Close Menu
Technology Mag

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    8BitDo’s new collection celebrates the NES’s 40th anniversary

    October 18, 2025

    TiVo won the court battles, but lost the TV war

    October 18, 2025

    Motorola’s Razr Ultra and the Marshall Emberton II top this week’s best deals

    October 18, 2025
    Facebook X (Twitter) Instagram
    Subscribe
    Technology Mag
    Facebook X (Twitter) Instagram YouTube
    • Home
    • News
    • Business
    • Games
    • Gear
    • Reviews
    • Science
    • Security
    • Trending
    • Press Release
    Technology Mag
    Home » The XZ Backdoor: Everything You Need to Know
    Security

    The XZ Backdoor: Everything You Need to Know

    News RoomBy News RoomApril 6, 20245 Mins Read
    Facebook Twitter Pinterest LinkedIn Reddit WhatsApp Email

    On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in XZ Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems. The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two biggest distributions of Linux, when an eagle-eyed software developer spotted something fishy.

    “This might be the best executed supply chain attack we’ve seen described in the open, and it’s a nightmare scenario: malicious, competent, authorized upstream in a widely used library,” software and cryptography engineer Filippo Valsorda said of the effort, which came frightfully close to succeeding.

    Researchers have spent the weekend gathering clues. Here’s what we know so far.

    What Is XZ Utils?

    XZ Utils is nearly ubiquitous in Linux. It provides lossless data compression on virtually all Unix-like operating systems, including Linux. XZ Utils provides critical functions for compressing and decompressing data during all kinds of operations. XZ Utils also supports the legacy .lzma format, making this component even more crucial.

    What Happened?

    Andres Freund, a developer and engineer working on Microsoft’s PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was experiencing with SSH, the most widely used protocol for remotely logging in to devices over the Internet. Specifically, SSH logins were consuming too many CPU cycles and were generating errors with valgrind, a utility for monitoring computer memory.

    Through sheer luck and Freund’s careful eye, he eventually discovered the problems were the result of updates that had been made to XZ Utils. On Friday, Freund took to the Open Source Security List to disclose the updates were the result of someone intentionally planting a backdoor in the compression software.

    It’s hard to overstate the complexity of the social engineering and the inner workings of the backdoor. Thomas Roccia, a researcher at Microsoft, published a graphic on Mastodon that helps visualize the sprawling extent of the nearly successful endeavor to spread a backdoor with a reach that would have dwarfed the SolarWinds event from 2020.

    What Does the Backdoor Do?

    Malicious code added to xz Utils versions 5.6.0 and 5.6.1 modified the way the software functions. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. No one has actually seen code uploaded, so it’s not known what code the attacker planned to run. In theory, the code could allow for just about anything, including stealing encryption keys or installing malware.

    Wait, How Can a Compression Utility Manipulate a Process as Security-Sensitive as SSH?

    Any library can tamper with the inner workings of any executable it is linked against. Often, the developer of the executable will establish a link to a library that’s needed for it to work properly. OpenSSH, the most popular sshd implementation, doesn’t link the liblzma library, but Debian and many other Linux distributions add a patch to link sshd to systemd, a program that loads a variety of services during the system bootup. Systemd, in turn, links to liblzma, and this allows XZ Utils to exert control over sshd.

    How Did This Backdoor Come to Be?

    It would appear that this backdoor was years in the making. In 2021, someone with the username JiaT75 made their first known commit to an open source project. In retrospect, the change to the libarchive project is suspicious, because it replaced the safe_fprint funcion with a variant that has long been recognized as less secure. No one noticed at the time.

    The following year, JiaT75 submitted a patch over the XZ Utils mailing list, and, almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of XZ Utils, hadn’t been updating the software often or fast enough. Kumar, with the support of Dennis Ens and several other people who had never had a presence on the list, pressured Collin to bring on an additional developer to maintain the project.

    In January 2023, JiaT75 made their first commit to XZ Utils. In the months following, JiaT75, who used the name Jia Tan, became increasingly involved in XZ Utils affairs. For instance, Tan replaced Collins’ contact information with their own on oss-fuzz, a project that scans open source software for vulnerabilities that can be exploited. Tan also requested that oss-fuzz disable the ifunc function during testing, a change that prevented it from detecting the malicious changes Tan would soon make to XZ Utils.

    In February of this year, Tan issued commits for versions 5.6.0 and 5.6.1 of XZ Utils. The updates implemented the backdoor. In the following weeks, Tan or others appealed to developers of Ubuntu, Red Hat, and Debian to merge the updates into their OSes. Eventually, one of the two updates made its way into several releases, according to security firm Tenable. There’s more about Tan and the timeline here.

    Can You Say More About What This Backdoor Does?

    In a nutshell, it allows someone with the right private key to hijack sshd, the executable file responsible for making SSH connections, and from there to execute malicious commands. The backdoor is implemented through a five-stage loader that uses a series of simple but clever techniques to hide itself. It also provides the means for new payloads to be delivered without major changes being required.

    Multiple people who have reverse-engineered the updates have much more to say about the backdoor. Developer Sam James provided an overview here.

    Share. Facebook Twitter Pinterest LinkedIn WhatsApp Reddit Email
    Previous ArticleElon Musk says Tesla will reveal its robotaxi on August 8th
    Next Article The Earth Will Feast on Dead Cicadas

    Related Posts

    Don’t Fall for Sketchy iPhone VPNs—Here Are the Only 3 You Should Use

    October 18, 2025

    A New Attack Lets Hackers Steal 2-Factor Authentication Codes From Android Phones

    October 16, 2025

    North Korean Scammers Are Doing Architectural Design Now

    October 16, 2025

    ICE Wants to Build Out a 24/7 Social Media Surveillance Team

    October 14, 2025

    Satellites Are Leaking the World’s Secrets: Calls, Texts, Military and Corporate Data

    October 14, 2025

    ‘Happy Gilmore’ Producer Buys Spyware Maker NSO Group

    October 14, 2025
    Our Picks

    TiVo won the court battles, but lost the TV war

    October 18, 2025

    Motorola’s Razr Ultra and the Marshall Emberton II top this week’s best deals

    October 18, 2025

    The future I saw through the Meta Ray-Ban Display amazes and terrifies me

    October 18, 2025

    Don’t Fall for Sketchy iPhone VPNs—Here Are the Only 3 You Should Use

    October 18, 2025
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    • YouTube
    • Vimeo
    Don't Miss
    News

    Facebook’s new button lets its AI look at photos you haven’t uploaded yet

    By News RoomOctober 17, 2025

    Meta has rolled out an opt-in AI feature to its US and Canadian Facebook users…

    AI can’t even turn on the lights

    October 17, 2025

    Pokémon Legends: Z-A Rotom Phone review: better camera, higher jumps

    October 17, 2025

    Amazon’s Ring now works with video surveillance company Flock

    October 17, 2025
    Facebook X (Twitter) Instagram Pinterest
    • Privacy Policy
    • Terms of use
    • Advertise
    • Contact
    © 2025 Technology Mag. All Rights Reserved.

    Type above and press Enter to search. Press Esc to cancel.