Best Of 2024: An Accidental Discovery Of A Backdoor Likely Prevented Thousands Of Infections
Security Boulevard, Tuesday, December 24th, 2024
Yesterday's discovery of the xz backdoor was an accident. But what a fortunate accident it was. The actor (or actors, we don't yet know) had been diligent in their efforts for a long time, and had only very recently started putting together all the pieces of what was discovered yesterday.
The backdoor is being called an 'ssh backdoor', which is a bit misleading. OpenSSH does not use xz itself, but Linux distribution maintainers linked xz into sshd when building it (ostensibly for easier integration with systemd). In fact, xz is linked into so many packages that it may never be possible to fully ascertain the scope of what the backdoor might have done.