Alex posted the other day about some issues with specific RedHat distros. But there’s a tad more to the story than just some bad software that was fix
[See the full post at: The attackers want to wiggle in]
Susan Bradley Patch Lady/Prudent patcher
|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
-
The attackers want to wiggle in
- This topic has 18 replies, 6 voices, and was last updated 1 year, 1 month ago.
AuthorViewing 11 reply threadsAuthor-
-
I think Open Source is more vulnerable to hackers even under ‘thousands’ watchful eyes.
What evidence, other than anecdotal, do you have to support that?
A few quick searches on Mitre’s CVE site…
1 user thanked author for this post.
-
-
-
-
Commentary from the Linux world…
1 user thanked author for this post.
-
-
Only 16/64 security vendors and no sandboxes flagged this file as malicious
trojan.xzbackdoor
2 users thanked author for this post.
-
From the original article:
“It was a backdoor that nearly entered into all Linux distributions.”
I think that is an overstatement.
Most Linux distros use a periodic release model, where most packages are kept in a given version, or as close as possible, for the duration of time that release is supported. An upstream provider releasing a new version of a given package does not mean all of the distros will immediately push it out to users.
Even when it is time for a given distro to release a new version, it is typical that most or all of the packages with which it is released are not the completely new, up to date versions either. They will be newer than the previous release, but it does not mean they are anything close to the cutting edge, either.
Because of these factors, it can often take considerable time, even in the time frame of years, for a new version of anything to work its way into the PCs of Linux users. This is the case with Red Hat Enterprise Linux, which is much more oriented toward stability (API/ABI and lack of crashing both) than having the newest packages. Rawhide is their most experimental rolling branch, on the appropriately-named bleeding edge, but it is a long way from there to RHEL, Red Hat’s money-making product that is their reason to exist.
I saw that the perpetrator(s) of this crime hid their efforts by having the actual source code clean, so that anyone who inspected it would not find any trace of subterfuge, but the precompiled binary was another story. The miscreant(s) attempted to get distros to use the sabotaged binary blob rather than compiling it themselves. It is quite normal for distros to compile everything from source prior to packaging in the preferred format, and this demonstrates why. No one knows what is in a binary blob.
Most of the distros that pushed out the tainted blob were bleeding-edge rolling distros… Fedora Rawhide, OpenSUSE Tumbleweed, and Debian’s testing (non-release) distros. The lone exception among mainstream distros was Fedora 41, which is a periodic release distro that prides itself on being “cutting edge,” almost a rolling distro in terms of how up to date its packages are at any given time.
It would appear that the pressures of being “cutting edge” mean that the distros don’t always take the time to compile each binary themselves.
The outlier is Kali Linux, a specialized distro based on Debian Testing that is used for penetration testing and for showing off that the individual in question is a ”1337 h4x0r.” This distro is never meant to be used for use as a general purpose OS, and those who do anyway are already ignoring security, as it always runs as root, a huge security risk.
How likely it would be that other distros would distribute the prepackaged (tainted) binary is a good question. From what I know about the distro family I use (Ubuntu), I do not think the compromised code would have ever been pushed. As far as I know, Ubuntu compiled everything themselves that is not in their “restricted” subrepo.
Now that this event has shaken everyone up, it is even less likely that any distro is going to include someone else’s precompiled blobs. The way the bad actors wormed their way in and played the long con to become trusted contributors is going to be on everyone’s mind from here on out.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)7 users thanked author for this post.
-
How likely it would be that other distros would distribute the prepackaged (tainted) binary is a good question. From what I know about the distro family I use (Ubuntu), I do not think the compromised code would have ever been pushed. As far as I know, Ubuntu compiled everything themselves that is not in their “restricted” subrepo.
Why this delay then?
Ubuntu announcements — Noble Numbat Beta delayed (xz/liblzma security update)
It appears to me that the distributors don’t share your confidence that everything would have been fine even if Microsoft hadn’t noticed.
2 users thanked author for this post.
-
-
This is a demonstration of the principle of abundance of caution.
The version of XZ that was, and still is, slated to be included in 24.04 is the older, non-sabotaged version. Some packages were linked using the tainted version, though, and even though the tainted code is not included in those compiled packages (that would only happen with static linking, and these packages are dynamically linked), and even then only if the tainted XZ binary blob was used rather than the the locally compiled version, the principle of ‘abundance of caution’ dictates that things be rechecked and redone anyway, removing and redoing all packages linked against the tainted version, so that Ubuntu users and customers can be certain that Canonical has taken all possible steps to ensure the product they receive is safe.
This way, even if the source-compiled version of XZ did happen to contain the exploit (it doesn’t, as the attackers have made sure that their attack code cannot be analyzed by keeping it secret… closed-source, in essence), and even if the dynamic linking process did somehow statically link some part of the library, which is not the way it works, customers would still know they are protected.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)3 users thanked author for this post.
-
-
-
-
Susan Bradley Patch Lady/Prudent patcher
4 users thanked author for this post.
-
-
Very scary stuff!
“Leave the World Behind”, currently on Netflix, is an interesting take on what a cyberattack could do.
Good cast (Julia Roberts, Ethan Hawke, Kevin Bacon, et. al.)
1 user thanked author for this post.
-
Viewing 11 reply threads
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
0Patch, where to begin
by 1 hour, 23 minutes ago
-
CFPB Quietly Kills Rule to Shield Americans From Data Brokers
by 4 hours, 22 minutes ago
-
89 million Steam account details just got leaked,
by 12 hours, 47 minutes ago
-
KB5058405: Linux – Windows dual boot SBAT bug, resolved with May 2025 update
by 12 hours, 56 minutes ago
-
A Validation (were one needed) of Prudent Patching
by 3 hours, 54 minutes ago
-
Master Patch Listing for May 13, 2025
by 6 hours, 17 minutes ago
-
Installer program can’t read my registry
by 5 hours, 53 minutes ago
-
How to keep Outlook (new) in off position for Windows 11
by 1 hour, 41 minutes ago
-
Intel : CVE-2024-45332, CVE-2024-43420, CVE-2025-20623
by 9 hours, 2 minutes ago
-
False error message from eMClient
by 1 day ago
-
Awoke to a rebooted Mac (crashed?)
by 1 day, 9 hours ago
-
Office 2021 Perpetual for Mac
by 1 day, 10 hours ago
-
AutoSave is for Microsoft, not for you
by 6 hours, 57 minutes ago
-
Difface : Reconstruction of 3D Human Facial Images from DNA Sequence
by 1 day, 13 hours ago
-
Seven things we learned from WhatsApp vs. NSO Group spyware lawsuit
by 14 hours, 54 minutes ago
-
Outdated Laptop
by 1 day, 19 hours ago
-
Updating Keepass2Android
by 2 days ago
-
Another big Microsoft layoff
by 2 days ago
-
PowerShell to detect NPU – Testers Needed
by 1 hour, 8 minutes ago
-
May 2025 updates are out
by 55 minutes ago
-
Windows 11 Insider Preview build 26200.5600 released to DEV
by 2 days, 6 hours ago
-
Windows 11 Insider Preview build 26120.3964 (24H2) released to BETA
by 2 days, 6 hours ago
-
Drivers suggested via Windows Update
by 2 days, 6 hours ago
-
Thunderbird release notes for 128 esr have disappeared
by 2 hours, 21 minutes ago
-
CISA mutes own website, shifts routine cyber alerts to X, RSS, email
by 2 days, 13 hours ago
-
Apple releases 18.5
by 2 days, 7 hours ago
-
Fedora Linux 40 will go end of life for updates and support on 2025-05-13.
by 2 days, 14 hours ago
-
How a new type of AI is helping police skirt facial recognition bans
by 2 days, 15 hours ago
-
Windows 7 ISO /Windows 10 ISO
by 23 hours, 46 minutes ago
-
No HP software folders
by 2 days, 23 hours ago
Remembering Woody
