Comment by jiggawatts

14 hours ago

Conversely, this kind of attack: https://en.wikipedia.org/wiki/XZ_Utils_backdoor

...is essentially impossible to pull off against commercial operating systems, because their core components are all written in-house by staff with photo ID badges, details with HR, tax returns filed with the government, and a cubicle that makes sure that they're locals and not some faceless anonymous hacker identifiable by nothing other than a throwaway faked email address!

I get that there was a lot of "stigma" about open source, the world largely forgot about it, but... actually, in this sense of allowing anonymous contributions it remains a very real risk.

"Jia Tan" was almost certainly a paid professional hacker working for a nation-state actor. Their "helpful contributions" to XZ Utils were nowhere near a full-time effort. They certainly had "other irons on the fire", most probably in the Linux kernel or immediately adjacent to it.

He's probably not the only one doing this kind of "work".

For all you know, Linux has more remote exploits purposefully baked into it than Windows has security bugs inadvertently left in it... and don't forget Linux has bugs leading to security vulnerabilities too!

A rough count of "named" CVE 10.0 score (or close to it) vulns in the last 5 years:

7 for Microsoft: ProxyLogon, ProxyShell, ProxyNotShell, LDAPNightmare, PrintNightmare, noPac, Follina

10 for Linux: XZ Utils, regreSSHion, Leaky Vessels, Copy Fail, PwnKit, Dirty Pipe, Looney Tunables, GameOver(lay), Baron Samedit, Sequoia

Windows has had a lot more named high-CVEs than that: MonikerLink, QueueJumper, Certifried, HiveNightmare...

As for "Linux", you'd need to specify the distro and environment, because Linux systems can be very different from one another. Your XZ example, for instance, didn't even affect most enterprise distros (like RHEL). regreSSHion didn't affect any musl libc distros like Alpine, but other systems would've also been unaffected had you set your LoginGraceTime to 0, which any sysadmin worth their salt would've done. Leaky Vessels fails on SELinux enforcing distros (RHEL, Fedora etc.) and sandboxed environments. I could go on, but you get the picture. Comparing the number of "Linux" vulnerabilities to Windows is completely pointless.