XZ and You

The xz (really, liblzma) attack was never possible on macOS.

  • The backdoor requires glibc, but Apple ships its own libc;

  • The backdoor depended on systemd to load sshd: the actual injection mechanism went through systemd, which, for reasons of its own, links to liblzma. macOS doesn't include systemd at all; and

  • The backdoor code was only injected during the build if make was run (a) on Linux and (b) when creating a dpkg or an rpm.

All that said, we are brute-force deleting xz 5.6.0 and 5.6.1 from the common Homebrew paths, /opt/homebrew/Cellar/xz/5.6.0 and /usr/local/Cellar/xz/5.6.0 (and the corresponding 5.6.1 directories), on all systems anyway. If someone installed brew in some other path, such as their home directory, we are not going to seek it out and delete it.
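As an added example (not code from the original page), a POSIX shell script that performs the brute-force deletion described above across both standard Homebrew prefixes; it runs as a dry run unless DRY_RUN=0 is set, and its check of the xz binary on PATH assumes the usual `xz (XZ Utils) 5.x.y` banner format.

```shell
#!/bin/sh
# Added example: locate and remove the affected xz Cellar versions in the
# two standard Homebrew prefixes. Dry run by default; DRY_RUN=0 deletes.

AFFECTED_VERSIONS="5.6.0 5.6.1"                            # versions named on the page
HOMEBREW_CELLARS="/opt/homebrew/Cellar /usr/local/Cellar"  # Apple Silicon / Intel
DRY_RUN="${DRY_RUN:-1}"

# Exit 0 when $1 is one of the affected version strings.
is_affected_version() {
  for v in $AFFECTED_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# Print each affected xz version directory that exists under Cellar $1.
affected_xz_dirs() {
  for v in $AFFECTED_VERSIONS; do
    [ -d "$1/xz/$v" ] && echo "$1/xz/$v"
  done
  return 0
}

# Remove (or, in a dry run, only report) affected xz directories under Cellar $1.
purge_affected_xz() {
  for d in $(affected_xz_dirs "$1"); do
    if [ "$DRY_RUN" = "1" ]; then
      echo "would remove: $d"
    else
      rm -rf "$d" && echo "removed: $d"
    fi
  done
  return 0
}

# Exit 0 if the xz on PATH reports an affected version (assumes the
# first line of `xz --version` ends with the version, e.g. "xz (XZ Utils) 5.4.6").
path_xz_is_affected() {
  ver=$(xz --version 2>/dev/null | sed -n '1s/.* //p')
  [ -n "$ver" ] && is_affected_version "$ver"
}

for cellar in $HOMEBREW_CELLARS; do
  purge_affected_xz "$cellar"
done
if path_xz_is_affected; then
  echo "WARNING: the xz binary on PATH is an affected version"
fi
```

A Homebrew installed under a home directory is outside the two prefixes listed and is deliberately not searched, matching the policy above.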

Russ Cox (co-creator of Go, among other things) has a serious in-depth explanation: 

https://research.swtch.com/xz-script
