
A backdoor planted in the liblzma library shipped with xz-utils (versions 5.6.0 and 5.6.1, tracked as CVE-2024-3094) has raised serious concerns about the software supply chain. The contributor known as "Jia Tan", who had become a co-maintainer of the project, is implicated in adding it. The operation took roughly two years: the account built trust through legitimate-looking contributions while the original maintainer was pressured to share control of the project. The malicious code was not visible in the git source; it was smuggled in through the release tarballs' build scripts and binary test files, and on affected Linux systems it reached the OpenSSH server because sshd loads liblzma through libsystemd. It was detected by Andres Freund, a Microsoft engineer, who noticed unusual CPU usage and valgrind errors in sshd before the tainted releases reached most stable distributions. The incident highlights the need for enhanced security measures in open-source supply chains, including defense-in-depth design and rigorous review of both source code and release artifacts.
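The two questions a responder asks first after reading the above are whether the host's liblzma is one of the backdoored releases and whether sshd actually loads liblzma. The following POSIX shell script is an added example written for this page; it is not code from the page, the xz project or OpenSSH. The `xz --version` samples are constructed, the helper names are this example's own, and the live checks run only when `xz`, `sshd` and `ldd` exist on the host.

```sh
# Added example (not the page's, xz's or OpenSSH's code): triage a host for the
# xz-utils backdoor.
#   1. Is the installed liblzma one of the backdoored releases, 5.6.0 or 5.6.1?
#   2. Does sshd link liblzma at all (on many distros it does, via libsystemd),
#      so that a backdoored liblzma would actually be mapped into the SSH server?

# Constructed sample of `xz --version` output from a backdoored build.
SAMPLE_VULN='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Constructed sample from a clean build.
SAMPLE_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Print the liblzma version from `xz --version` output. The liblzma line is the
# one that matters: the backdoor lives in the library, not in the xz front end.
parse_liblzma_version() {
    printf '%s\n' "$1" | awk '$1 == "liblzma" { print $2; exit }'
}

# Exit 0 when the version string is a release known to carry the backdoor.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify `xz --version` output as BACKDOORED, CLEAN or UNKNOWN (unparseable).
classify_xz_output() {
    ver=$(parse_liblzma_version "$1")
    if [ -z "$ver" ]; then
        echo UNKNOWN
    elif is_backdoored_version "$ver"; then
        echo BACKDOORED
    else
        echo CLEAN
    fi
}

# Exit 0 if the given sshd binary (default: the one on PATH) links liblzma,
# directly or transitively; 1 if it does not; 2 if this cannot be determined.
# ldd runs the dynamic loader on its target, so only point it at a trusted
# system binary, never at a suspicious file.
sshd_links_liblzma() {
    bin=${1:-$(command -v sshd 2>/dev/null)}
    [ -n "$bin" ] && [ -x "$bin" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    out=$(ldd "$bin" 2>/dev/null) || return 2
    printf '%s\n' "$out" | grep -q 'liblzma'
}

# Run both checks against this host and print a verdict; never fails.
run_local_check() {
    if command -v xz >/dev/null 2>&1; then
        verdict=$(classify_xz_output "$(xz --version 2>/dev/null)")
        echo "liblzma on this host: $verdict"
    else
        echo "xz not installed on this host"
    fi
    sshd_links_liblzma && rc=0 || rc=$?
    case $rc in
        0) echo "sshd links liblzma: yes (a backdoored liblzma would be loaded into sshd)" ;;
        1) echo "sshd links liblzma: no" ;;
        *) echo "sshd links liblzma: undetermined (sshd or ldd not found)" ;;
    esac
    return 0
}

run_local_check
```

The version check is a triage heuristic, not proof either way: distributions that shipped a cleaned package may still report 5.6.1, and the injection only activated under particular build conditions, so follow up with your distribution's advisory and verify the installed package against its signed repository metadata. The linkage check answers the more useful exposure question: if sshd does not map liblzma, this particular payload had no path into the SSH server even where the library was backdoored.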

“We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added) ... with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise”: https://t.co/P39m5Pv3ge #ethics #cybersec
With the #xz #backdoor, any thinking person should be asking themselves: if they could get away with this and just narrowly got caught, what else has been compromised to this level but has gone unnoticed?
Some interesting thoughts on the xz compression backdoor in liblzma (and the insertion of what appears to be the attacker’s own RSA key in OpenSSH Server on systems that use xz 5.6.x) here: https://t.co/YYRHzOXZcC