anyone know
> what "Unix-like operating systems" would be affected by this?

The quoted passage states the platforms on which xz-utils is
available; it doesn't explicitly say that all of those platforms
are affected by this specific backdoor (though I acknowledge the
passage can be read in a way that implies that). Indeed, not even
all Linux platforms are affected: the backdoor specifically
targets RPM- and DEB-based systems. In addition to the detailed
writeup in Christian's message, there's also one by Russ Cox:

https://research.swtch.com/xz-script

(Who has also put together a timeline:
https://research.swtch.com/xz-timeline)

However, even though _this particular backdoor_ only affects (a
subset of) Linux platforms, there's the broader concern that the
_project_ was 'socially' backdoored - a project involving a piece
of software that's available for a wide variety of platforms, and
relatively deep in a number of stacks. (Although, on the technical
side, the versions of xz-utils since the malfeasant got involved,
but prior to the confirmed-backdoored versions, are being looked
at carefully.)


Alexis.
