How one volunteer stopped a backdoor from exposing Linux systems worldwide

Nithavela

Linux, the most widely used open source operating system in the world, narrowly escaped a massive cyber attack over Easter weekend, all thanks to one volunteer.
The backdoor had been inserted into a recent release of a Linux compression format called XZ Utils, a tool that is little-known outside the Linux world but is used in nearly every Linux distribution to compress large files, making them easier to transfer. If it had spread more widely, an untold number of systems could have been left compromised for years.
 

AlexB23

Goes to show that one person can make a difference. I am planning on switching to Linux late this year or early next year, as Micro$oft is going to discontinue Windows 10 in 2025 (direct link to Microsoft website).


Here is a summary of the article, for reader convenience:

The article by Amrita Khalid, published on April 2, 2024, reports on a narrowly avoided massive cyber attack on Linux, the most widely used open-source operating system. The attack was possible due to a backdoor that was inserted into a recent release of the Linux compression format called XZ Utils, which is used in nearly every Linux distribution. The backdoor went unnoticed for some time, and if it had spread more widely, an untold number of systems could have been compromised for years.

The vulnerability was discovered by San Francisco-based Microsoft developer Andres Freund, who noticed unusual CPU usage in encrypted log-ins to liblzma, part of the XZ compression library. After some investigation, he discovered that versions 5.6.0 and 5.6.1 of the XZ tools and libraries had been backdoored. The malicious code was designed to hide from public computer scans by only exposing itself to a single key, potentially leaving the majority of the world's computers vulnerable.

Red Hat, an enterprise open-source software company, issued an emergency security alert for users of Fedora Rawhide and Fedora Linux 40. Debian's security team also acted swiftly to revert affected packages, but no stable versions were found to be impacted.

The perpetrator was identified as one of the two main XZ Utils developers, JiaT75, or Jia Tan. JiaT75 had been sending legitimate patches to the XZ mailing list since October 2021 and later created fake identities, "Jigar Kumar" and "Dennis Ens," to pressure the developer of XZ Utils into relinquishing control of the project. The emails from these fake identities continued until Jia Tan was added as a maintainer later that year, enabling them to make alterations and attempt to get the backdoored package into Linux distributions with more authority.

The xz backdoor incident highlighted both the beauty of open-source software and its vulnerability. A developer behind FFmpeg, a popular open-source media package, emphasized the issue by stating that the dependence on unpaid volunteers can cause major problems and that investments in maintenance and sustainability are crucial but often overlooked. Microsoft, despite its dependency on its software, only offered a one-time payment for long-term maintenance instead of a support contract.

The details of who is behind "JiaT75," how they executed their plan, and the extent of the damage are still being investigated by an army of developers and cybersecurity professionals. The article underscores the importance of financial support from companies and organizations that benefit from secure software to ensure its sustainability and maintenance.
 
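The summary above names 5.6.0 and 5.6.1 as the two backdoored XZ releases and notes that distributions reverted packages. Below is an added example of the kind of host check an administrator would run in response; it is not code from the article, the thread, or the XZ project. It parses `xz --version`, compares the result against those two release numbers, and reports whether the local sshd links liblzma (the sshd path is an assumption and can be overridden with the first argument).

```shell
#!/bin/sh
# Added example for this thread, not code from the article or from the XZ
# project: check whether the installed xz/liblzma is one of the two releases
# the summary names as backdoored (5.6.0 and 5.6.1) and whether the local
# sshd links liblzma at all. The sshd path is an assumption; pass a
# different one as the first argument.

# Exit 0 when the version string is one of the two affected releases,
# 1 otherwise. Kept as a pure function so it can be tested on its own.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print the X.Y.Z token from its
# first line, e.g. "xz (XZ Utils) 5.4.6" -> "5.4.6". Prints nothing when
# no version token is present.
parse_xz_version() {
    head -n 1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Exit 0 if the given sshd binary links liblzma, 1 if it does not, 2 if the
# binary is not present. The backdoor ran inside sshd processes that had
# liblzma loaded, so this link is worth knowing about on any host, whatever
# the version number says.
sshd_links_liblzma() {
    bin="${1:-/usr/sbin/sshd}"
    [ -x "$bin" ] || return 2
    ldd "$bin" 2>/dev/null | grep -q 'liblzma'
}

# Print a short report for this host.
check_host() {
    ver="$(xz --version 2>/dev/null | parse_xz_version)"
    if [ -z "$ver" ]; then
        echo "xz: not installed or version not parseable"
    elif is_affected_xz_version "$ver"; then
        echo "xz $ver: one of the backdoored release numbers, update from your distribution"
    else
        echo "xz $ver: not one of the two affected release numbers"
    fi

    rc=0
    sshd_links_liblzma "$1" || rc=$?
    case "$rc" in
        0) echo "sshd links liblzma" ;;
        1) echo "sshd does not link liblzma" ;;
        *) echo "sshd binary not found at ${1:-/usr/sbin/sshd}" ;;
    esac
}

check_host "$@"
```

A version match is a prompt to act, not a verdict on its own: distributions ship their own patched or reverted builds, as the summary says Debian did, and the package changelog or the distribution's advisory is the authoritative place to confirm what a given build contains.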