Backdoor in XZ Utils That Almost Happened
2024-04-11 11:01

You've likely never heard of an open-source library called XZ Utils, but it's on hundreds of millions of computers.

Many open-source libraries, like XZ Utils, are maintained by volunteers.

Tan spent the year slowly incorporating a backdoor into XZ Utils: disabling systems that might discover his actions, laying the groundwork, and finally adding the complete backdoor earlier this year.

On March 25, Hans Jansen (another fake name) tried to push the various Unix systems to upgrade to the new version of XZ Utils.

On March 29, another unpaid volunteer, Andres Freund (a real person who works for Microsoft but who was doing this in his spare time), noticed something weird about how much processing the new version of XZ Utils was doing.

Banning open source won't work; it's precisely because XZ Utils is open source that an engineer discovered the problem in time.
News URL

https://www.schneier.com/blog/archives/2024/04/backdoor-in-xz-utils-that-almost-happened.html