Tell HN: XZ: Windows Potentially Affected

4 points

2 years ago

Microsoft expanded Explorer's list of supported archive formats in Windows 11 KB5031455 (Oct 31, 2023). See discussion: https://news.ycombinator.com/item?id=38084314 (the question of security has been raised)

It uses libarchive, which, I believe, depends on XZ.

To clarify, it is not affected by the specific vulnerability, but since the XZ seems to have been maintained by a bad actor for 2 years, there might be other ones.

The update in question: https://support.microsoft.com/en-us/topic/october-31-2023-kb5031455-os-builds-22621-2506-and-22631-2506-preview-6513c5ec-c5a2-4aaf-97f5-44c13d29e0d4