Have you ever heard of XZ Utils? It’s a handy tool for data compression in Linux systems that’s widely used but not well-known outside the world of open-source software. However, last week, security experts uncovered a serious flaw in XZ Utils that could leave networked Linux computers open to malicious attacks.

This vulnerability is no small matter. A skilled hacker exploiting this flaw could potentially take control of vulnerable Linux systems, including those used worldwide in email and web servers and application platforms. That means the device you’re using to read this right now could have been affected! 

While significant software vulnerabilities like the SolarWinds hack and the Heartbleed bug are not new, this one is particularly worrisome because it took advantage of how open-source software development often works. Like many open-source projects, XZ Utils is primarily maintained by a single volunteer working in their spare time. This model has created enormous benefits for the world through free software but also carries unique risks.

So, here’s a quick refresher on open-source software. Most commercial software, such as the Windows operating system or the Instagram app, is “closed-source” – which means nobody except its creators can read or modify the source code. In contrast, with “open-source” software, the source code is openly available, and anyone is free to read, modify and share it.

Open-source software is everywhere, particularly in the “nuts and bolts” of software consumers don’t see, and is hugely valuable. In fact, one recent study estimated the total value of open-source software today at $8.8 trillion.

Two years ago, a developer named Lasse Collin maintained the XZ Utils project. Around that time, Jia Tan submitted an improvement to the software. Little did Collin know, but Jia Tan was not who they appeared to be. 

Over the next two years, Jia Tan became more and more involved, and eventually they introduced a carefully hidden backdoor into the software’s source code. The revised code secretly alters the behaviour of another piece of software, the ubiquitous network security tool OpenSSH, so that it lets a specific intruder pass malicious code to the target system. As a result, that intruder can run any code they like on the target machine.

The latest XZ Utils version containing the backdoor was set to be included in popular Linux distributions and rolled out worldwide. However, a Microsoft engineer investigating memory irregularities on his system caught the malicious code before it was too late.

What does this incident mean for open-source software? Despite initial appearances, it doesn’t mean open-source software is insecure, unreliable, or untrustworthy. Because all the code is available for public scrutiny, developers worldwide could rapidly begin analyzing the backdoor and the history of how the malicious actor introduced it. These findings could be documented, distributed, and shared, and the specific malicious code fragments could be identified and removed.

A response on this scale would not have been possible with closed-source software. An attacker would need to take a different approach to target a closed-source tool, perhaps by posing as a company employee for an extended period and exploiting the weaknesses of the closed-source software production process. However, if they did manage to plant such a backdoor in proprietary software, large-scale, distributed code auditing would be impossible.

Stay safe out there!

This post is derived from an original article by Sigi Goode, Professor of Information Systems, Australian National University, posted on The Conversation.