Ángel Jiménez de Luis, USA

Updated Sunday, March 31, 2024, 9:07 p.m.

A popular compression application used in Linux operating systems has come within a hair of causing one of the biggest computer security problems in recent history and has put the entire free software development community on alert.

The latest versions of xz Utils, an application integrated into many of the most popular Linux distributions, such as Fedora, Debian, Arch or Ubuntu, shipped with a backdoor hidden in the build scripts and test files of its release tarballs. The malicious code targeted SSH, the protocol used for secure connections to remote machines: on systems where the SSH server (sshd) loads the xz library liblzma, it allowed an attacker holding a specific private key to run commands on the machine before authentication completed. It was a deliberate attack, planned for quite some time, and it almost worked. Some of the latest beta versions of these Linux distributions already included versions 5.6.0 and 5.6.1 of xz Utils, the two releases that carry the malicious code.
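As an added example that is not part of the original article, the following POSIX shell script checks a host for the two affected xz Utils releases and for the link path through which the backdoor reached sshd. The function and variable names are my own; the version-matching helper works on constructed strings so it can be exercised without an affected system.

```shell
#!/bin/sh
# Added example (not from the article): a quick local check for the
# xz Utils backdoor (CVE-2024-3094).
#   affected_xz_version STRING -> exit 0 if STRING contains 5.6.0 or 5.6.1
#   check_host                 -> report installed xz version and whether
#                                 sshd links liblzma (directly or via libsystemd)
# This flags the known-bad release numbers and the dependency path that made
# sshd reachable; it does not detect the payload itself.

affected_xz_version() {
    # Pull the first dotted version number out of a string such as
    # "xz (XZ Utils) 5.6.1" or "liblzma 5.6.0", then compare it against
    # the two releases that shipped the backdoor.
    v=$(printf '%s\n' "$1" | head -n 1 |
        sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

check_host() {
    # 1. Installed xz: first line of `xz --version` is "xz (XZ Utils) X.Y.Z".
    if command -v xz >/dev/null 2>&1; then
        xzv=$(xz --version 2>/dev/null | head -n 1)
        if affected_xz_version "$xzv"; then
            echo "AFFECTED xz release installed: $xzv"
        else
            echo "xz release not in the affected set: $xzv"
        fi
    else
        echo "xz not installed"
    fi

    # 2. Does sshd pull in liblzma? On the affected distributions sshd links
    #    libsystemd, which links liblzma; without that path the backdoor
    #    never reaches the SSH server even if the bad release is installed.
    sshd=$(command -v sshd 2>/dev/null || true)
    if [ -z "$sshd" ] && [ -x /usr/sbin/sshd ]; then
        sshd=/usr/sbin/sshd
    fi
    if [ -n "$sshd" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd" 2>/dev/null | grep -q liblzma; then
            echo "sshd links liblzma (exposed path present): $sshd"
        else
            echo "sshd does not link liblzma: $sshd"
        fi
    fi
    return 0
}

check_host
```

Run it as an unprivileged user; both checks only read installed binaries. A host that reports an affected release and an sshd that links liblzma should be treated as compromised and rebuilt with xz Utils 5.4.6 or a distribution package that has reverted the change.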

A Microsoft engineer, Andres Freund, was the first to detect that something was wrong with the latest version of the application. SSH logins on his test system took about half a second longer than before and sshd was using more CPU than it should. Upon investigating the cause, he discovered that the liblzma library shipped with versions 5.6.0 and 5.6.1 of xz Utils contained a backdoor that was being loaded into sshd.

Being free software, each contributor's changes are usually well documented. This has made it possible to trace the origin of the injected code to a contributor using the name Jia Tan, who had worked on the project for years. Several of the communities and companies responsible for the different Linux distributions have also acknowledged that Tan, in recent weeks, had pressed them to adopt the latest version of the application, which includes the backdoor.

The discovery has shaken the foundations of the free software community, which usually works selflessly on many applications that are essential in more complex programs or in various operating systems.

A recurring meme online this weekend has been Randall Munroe's xkcd cartoon "Dependency", in which all modern digital infrastructure rests on one small block labelled "a project some random person in Nebraska has been thanklessly maintaining since 2003".

The vignette is a reminder of how fragile all modern computer systems can be and how much they owe to completely voluntary projects. Rarely is it as clear as in this case. The original developer of xz Utils, Lasse Collin, had begun in recent years to hand over part of the control of the application's development to other collaborators on the project, including Jia Tan, because he no longer had time to continue working on new features.

Online, several developers have speculated this weekend about Tan's motives for injecting this backdoor. The programmer worked on this project for three years without raising a single suspicion, gradually gaining Collin's trust. Now not only are all of his contributions to xz Utils and other free software tools quarantined, there is also an atmosphere of distrust that has begun to spread through the community. "Now would be a good time to review the code of all projects that have been in a similar situation of having to be handed over by the original sole proprietor to a new volunteer," writes one developer.

Other comments suggest, however, that the attack could serve to awaken interest on the part of users and companies in free software and improve the conditions of collaborators in different projects. "I hope this leads to some real support (monetary and development) for Lasse from some of the companies that make billions from his work without giving him anything in return," wrote one Reddit user.

Although the main victims in these cases would have been the Linux distributions already mentioned, Windows has in recent years included a Linux subsystem (WSL) that allows running applications developed for that environment, such as xz Utils, and macOS, built on Unix, can also end up exposed to these attacks. Homebrew, a software package manager for macOS, ships xz Utils as a dependency of many of its packages and was distributing the affected version until it rolled back to 5.4.6. One caveat: the injected payload only activated in x86-64 Linux builds, so those other platforms carried the tainted release without the sshd hook being live.