Why do they say "almost" infected the world? At least 3 quite popular Linux distributions (arch, gentoo, and opensuse tumbleweed) ended up shipping the backdoor _for weeks_ , and it was most definitely working in at least tumbleweed. For weeks! A backdoored ssh! Hardly "almost".
Arch and Gentoo are fairly popular as hobbyist distributions but they’re far less common in professional use, especially for the servers running SSH which this attack targeted. That doesn’t mean what happened is in any way okay but if this hadn’t been noticed long enough to make it into RHEL or Debian/Ubuntu stable you would be hearing about it in notifications from your bank, healthcare providers, etc. A pre-auth RCE would mean anyone who doesn’t have a tightly-restricted network and robust flow logging would struggle to say that they hadn’t been affected.
Aye, this. RHEL is the industry standard and if you're not using that because you want Enterprise Support then you're using a derivative like Fedora, CentOS, or Rocky. Or else you hang out in the .deb side and use Debian or Ubuntu.
Arch is popular with a niche group of end users, but that ain't what most enterprise architectures are working on.
It doesn't seem to have been actually included in the Arch (binary) package but only because the backdoor build system itself didn't include the backdoor for Arch. If you `cmp -l liblzma.so.5.6.1` between xz-5.6.1-1 and xz-5.6.1-2 there are only tiny differences. I'm guessing they didn't notice this before writing the advisory.
That’s because one of the first stages of the backdoor, which actually runs at build time, checks if the distro is DEB or RPM based and aborts otherwise.
I think the message would more likely be "don't use open source and pay for closed source" than "give money to open source and cross your fingers that it does something".
It might be riskier (because you'd have to identify yourself with government documents) to plant a backdoor in a similar way at a large, proprietary software vendor like Microsoft. But I don't know that it would be harder. And in the case of proprietary software there would not be nearly as much public scrutiny, and the scrutinizing public would have fewer resources for inspecting it.
Either way, it gives more jobs and $$$ to software developers in general. I'm fine with both :)
Just imagine how many more jobs will be created if every large company decides to roll their own stuff. A lot are actually doing this, but not enough.
If that is the takeaway the industry takes from this, it will be a huge mistake. We are talking about this at all precisely because it was open source. Commercial closed source software can simply be assumed to be compromised. We know of enough instances of it happening that if you still have a knee-jerk "oh that sounds like a conspiracy theory" reaction to that claim, you need to recalibrate your conspiracy theory meter, quickly.
Also F5 or Citrix: some of their core security products had 90s-style C exploits and other signs of development practices well behind the times - roughly at the level of going to surgery and seeing your surgeon not washing their hands in the bathroom.
Yeah, I'm not implying that's the way to go, but thinking that since something open source was compromised it will encourage businesses to donate is wishful thinking.
This might solve the original author's issues, AND might also attract other people to do the job. The more people, the more eyes. It's definitely not a silver bullet, but I would be surprised if OSS maintainers were fine with the current financial arrangement, or lack of it.
Money itself doesn't necessarily cure mental health issues. I mean it usually doesn't hurt, but it's not like you can blend cash up into a smoothie and cure depression. (Yes, that's a South Park reference.)
Arch and Gentoo were also not supported, although the code shipped, because the exploit explicitly checked for RPM- and deb-packaged distros.
Suse is RPM based, but I don’t remember whether the check was for the utilities or another method — Suse uses zypper for package management, as opposed to yum/dnf on the far more popular Red Hat-based distros, so it depends how the exploit checked.
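The build-time gate the comments above are discussing, as an added illustration that is not code from this thread or from the xz project. It models only the packaging check that the published analyses of the injected xz 5.6.x build script describe: the stage proceeded when the source tree contained `debian/rules` (a .deb package build) or when the environment variable `RPM_ARCH` was set to `x86_64` (an rpmbuild environment); the script's further conditions (x86_64 Linux target, gcc and GNU ld) are left out. The function names and the sample source trees are mine.

```shell
#!/bin/sh
# Added illustration of the distro gate in the xz backdoor's build-time stage.
# Only the packaging check is modeled; see the lead-in for what is omitted.
# Function names and the sample trees below are constructed for this example.

# would_gate_pass SRCDIR RPM_ARCH_VALUE
# Returns 0 (the stage would proceed) when SRCDIR/debian/rules exists or when
# RPM_ARCH_VALUE is exactly "x86_64"; returns 1 (the stage would abort) otherwise.
would_gate_pass() {
    srcdir=$1
    rpm_arch=$2
    if [ -f "$srcdir/debian/rules" ]; then
        return 0            # Debian-style packaging present: proceed
    fi
    if [ "x$rpm_arch" = "xx86_64" ]; then
        return 0            # rpmbuild environment on x86_64: proceed
    fi
    return 1                # plain source build, Arch, Gentoo, other arch: abort
}

# describe SRCDIR RPM_ARCH_VALUE -> prints "proceeds" or "aborts"
describe() {
    if would_gate_pass "$1" "$2"; then echo proceeds; else echo aborts; fi
}

# Constructed sample trees standing in for four build scenarios.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/deb/debian" "$tmp/rpm" "$tmp/arch"
    : > "$tmp/deb/debian/rules"

    echo "Debian/Ubuntu package build:   $(describe "$tmp/deb" "")"
    echo "rpmbuild (Fedora, RHEL, SUSE): $(describe "$tmp/rpm" x86_64)"
    echo "rpmbuild on aarch64:           $(describe "$tmp/rpm" aarch64)"
    echo "Arch/Gentoo or plain make:     $(describe "$tmp/arch" "")"
    rm -rf "$tmp"
}

demo
```

Two things follow from the shape of the check. It never looks at the package manager front end, so the zypper/dnf distinction does not matter: rpmbuild exports `RPM_ARCH` into the %build environment on any RPM distro, which is why an x86_64 Tumbleweed build passed while Arch and Gentoo, which build from the tarball with neither `debian/rules` nor `RPM_ARCH`, did not, even though the tainted tarball was shipped.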