An Analysis Of The XZ Malware Injection Process

If you’re in tech and not in a coma, you will have at least heard of the recent attempt to inject malware through the xz (de)compression utility. The technical press, as is its wont, has been blasting the story all over the Internet. They have, of course, as is also their wont, got large parts of the story incorrect and pawned off speculation and misinterpretation as informed commentary.

Many stories stated that “unix-like” systems were affected by the exploit. Does that mean macOS users should worry? What about users of FreeBSD and the other BSD distributions? The short answer is no. Only x86-64 Linux systems are at risk.

Christian “naddy” Weisgerber is the maintainer of the archivers/xz port for OpenBSD so, of course, he was very interested in this and took a close look at the malware injection process. His TL;DR is that the injection script explicitly aborts if it’s not running on an x86-64 Linux system.

He has a long post on the openbsd-misc mailing list that details his findings. The malware author(s) went to great pains to hide what they were doing. The process proceeds in several stages, with each stage stripping the obfuscation from the next. The malicious code was hidden in two “test” files that purportedly exercised the decompressor. These files, by themselves, seemed completely innocuous even when examined.

Weisgerber’s post is a good overview of what was going on and should interest any security nerds out there. The post doesn’t go into the low-level details, so it’s interesting even if you aren’t concerned with the nitty-gritty.
