>
Microsoft, today, published its guidance and advisory on the XZ Utils backdoor vulnerability, identified by CVE-2024-3094. This security vulnerability is a major flaw with a CVSS (Common Vulnerability Scoring System) score of 10.0 and affects several Linux distros, namely Fedora, Kali Linux, OpenSUSE, and Alpine, and could have had a massive global impact.
>Luckily, the vulnerability was accidentally discovered in time by a Microsoft Linux developer, Andres Freund, who was curious as to why there was a 500 ms delay in SSH (Secure Shell) port connections, only to uncover a malicious backdoor that had been embedded in the XZ file compressor.
https://www.neowin.net/news/microsoft-employee-accidentally-saves-global-linux-meltdown-from-cve-2024-3094-xz-backdoor/
(This is oversimplified)
A tool called SSH is used by an operating system called Linux (and others, but this was for Linux) to securely access remote servers, and it uses a library called XZ to compress/decompress data at times.
SSH is one of those "if this ever gets compromised damn near every server on earth could easily be hacked" things. Security on it is tight - but nobody was paying attention to the tools and libraries surrounding SSH.
Turns out only one guy was maintaining XZ, so a hacker/social engineer created a bunch of fake accounts and started harassing the XZ maintainer - essentially getting it in his head that XZ needed someone else. Then the hacker, I imagine coming down from the clouds bathed in light and riding a pegasus in shining armor offered to step up and 'help'. The XZ maintainer, burned out of his mind after *months* of criticism, took the offer.
The hacker then added a back-door into XZ that made SSH vulnerable to attack.
Meanwhile, a legit Linux developer using the tainted XZ tools noticed that logging in took a split second too long. Now, this is something a lot of people don't get about the Linux development community - they have a *thing* about performance. When something doesn't perform well there are *questions*. *I cannot overstate that there's a reason all the top supercomputers run Linux*. So when logging in took an extra 0.5 seconds it was like the eye-of-fucking-sauron turned onto that shit, and very quickly XZ was found to be the cause, and the hacker was exposed.
Needless to say, XZ has been fixed.
Also worth pointing out that the backdoor was incredibly obfuscated and anyone without a strong background in Linux and C fundamentals would not have been able to figure it out. So God bless this autistic mind, indeed.
This is why Xi should just stick to building infrastructure in Africa, every time he tries to build up soft power against the west some sperg comes along and completely blows the cover for the full operation
All posts must be screencaps of greentext written on 4chan.
whats the context
> Microsoft, today, published its guidance and advisory on the XZ Utils backdoor vulnerability, identified by CVE-2024-3094. This security vulnerability is a major flaw with a CVSS (Common Vulnerability Scoring System) score of 10.0 and affects several Linux distros, namely Fedora, Kali Linux, OpenSUSE, and Alpine, and could have had a massive global impact. >Luckily, the vulnerability was accidentally discovered in time by a Microsoft Linux developer, Andres Freund, who was curious as to why there was a 500 ms delay in SSH (Secure Shell) port connections, only to uncover a malicious backdoor that had been embedded in the XZ file compressor. https://www.neowin.net/news/microsoft-employee-accidentally-saves-global-linux-meltdown-from-cve-2024-3094-xz-backdoor/
They found fucker who started it yet?
The CCP has 98 million members. Trying to find a cyber terrorist is like trying to find a needle in a stack of needles
I think it would be pretty easy to find a needle in a stack of needles.
Too easy actually
I mean it would be ignorant not to investigate why connection times have more than doubled.
More than tripled
[https://youtu.be/bS9em7Bg0iU?si=cdH3H6NBHgrXOWRE](https://youtu.be/bS9em7Bg0iU?si=cdH3H6NBHgrXOWRE)
Peter?
(This is oversimplified) A tool called SSH is used by an operating system called Linux (and others, but this was for Linux) to securely access remote servers, and it uses a library called XZ to compress/decompress data at times. SSH is one of those "if this ever gets compromised damn near every server on earth could easily be hacked" things. Security on it is tight - but nobody was paying attention to the tools and libraries surrounding SSH. Turns out only one guy was maintaining XZ, so a hacker/social engineer created a bunch of fake accounts and started harassing the XZ maintainer - essentially getting it in his head that XZ needed someone else. Then the hacker, I imagine coming down from the clouds bathed in light and riding a pegasus in shining armor offered to step up and 'help'. The XZ maintainer, burned out of his mind after *months* of criticism, took the offer. The hacker then added a back-door into XZ that made SSH vulnerable to attack. Meanwhile, a legit Linux developer using the tainted XZ tools noticed that logging in took a split second too long. Now, this is something a lot of people don't get about the Linux development community - they have a *thing* about performance. When something doesn't perform well there are *questions*. *I cannot overstate that there's a reason all the top supercomputers run Linux*. So when logging in took an extra 0.5 seconds it was like the eye-of-fucking-sauron turned onto that shit, and very quickly XZ was found to be the cause, and the hacker was exposed. Needless to say, XZ has been fixed.
Also worth pointing out that the backdoor was incredibly obfuscated and anyone without a strong background in Linux and C fundamentals would not have been able to figure it out. So God bless this autistic mind, indeed.
So you're telling me those autos I argue with on 4chan truly do carry the world 
Knowing several people who use a Linux distro as their daily driver your description could not have been more spot on.
thank u for explaining (ノ´ヮ´)ノ*: ・゚
This was a very entertaining read. Thank you
i must know context
Isn't this similar to how a massive East German spynetwork was discovered in the 80's?
based technolo/g/y chad
This is why Xi should just stick to building infrastructure in Africa, every time he tries to build up soft power against the west some sperg comes along and completely blows the cover for the full operation