Unveiling the OSS XZ Utils backdoor attempt: a legal perspective
24 April 2024
The discovery of a deliberately planted backdoor in open-source software (OSS) has raised pertinent legal concerns for businesses that rely on such software. Earlier incidents such as OpenSSL’s ‘Heartbleed’ (2014) and Log4j’s ‘Log4Shell’ (2021) were accidental vulnerabilities rather than backdoors, but they caused similar disruption and raised similar questions about who bears the risk.
The incident that warrants scrutiny here is the backdoor attempt within XZ Utils, disclosed on 29 March 2024 and tracked as CVE-2024-3094. It highlights the inherent risks of utilising OSS and the importance of robust legal frameworks in software procurement.
The XZ Utils backdoor attempt
XZ Utils is a set of compression tools and a library (liblzma) used in many software applications and systems, including Linux distributions, which together run the majority of the world’s servers.
Malicious code was inserted into XZ Utils release packages by a pseudonymous contributor who had spent roughly two years building trust and obtaining maintainer access. The code was hidden in build scripts and binary test files rather than in the readable source, and on some Linux distributions it hooked into the OpenSSH server (sshd) through liblzma. In effect it was a ‘master key’: anyone holding the attacker’s private key could run commands on an affected machine before authenticating, and from there steal data or plant further malware.
The attempt was caught before the affected releases (versions 5.6.0 and 5.6.1) reached most stable distributions, but it was discovered largely by chance, by a developer investigating why sshd had become slower, rather than by code review. That underscores how exposed OSS is to a patient and well-resourced intruder.
Risks of OSS utilization
The allure of OSS lies in its accessibility, collaborative nature, and cost-effectiveness. However, the XZ Utils incident serves as a stark reminder of the risks inherent in relying on OSS. These risks include:
- Security vulnerabilities: OSS is developed in the open and anyone may contribute. The scrutiny of a large community fosters transparency, but the same openness lets a malicious actor who earns the maintainers’ trust insert code that review does not catch. In the XZ Utils case the payload sat in build artefacts rather than in the readable source, so reading the code would not have revealed it.
- Compliance challenges: open-source licences come with a myriad of obligations and restrictions. Failure to adhere to these licences can result in legal repercussions, including costly litigation and damage to a company’s reputation.
- Dependency risks: many businesses rely on OSS components within their proprietary software without knowing it, often several layers deep in the dependency tree. XZ Utils illustrates this: the compromised library reached sshd indirectly, loaded through another library. Any vulnerability or backdoor in such a component can pose a significant threat to the security and integrity of the entire system.
Mitigating legal risks in software procurement
In light of the risks associated with OSS, businesses must adopt proactive measures to mitigate legal vulnerabilities in their software procurement processes. Key strategies include:
- Due diligence: prior to integrating software into their systems, businesses should conduct comprehensive due diligence to assess the security posture and licensing obligations associated with the software. This includes scrutinising the software’s development practices (for example, how contributors gain maintainer access and whether release packages can be reproduced from the published source), its vulnerability management processes, and licence compatibility with the business’s own licensing and distribution model.
- Contractual safeguards: when procuring software licences, businesses must negotiate robust contractual provisions that address key legal concerns, including warranties, indemnities and audit rights. Contracts should clearly delineate each party’s responsibilities regarding security, compliance (for example, with OSS licence terms) and intellectual property rights.
- Continuous monitoring and compliance: software procurement is not a one-time endeavour. It requires ongoing monitoring and compliance management to ensure that software components remain secure and compliant with legal requirements. Maintaining an accurate inventory of components and their versions (a software bill of materials), and running automated vulnerability scanning and licence tracking against it, lets a business establish within hours of an advisory whether it is affected and by which products.
- Engagement with lawyers: given the complex legal landscape surrounding software procurement, businesses should engage with lawyers specialising in technology and intellectual property law. Lawyers can provide helpful guidance in navigating licensing agreements, mitigating risks and responding to legal challenges.
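The following is an added example of the kind of automated check the ‘continuous monitoring’ point describes; it is not code from Birketts or from the XZ Utils project. It runs two checks over a constructed component inventory of the shape a software bill of materials tool would emit: whether any component sits in a version range named by an advisory, and whether any component carries a licence outside an organisation’s allow-list. The inventory, the licence allow-list and the shape of the advisory table are assumptions made for illustration; the one advisory entry reflects the public facts of the XZ Utils case (CVE-2024-3094, affecting versions 5.6.0 and 5.6.1).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    licence: str
    direct: bool  # False means the component arrived transitively via another dependency


def parse_version(text):
    """Turn '5.6.1' into (5, 6, 1) and '9.6p1' into (9, 6) so versions compare as tuples."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


# Advisory table (assumption: a feed the organisation maintains or pulls from a
# vulnerability database). Each entry is (inclusive low, inclusive high, identifier).
# The xz entry reflects the public advisory for the backdoored releases.
KNOWN_AFFECTED = {
    "xz": [("5.6.0", "5.6.1", "CVE-2024-3094")],
}

# Licence allow-list (assumption: whatever the organisation's policy permits).
LICENCE_ALLOWLIST = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "0BSD"}

# Constructed inventory for one host or build; names and versions are illustrative.
INVENTORY = [
    Component("openssh", "9.6p1", "BSD-2-Clause", direct=True),
    Component("xz", "5.6.1", "0BSD", direct=False),
    Component("log4j-core", "2.17.1", "Apache-2.0", direct=True),
    Component("somelib", "1.4.2", "AGPL-3.0-only", direct=False),
]


def find_affected(inventory, advisories=KNOWN_AFFECTED):
    """Return (component, advisory id) for every component inside an affected range."""
    hits = []
    for comp in inventory:
        v = parse_version(comp.version)
        for low, high, advisory in advisories.get(comp.name, []):
            if parse_version(low) <= v <= parse_version(high):
                hits.append((comp, advisory))
    return hits


def find_licence_issues(inventory, allowlist=LICENCE_ALLOWLIST):
    """Return components whose licence is not on the allow-list."""
    return [c for c in inventory if c.licence not in allowlist]


def report(inventory):
    """Summarise both checks; 'clean' is the flag a build or release gate would branch on."""
    affected = find_affected(inventory)
    licence = find_licence_issues(inventory)
    return {
        "affected": [
            (c.name, c.version, adv, "direct" if c.direct else "transitive")
            for c, adv in affected
        ],
        "licence": [(c.name, c.licence) for c in licence],
        "clean": not affected and not licence,
    }


if __name__ == "__main__":
    result = report(INVENTORY)
    for line in result["affected"]:
        print("VULNERABLE:", *line)
    for line in result["licence"]:
        print("LICENCE:", *line)
    print("clean:", result["clean"])
```

On the constructed inventory the check flags xz 5.6.1 as a transitive dependency hit for CVE-2024-3094 and somelib for its AGPL licence, and would pass a later or earlier xz release untouched. The caveat is that such a check only works once a version is publicly known to be bad: the XZ Utils payload was not visible in the source tree at all, so an inventory check is a tool for responding quickly to an advisory, not a substitute for the due diligence on development and release practices described above.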
The Birketts view
The XZ Utils backdoor attempt is a wake-up call for businesses regarding the legal risks of OSS utilisation. By adopting a proactive approach to software procurement, including thorough due diligence, robust contractual safeguards, continuous monitoring and engagement with legal experts, businesses can materially reduce these risks and safeguard their operations in an increasingly digitised world. As the software ecosystem continues to evolve, maintaining vigilance and prioritising legal compliance will be paramount for businesses seeking to leverage the benefits of OSS while guarding against its pitfalls.
If you would like any assistance in relation to software procurement or distribution please do not hesitate to get in touch with your main contact at Birketts or contact Jack Shreeve on [email protected] or Joseph Thompson on [email protected].
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at April 2024.