XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access


  • #91
    Here's a funny bit: "Incidentally, the bug was discovered by a Microsoft employee running valgrind tests on their Linux+Postgres system updates for Azure".

    Hopefully this will placate all the conspirologists in this thread. I'm now reading the Ars Technica discussion and oh boy it's so much more factual and pleasant than crazy conspiracy theories and accusations thrown here as an "excuse" for this accident.



    • #92
      avis is an obvious and shameless shill. calc wins the comment section today.



      • #93
        Originally posted by avis
        I've addressed this comment earlier. Had Microsoft ever done that, they would have suffered massive losses to the tune of billions of dollars, lost crucial markets or/and companies altogether and had lots of people imprisoned/fined/fired. It's insane to believe that the profit driven company would risk so much, just to appease someone, not to mention that MS/Apple/Google products are used by security agencies and governments. I'm sorry to say this, but your insinuations are pure lunacy.
        They don't care about any losses because they have shady agreements with governments and tons of money. Many users and companies depend on MS and Apple, so corporations have a good amount of power over them. So they can put whatever malware they want in there, and even if it turns out it's there, there's nothing you can do.



        • #94
          Originally posted by quaz0r
          avis is an obvious and shameless shill. calc wins the comment section today.
          Wins how? I've not heard a single valid counter-argument from him. Are you referring to the article in TheRegister that he mentioned? The article that's talking about a "possible" backdoor in Microsoft Outlook which has never been found?

          If you, sir, are biased against reality and facts, you're welcome to side with calc. Be my guest. I'm not a fan of confirmation bias which is seemingly very close to your heart.



          • #95
            Originally posted by spicfoo

            Michael is wrong. Go read the original sources. There is no such update for "Fedora 41" because it hasn't branched for development yet. The only update linked in the Red Hat blog is for Fedora 40.
            Is Red Hat also wrong?

            Red Hat Information Risk and Security and Red Hat Product Security learned that the latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access.


            What distributions are affected by this malicious code?

            Current investigation indicates that the packages are only present in Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem.



            • #96
              Originally posted by avis
              I'm not a fan of conspiracies.
              What conspiracies?



              • #97
                Originally posted by Monsterovich

                They don't care about any losses because they have shady agreements with governments and tons of money. Many users and companies depend on MS and Apple, so corporations have a good amount of power over them. So they can put whatever malware they want in there, and even if it turns out it's there, there's nothing you can do.
                You started with a wild conspiracy, now you've taken it a step further. Nothing you've said is based in reality and I'm not interested in discussing the things that are the product of your wild imagination. Sorry, I'll leave you right there.



                • #98
                  Originally posted by Volta
                  Imagine Windows trolls talking about security and code review! They have outdone themselves.
                  Imagine Linux trolls talking about security and code review! They have outdone themselves.

                  Much better.



                  • #99
                    Originally posted by kozman
                    I've used Windows since 89 and I too have not remembered hearing about any *known* or intentional backdoors. There's always been rumors for Bitlocker but it's yet to be proven. It doesn't mean there might not be one. No one has access to the code to qualify it. And yes, tons of vendors have been publicly busted for back doors. I hope you are >not< saying that a chain of vulnerabilities in aggregate cannot be manifested as a back door. A back door doesn't just have to just be an app running silently in the background or what this yoyo did to XZ. I'm not claiming to be a coder here but the basic idea of a backdoor has expanded since the old days.
                    Windows code is available for auditing:



                    The Enterprise Source Licensing Program (ESLP) licenses Microsoft Windows source code to qualified enterprise customers. The ESLP provides source code for most major releases and service packs of Windows (client and server).
                    Windows source code has been audited many times.

                    Also, the confirmed source code for Win XP is available online:





                    • Our guy (JiaT75 - Jia Tan) has made contributions to MSVC as well:

                      A list of new articles and doc updates for the Microsoft C/C++ compiler, ATL/MFC, C runtime, and standard library docs.


                      The plot thickens.
