Microsoft Engineer Foils Major Linux Backdoor Plot

Key Takeaways

  • A hidden Linux backdoor in xz Utils was inadvertently found by a Microsoft developer, averting a massive security threat.
  • The discovery prevented the embedding of malicious code in major Linux operating systems, with potential widespread implications.
  • This close call highlights a sophisticated supply chain attack, feared to surpass the impact of the SolarWinds breach in 2020.

Microsoft developer uncovered a hidden Linux backdoor, preventing a potential widespread security disaster.

Last week, an “urgent” Linux backdoor was accidentally discovered. Red Hat urgently warned that recent versions of Fedora operating systems contained malicious code for backdoor access, and Debian issued a similar warning.

A security issue was averted after a Microsoft software engineer, Andres Freund, stumbled upon a backdoor deliberately embedded in xz Utils, an open-source data compression toolkit used in Linux and all Unix-like operating systems.

Thanks to the diligence of a Microsoft software engineer, a catastrophe was prevented. However, this still represents a serious incident as the backdoor update was about to be added to major Linux operating systems.

xz Utils is found everywhere Linux is present, providing highly effective data compression and decompression and supporting the legacy .lzma format.

Freund was working on Microsoft’s PostgreSQL system when he became occupied with a troubleshooting problem: SSH logins, the protocol for remotely logging into devices over the internet, were consuming too many CPU cycles and ran into problems with Valgrind, a computer memory tool.

With some fortune, Freund’s endeavors led him to discover the source of the issue: the updates applied to xz Utils. This enabled him to raise the alarm.

On March 29, he accessed the Open Source Security List to detail the updates after malicious actors had placed the backdoor into the software in a venture likely to have taken years to construct.

Software and cryptography expert Filippo Valsorda spoke on the magnitude of this incident, which came so close to full impact and would likely have exceeded the scale of SolarWinds in 2020.

“This might be the best-executed supply chain attack we’ve seen described in the open, and it’s a nightmare scenario: malicious, competent, authorized upstream in a widely used library,” he stated.

The dangerous code inserted into xz Utils versions 5.6.0 and 5.6.1 would have been able to modify how the software behaves.

It is unknown what code the hackers intended to deploy, but they would effectively have been able to cause extensive damage by stealing encryption keys or installing malware.