Linux XZ Utils hacked

How one volunteer stopped a backdoor from exposing Linux systems worldwide
https://www.theverge.com/2024/4/2/24119342/xz-utils-linux-backdoor-attempt

This is not getting a lot of notice that I've seen, but this long-term attack is causing problems outside of Linux. It is causing havoc on Windows machines as well with liblzma.

I tried to update my Boost install using vcpkg, and since it uses liblzma for the process it failed big time. *Ouch!*
Definitely everyone should look up a few articles and videos about the XZ attack, it's scary that it probably would have been successful had it not been for high CPU usage due to inefficient code in the exploit.

I thought the attack only targeted some of the enterprise-type server linux distros (debian, red hat), so I don't think Windows was affected?

"secret backdoor found in open source software (xz situation breakdown)"
https://www.youtube.com/watch?v=jqjtNDtbDNI

"xz Exploit Is WILD - Must See Bash Part"
https://www.youtube.com/watch?v=LaRKIwpGPTU

"The XZ Backdoor Almost Compromised Every Linux System"
https://www.youtube.com/watch?v=044GiRqGebc

(pardon the two sensational titles)
The core of Windows itself wasn't targeted AFAIK, but any software that uses liblzma is at risk. And as I pointed out that does affect vcpkg's installation/upgrade of at least Boost. Try to install liblzma by itself? Nope, nada, nuh-uh, fuggeboutit.

Yeah, the hack had gone unnoticed for, what, 2 years until an off-duty MS worker noticed the abnormally high CPU usage.

One guy stopped this from expanding outward. That is really scary.

All the "Linux is so much better than Windows" 'experts' caught completely flat-footed.

In one respect I'm kinda glad this news isn't being reported wider, the usual talking heads have nary a clue and would get all wee-weed up to try to scare people the computing world is coming to an end. With politicians vowing to "do something, anything" to combat security holes, etc.
Well, the exploit itself is not 2 years old. It didn't make it into any production linux distros. The malicious backdoor was committed in March 2024. The man that found it was using a development/unstable release.
https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

The attacker started gaining trust from the community two years ago. Then they started bullying the maintainer with sockpuppet accounts to push the malicious release along faster.
https://news.ycombinator.com/item?id=39902241

idk about vcpkg behavior. Probably better safe than sorry as they investigate any other potential commits by the attacker or aliases?

> All the "Linux is so much better than Windows" 'experts' caught completely flat-footed.
The difference is that in Windows the backdoors are features, not bugs :)

Kidding aside, there are probably state actors in both open-source and closed-source projects that are paid to sneakily put exploits/backdoors into code.
"Jonathan Blow on the Problem with Open Source"
https://www.youtube.com/watch?v=WGekWFxeD6c
> I thought the attack only targeted some of the enterprise-type server linux distros (debian, red hat)

I reckon that openssh does not always depend on xz, but on some distros openssh uses systemd (or something) and systemd uses xz. Hence the attack vector.


RHEL (Red Hat Enterprise Linux) does not have cutting-edge components. Rather, it has its own forks that receive backports*. (While RH curates those backports, they could accidentally backport a vulnerability into RHEL.) Not in this case; the xz even in the latest RHEL (9) is too old to be affected. On the RH side it was Fedora rawhide, the development version of the next Fedora release, that got the malicious version of xz. Overall, Fedora is the bleeding-edge distro for RH (each release lives max 13 months), not "Enterprise Linux". RH occasionally cherry-picks something from Fedora into RHEL.


*An almost extreme example is the kernel and Python in RHEL 7. RHEL 7 has its EOL next Midsummer. The kernel is a fork from upstream 3.11. That was released in 2013? The Python is a fork of upstream 2.7. Both upstreams have been totally dead for years, but the RHEL 7 versions do have RH support until RHEL 7 EOL.
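The two posts above describe the dependency chain (sshd does not link xz itself; on systemd distros it loads libsystemd, which loads liblzma) and the fact that only bleeding-edge distros got the bad build. The script below is an added example written for this thread, not code from any poster or from the xz project. It packages the two checks people actually ran on their hosts in April 2024: `ldd` on the sshd binary to see whether liblzma is pulled in at all, and `xz --version` to see whether the installed release is 5.6.0 or 5.6.1, the two releases the backdoor shipped in. The `ldd` and `xz --version` outputs embedded in the script are constructed samples so it runs offline; the live check at the bottom only fires when both `xz` and `sshd` are present.

```shell
#!/bin/sh
# Added example (not from the thread or the xz project): screen a host for the
# xz-utils backdoor by combining "does sshd load liblzma?" with "is the installed
# xz one of the two backdoored releases?". Sample outputs below are constructed.

# Returns 0 when the version string is one of the two releases that carried the backdoor.
xz_version_is_backdoored() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Extracts the version from `xz --version` output, whose first line reads
# "xz (XZ Utils) 5.6.1". Prints nothing if the first line does not match.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 when `ldd` output for a binary lists liblzma, whether linked directly
# or transitively through another library such as libsystemd.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# One-word verdict for a host, given its `ldd sshd` output and `xz --version` output:
#   vulnerable        sshd loads liblzma and the version is 5.6.0 or 5.6.1
#   linked-ok-version sshd loads liblzma but the version is not a known-bad one
#   no-liblzma        sshd does not load liblzma at all, so this vector is absent
verdict() {
    ldd_out=$1
    xz_out=$2
    if ! ldd_links_liblzma "$ldd_out"; then
        echo no-liblzma
        return
    fi
    ver=$(xz_version_from_output "$xz_out")
    if xz_version_is_backdoored "$ver"; then
        echo vulnerable
    else
        echo linked-ok-version
    fi
}

# Constructed sample data standing in for `ldd "$(command -v sshd)"` and `xz --version`.
SAMPLE_LDD_SYSTEMD='    linux-vdso.so.1 (0x00007ffe1f3e0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f4c0a200000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f4c0a1c0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4c09e00000)'
SAMPLE_LDD_PLAIN='    linux-vdso.so.1 (0x00007ffe1f3e0000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f4c0a400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4c09e00000)'
SAMPLE_XZ_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_XZ_OLD='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Live check of this host, only when xz and sshd are actually installed.
if command -v xz >/dev/null 2>&1 && command -v sshd >/dev/null 2>&1; then
    echo "this host: $(verdict "$(ldd "$(command -v sshd)" 2>/dev/null)" "$(xz --version 2>/dev/null)")"
fi
```

Two caveats a practitioner would add. The version match is a screen, not proof: distros that had shipped 5.6.x reverted or rebuilt the package, so the package manager's version and the distro advisory are the authoritative answer, and a host that was running 5.6.x with sshd exposed should be treated as possibly compromised regardless of what it reports now. And `ldd` can execute the dynamic loader of the file it inspects, so only point it at system binaries you trust, as done here with sshd.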