xz is a compression utility – similar in concept to making .zip files. Its main use is lossless compression for command line utilities, which is to say that it guarantees that when the data is decompressed, the result is a byte-for-byte clone of the original. It’s used by a lot of important security software, and is included as a library in many other utilities. A library is just a term used for tools used by other tools.
On 2/23 a trusted developer on the project committed (added) some code that was obfuscated (not clear in what it does), and since that developer was trusted, that code made its way into a release of xz that people could install. It’s unclear whether that person did it intentionally, had their system compromised, or some other explanation, but it doesn’t look good.
The back door part comes into play with one of the main ways xz is used – SSH. SSH is an encrypted protocol between two machines where text commands can be exchanged, allowing a user to interact with a server. It’s a very common utility in the Linux world and the security of this communication is critical. The back door means that the connection is no longer private and could allow an attacker to insert their own text commands into the secure connection.
ELI5 version – you are having a private text exchange with a friend, but someone slipped into the convo and is reading your texts, and even sending new ones to your friend telling them lies and to do things they shouldn’t – all as if it was coming directly from you.
People may have installed a compromised version during the month this was in the wild. However, many of the safer versions of Linux (the kinds that run on servers) take 6+ months to include new updates like this, so only people who are running the very latest of everything would have been affected. That doesn’t mean someone who installed it was actually compromised, just that they were at risk during the time.
You can read more here: https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
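The answer above says some people may have installed a compromised release without saying how to tell. The following is an added example, not part of the original post or of the xz project; it assumes, from the public advisories rather than from the post, that the two backdoored releases are xz 5.6.0 and 5.6.1 (CVE-2024-3094) and that the backdoor only mattered where sshd was linked against liblzma (on distributions that patch sshd to use libsystemd). The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Checks two things a practitioner
# wants to know after the xz incident: is the installed xz one of the two
# backdoored releases (5.6.0 / 5.6.1, CVE-2024-3094), and does the local sshd
# link liblzma at all (the path the backdoor relied on). Version numbers and
# the liblzma link are taken from the public advisories, not from the post.

# Returns "affected" for the two backdoored release versions, "clean" otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) echo "affected" ;;
        *)           echo "clean" ;;
    esac
}

# Pulls the version number out of `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.4.5" (the last field of the first line).
parse_xz_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Reports whether the sshd binary pulls in liblzma (directly or via libsystemd).
# Returns "linked", "not-linked", or "no-sshd" when no sshd binary is found.
sshd_links_liblzma() {
    sshd_path="$(command -v sshd 2>/dev/null || true)"
    [ -n "$sshd_path" ] || [ ! -x /usr/sbin/sshd ] || sshd_path=/usr/sbin/sshd
    if [ -z "$sshd_path" ]; then
        echo "no-sshd"
    elif ldd "$sshd_path" 2>/dev/null | grep -q liblzma; then
        echo "linked"
    else
        echo "not-linked"
    fi
}

# Runs both checks against the machine this script is executed on.
main() {
    if command -v xz >/dev/null 2>&1; then
        ver="$(parse_xz_version "$(xz --version 2>/dev/null)")"
        echo "installed xz $ver: $(xz_version_affected "$ver")"
    else
        echo "xz not installed"
    fi
    echo "sshd liblzma link: $(sshd_links_liblzma)"
}

main
```

An "affected" version together with "linked" means the machine was exposed; "affected" with "not-linked" still calls for downgrading xz, since the library is used by far more than sshd. A version outside 5.6.0 and 5.6.1 is not proof of safety if the binary came from somewhere other than the distribution's packages, which is why the check reads the installed binary rather than a package database.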