Backdoor Discovered in Widely-Used Linux Compression Software, Highlighting Open Source Security Concerns
- A backdoor was discovered in the widely used xz compression software that could have enabled remote code execution on Linux systems. It was found by chance by a Microsoft engineer.
- The backdoor was intricately hidden across multiple commits over 2 years by an attacker posing as a contributor named "Jia Tan".
- The backdoor worked by compromising the SSH daemon during startup on systems that used the vulnerable xz software.
- It narrowly missed becoming widely distributed, making it into only a few bleeding-edge Linux distros like Fedora and Debian.
- Security experts worry this shows how fragile open-source security is when projects rely on unpaid and overburdened maintainers. More undiscovered threats may lurk.