XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access


  • #81
    Originally posted by Monsterovich View Post

    Malicious code is already built into the OS such as Windows, and since the code is closed, you don't know that there is a virus in there.
    You're welcome to prove that. Windows can be downloaded for free from https://www.microsoft.com/software-download/windows11

    Maybe you could stop with conspiracies so popular among Open Source fans.

    Comment


    • #82
      Originally posted by salvaju29ro View Post
      If I update XZ to the correct version is it enough to eliminate the backdoor? I'm not very expert
      Downgrade to XZ 5.4.6 for now.
      Whenever XZ 5.6.2 is released, upgrade to it.

      Comment


      • #83
        Originally posted by tildearrow View Post

        Downgrade to XZ 5.4.6 for now.
        Whenever XZ 5.6.2 is released, upgrade to it.
        If the person's systems have been accessed/compromised, the only "workaround" is to wipe everything he's ever accessed from them and reset all the passwords.

        Comment


        • #84
          Originally posted by avis View Post
          You've shown an unpatched vulnerability. Looks like you don't understand the difference between "backdoor" and "vulnerability". Please don't reply to my comments any longer. I won't be reading yours as well. Peace out.
          Companies that need to install backdoors into hardware/software that can be inspected, and aren't grossly incompetent, do so via intentional "vulnerabilities", otherwise once an obvious backdoor was found it would be the end of that company at least for any customer that values security at all.

          So the lack of obvious backdoors in shipped hardware/software is not proof of lack of intentionally making backdoors possible, e.g. the Apple backdoor mentioned in page 7 of this thread.

          And you completely ignored the fact that CVEs are not for managed services despite you asking for a CVE related to one in an earlier comment.

          Your arguments come off like you are an intern for the DoD, they are definitely not very good counter arguments but at least you are trying.

          Comment


          • #85
            An update from SUSE which basically confirms what I've just said:

            For our openSUSE Tumbleweed users where SSH is exposed to the internet we recommend installing fresh, as it’s unknown if the backdoor has been exploited. Due to the sophisticated nature of the backdoor an on-system detection of a breach is likely not possible. Also rotation of any credentials that could have been fetched from the system is highly recommended.
            calc

            Won't be reading this like I promised. Continue to debate this with someone else.

            Comment


            • #86
              Originally posted by avis View Post

              You're welcome to prove that. Windows can be downloaded for free from https://www.microsoft.com/software-download/windows11

              Maybe you could stop with conspiracies so popular among Open Source fans.
              There is no way to prove or disprove that. Uncertainty is worse than certainty. Closed-source software is potentially dangerous, especially software developed by corporations. Especially by corporations with selfish interests, such as Apple and MS.

              Comment


              • #87
                Originally posted by avis View Post

                You're welcome to prove that. Windows can be downloaded for free from https://www.microsoft.com/software-download/windows11

                Maybe you could stop with conspiracies so popular among Open Source fans.
                Current versions of Windows force you to install the updates from their server from time to time - this alone is a backdoor

                Corporations have been spreading malware/backdoors for decades - sometimes willingly, sometimes not. Remember the Sony rootkit scandal, where an audio CD was installing software which was "calling home" whether the user agreed or not? Or the ASUS motherboard software update, which was spreading the ShadowHammer malware a few years ago? There was malware distributed with CCleaner. And so on…

                [edit] There were cover CDs with malware in my country. Even Microsoft did ship some CDs containing malware, namely the Solution Provider CD. Sega did ship the malware with the Atelier Marie game. And so on…
                Last edited by Nocturnal64; 29 March 2024, 06:09 PM.

                Comment


                • #88
                  Originally posted by Monsterovich View Post

                  There is no way to prove or disprove that. Uncertainty is worse than certainty. Closed-source software is potentially dangerous, especially software developed by corporations. Especially by corporations with selfish interests, such as Apple and MS.
                  I've addressed this comment earlier. Had Microsoft ever done that, they would have suffered massive losses to the tune of billions of dollars, lost crucial markets or/and companies altogether and had lots of people imprisoned/fined/fired. It's insane to believe that the profit driven company would risk so much, just to appease someone, not to mention that MS/Apple/Google products are used by security agencies and governments. I'm sorry to say this, but your insinuations are pure lunacy.

                  Originally posted by Nocturnal64 View Post

                  Current versions of Windows force you to install the updates from their server from time to time - this alone is a backdoor

                  Corporations have been spreading malware/backdoors for decades - sometimes willingly, sometimes not. Remember the Sony rootkit scandal, where an audio CD was installing software which was "calling home" whether the user agreed or not? Or the ASUS motherboard software update, which was spreading the ShadowHammer malware a few years ago? There was malware distributed with CCleaner. And so on…
                  They distribute exactly the same updates to everyone. Also, would be great if you showed a single case of MS pushing "malware updates". I dare you.
                  • Phoning home is not malware.
                  • ASUS was hacked.
                  • CCleaner is a minor ISV and all bets are off.
                  Again I've asked to show malware being willingly distributed by MS/Google/Apple and we are now close to 90 comments here and not a single proof. A ton of whataboutism though. Have a nice day.
                  Last edited by avis; 29 March 2024, 06:09 PM.

                  Comment


                  • #89
                    Originally posted by avis View Post

                    You've shown an unpatched vulnerability. Looks like you don't understand the difference between "backdoor" and "vulnerability". Please don't reply to my comments any longer. I won't be reading yours as well. Peace out.
                    A good backdoor looks like an accidental vulnerability.

                    If it were not open source, it would probably not have been discovered at all. It would not be possible to discover that the source tarball is different than git. If it were discovered, there would be no evidence of anything malicious.
                    Last edited by LightBit; 29 March 2024, 06:16 PM.

                    Comment
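The tarball-versus-git difference raised in #89 can be checked mechanically. The following is an added example, not part of the thread and not any project's own tooling: it hashes every file in a release tarball and compares the result with the files at the release tag. The project name, paths and contents are constructed sample data for a hypothetical project.

```python
import hashlib
import io
import tarfile

def tarball_digests(tar_bytes: bytes) -> dict:
    """Map each regular file in the tarball to its SHA-256, minus the top-level dir."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                path = member.name.split("/", 1)[-1]  # drop "name-version/"
                data = tar.extractfile(member).read()
                digests[path] = hashlib.sha256(data).hexdigest()
    return digests

def compare(tar_bytes: bytes, git_tree: dict) -> dict:
    """git_tree maps path -> file bytes as checked out at the release tag."""
    rel = tarball_digests(tar_bytes)
    git = {p: hashlib.sha256(d).hexdigest() for p, d in git_tree.items()}
    return {
        "only_in_tarball": sorted(rel.keys() - git.keys()),
        "only_in_git": sorted(git.keys() - rel.keys()),
        "modified": sorted(p for p in rel.keys() & git.keys() if rel[p] != git[p]),
    }

def make_tarball(files: dict, prefix: str) -> bytes:
    """Build a .tar.gz in memory so the demo runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data: a hypothetical project, not xz's real files.
GIT_TREE = {"src/main.c": b"int main(void){return 0;}\n",
            "configure.ac": b"AC_INIT([demo],[1.0])\n",
            "m4/check.m4": b"# upstream macro\n",
            ".gitignore": b"*.o\n"}
RELEASE = {p: d for p, d in GIT_TREE.items() if p != ".gitignore"}
RELEASE["configure"] = b"#!/bin/sh\n# generated at release time\n"
RELEASE["m4/check.m4"] = b"# upstream macro\n# line absent from git\n"
SAMPLE_TARBALL = make_tarball(RELEASE, "demo-1.0")

if __name__ == "__main__":
    for kind, paths in compare(SAMPLE_TARBALL, GIT_TREE).items():
        print(kind, paths)
```

Files that exist only in the tarball are normal for autotools projects (a generated `configure` and similar), so they cannot be dismissed by diffing against git and need their own review; a file that exists in both places with different content is the stronger signal.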


                    • #90
                      The malware author has managed to push updates into the Linux kernel as well:



                      It's all good.

                      Originally posted by LightBit View Post
                      A good backdoor looks like an accidental vulnerability.

                      If it were not open source, it would probably not have been discovered at all. It would not be possible to discover that the source tarball is different than git. If it were discovered, there would be no evidence of anything malicious.
                      I'm not a fan of conspiracies. Have a nice day.

                      Comment
