Linux xz Backdoor Damage Could Be Greater Than Feared
When your home has been broken into, you may not initially comprehend all that has been taken, or the damage that has been done. This is the state of apprehension the Linux community now feels with the recently-unearthed xz backdoor security vulnerability.
“This upstream supply chain security attack is the kind of nightmare scenario that has gotten people describing it called hysterical for years,” Kubernetes Security Chairperson Ian Coldwater had written on X. “It’s real.”
A Microsoft engineer first detected the back door, which he traced back to a recent update to the xz compression library. The library update was a recent one, but it already found homes in the rolling and advanced “rapid” releases of some Linux distributions. The back door takes a certain combination of conditions and dependencies to trigger. Once triggered however, an attacker could enter your system without any authentication at all.