Microsoft, zlib, and Security Flaws

nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, Front Page, Install Shield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."

Re:If we can't see MS's source

[Stonehand]

Quite a few people can, at universities and other sites. They just need to sign NDAs, that's all. Also, given that they take several hundred interns per year, and they aren't all fanatical Gates fans, there's a fair bit of opportunity for internal leaks as well.

InstallShield

[sharkey]

InstallShield is written and published by a company named InstallShield, and has been for many years. It is not a "Microsoft technology", but rather a technology that has support for creating software installation routines for Windows, amongst other OSes.

Comment removed

[account_deleted]

Comment removed based on user account deletion

hrm...

[Em+Emalb]

"The zlib library has been a fundamental open-source software component for almost a decade and can be found in almost every Linux and Unix system. That means the so-called "double free" flaw in the library may leave a hefty portion of Linux and Unix systems open to attack. Because it adopted some of the code, Microsoft apparently has made itself vulnerable to the flaw as well. "

Disclaimer: I am not a security weenie, so I don't know this for fact......*deep breath*....

If this is true, why is it only news for MS? It appears that Linux and Unix is also vulnerable. So why only set up the article as MS related?

*bash MS* bash bash bash....it's popular right?

Re:Win2k news thought...

[ghostlibrary]

Argh! Bad statistics alert!

"vulnerabilities found in Windows and all Linux flavors combined are almost the same"

So if I am running RedHat, Mandrake, SUSE, and Debian simultaneously, I have the same number of flaws as a single run of Win2k?

They should either use the average (among linux dists) or the max (ditto), vs Win. Or sum across all current Win flavors (ME, Win2k. maybe NT) to compare against all linux flavors (summed).

Argh!

Re:Seriously? Microsoft use open source code?

[DA-MAN]

And Windriver or whoever controlled BSDI at the time made some serious cash in that deal. They got paid to make the tcp/ip stack work well in 2000/XP and they've done a good job of it.

I just wonder if Microsoft was able to taint some of the BSD coders by allowing them to view their code. I'm sure integrating something like a TCP/IP stack required access to some 2000/XP src code. Anyone know?

Here is a list of apps vunerable

[ZaneMcAuley]

http://www.gzip.org/zlib/apps.html

At least nine of Microsoft's major applications--including Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page--appear to incorporate borrowed code from the compression library and could be vulnerable to a similar attack.

"Borrowed"? Whats the license for zlib?

Re:notification issue

[garett_spencley]

I don't see it as the zlib author's responsibility to notify everyone that uses their library.

I do feel that they should (but are not obligated to) send out a few public notices that will be spread around so that people who's programs use the library can update it and that's exactly what they did.

Also the big problem with this security issue isn't programs that dynamically link to libz.so. Those are easy to fix because all you have to do is upgrade your zlib and they're automagically fixed.

It's the programs that statically link the zlib library (meaning it gets copied right into the actual binary at compile time) that you have to worry about because an ldd won't show you that.

Also many people use their own modified version of zlib (XFree86, rpm, rsync, the linux kernel etc.) and so those are very hard to catch as well.

Florian Weimer wrote a perl script which will check for binaries on your system that are statically linked. You can read his post to Bugtraq here.

--
Garett

Re:Seriously? Microsoft use open source code?

[leviramsey]

Either way, browsing other competitor products code whether its free, open GPL or whatever is gonna be risky for a business in legal terms.

How is reading, even verbatim copying, of BSD-licensed code risky in legal terms. The license explicitly allows incorporation into any type of software (commercial, open, or free). Microsoft could put out their own version of one of the *BSDs, with the only difference from it's base BSD being having the Windows GUI grafted on top of it and no source included.

The relevant passage in the BSD license (from http://www.freebsd.org/copyright/license.html ):

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

All advertising materials mentioning features or use of this software must display the following acknowledgement:

[ACKNOWLEDGEMENT DELETED FOR BREVITY --LR]

There are licenses that are the BSD license, less the advertising clause (it is the advertising clause that prevents BSD from being a free license according to the FSF), such as the MIT license. These licenses are the freest of all the licenses (short of public domain).

If you ever had any doubt...

[SlashChick]

...that Microsoft uses free software, I invite you to take a look at this.

In Windows 2000, open a command prompt window. Type "nslookup". This will drop you into interactive mode for nslookup, which has been ported from UNIX (most likely BSD.)

Now type "help". Check out this line at the bottom of the output:

view FILE - sort an 'ls' output file and view it with pg

Uh, yeah. Oops.

Re:If you ever had any doubt...

[Gabey]

Actually, I think that's referring to the ls commands that you can give to nslookup:

ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)

-gps

Re:If you ever had any doubt...

[DeadMeat+(TM)]

C:\WINNT\system32>strings NSLOOKUP.EXE|grep Copyright
@(#) Copyright (c) 1985,1989 Regents of the University of California.

That answer your question?

Re:Um?

[garett_spencley]

The problem is a buffer overflow which is a lot more serious than a crash.

I apologize in advance if I'm being a little too trivial but I'm assuming that you are 100% non-technical just incase this post appeals to someone or some people who are.

When a program needs to temporarily store an ammount of data it uses what's called a buffer. This is just a segment of memory where it can store it's data.

A buffer overflow occurs when the buffer get's filled past it's allocated regions. So in other words let's say the programmer has set up a buffer that's 1024 bytes. An overflow is when the user fills that 1024 byte buffer with more than 1024 bytes.

What happens? Well ideally the extra data wouldn't get stored in memory at all but unfortunately computers don't work that way. Instead whatever is stored in memory AFTER the 1024 bytes gets overwritten.

So let's say the programmer had the following code in his buggy program.

buffer[1024] // set up a buffer that's 1024 bytes
read data, buffer // read data into buffer
do something

What the hacker has to do is input 1024 of garbage and then overwrite the memory with some other computer instruction. Like the instructions necessary to execute a shell.

You see when the buffer is overflown the "do something" instruction will get overwritten with whatever data the hacker puts into the buffer. If the program is running as root then when the "do something" instruction is overwritten with the instructions to execute a shell the hacker will have himself root access!

But it's even more serious than that becuase let's say the program is a web server running as nobody. Before the hacker exploits the buffer overflow he has no access. But he knows about this overflow so he overflow's it by sending apache a very long request containing the instructions to execute a shell. He has just gained "nobody" access to the system and from there he can figure out how to get root access.

The solution is for the programmer to make sure that the user is only entering in 1024 bytes of data at the most. Unfortunately many programs weren't written to do this.

I hope this explains to people why these bugs are more serious than "my system will crash".

--
Garett

It's NOT a buffer overflow!!!!!!

[Smallest]

it's a double-free problem. the two are totally different.

read all about it : http://www.gzip.org/zlib/advisory-2002-03-11.txt

-c

Re:mutatis mutandis

[afidel]

Well you seem to be implying that NT4 does not put the graphics code in the kernal, this is incorrect. This was one of the biggest "improvements" from nt 3.51 -> nt 4.0 is that the graphics subsystem got moved into the kernal for a speed increase. It is also (when coupled with crappy drivers) the second leading cause of nt instability after IIS =)

Re:None the less ...

[rjamestaylor]

Why wait for a bug? Scan for "signatures". That's how the use of BSD's TCP/IP stack was determined (that, and the "Regent" copyright).

Re:Which explains why MS is not attacked more

[FuzzieNorn]

Recent versions of Windows use a rewritten TCP/IP stack, so even if they did use the BSD stack for Win95/NT4/etc (which they almost definitely did, based on its behaviour), they aren't using it any more.

Re:BSD code in NT4 utils at least

[joelsherrill]

My machine has a bunch of stuff on it so a virgin
Win2K system MIGHT have different results but I
handchecked that the file's date matched the
install date on the machine. So CAVEAT EMPTOR...
a slightly fancier grep and some patience ...

find . -type f | while read f
do
strings "$f" | grep -i "Copyright " | grep -v Microsoft
test $? -eq 0 && echo $f
done

showed up Thomas Lane's open source JPEG work in multiple places, Mark H. Colburn's work in system32/pax.exe, Mark Adler's PNG work in at least system32/pngfilt.dll and a few more interesting cases.

system32/offfilt.dll has Mark Adler's inflate in it.

c:\Program Files\Common Files\Microsoft Shared\VGX appears to have zlib based upon this:

$ strings Program\ Files/Common\ Files/Microsoft\ Shared/VGX/vgx.dll | grep -i Copy
4,f deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
f,f inflate 1.1.3 Copyright 1995-1998 Mark Adler

And Adobe Acrobat PDFWriter also uses zlib per system32/spool/drivers/w32x86/2/pdfdd.dll.

This is far from exhaustive of 100% scientfic but a good starting point.

--joel

Re:notification issue

[csbruce]

I do feel that they should (but are not obligated to) send out a few public notices that will be spread around so that people who's programs use the library can update it and that's exactly what they did.

Unless I am missing my guess, I ran into this particular bug in zlib about a year ago and I e-mailed the people at the project address. They responded that they already knew about it and sent me the patch. So what exactly is it that happened recently? Did someone figure out a way to use the bug to crack a system and this set off all kinds of alarms? There should have been a zlib fix-up release a long time ago.

Microsoft NOT vulnerable to zlib bug!

[jpmorgan]

The security vulnerability is due to zlib trying to free the same section of memory twice. The glibc memory allocation routines aren't very smart, and will cause heap corruption if you try to do this. This heap corruption can be exploited.

The Microsoft runtime libraries have smarter memory allocation and deallocation - attempting to free the same area of memory twice does not result in heap corruption. Consequently the zlib bug isn't a security vulnerability in Windows.

Re:notification issue

The problem is that glibc doesn't handle the zlib bug properly, and the bug produces a buffer overflow.

So it's a bug in only Linux (which uses glibc) and all the hand waving here is an attempt to muddy the truth up.

The people who know their shit can figure it out in a few minutes. Then those in the know who are Linux advocates can wipe the egg off their face and get on with life.

The people who don't know shit, of course, will continue to run around trying to pretend it's not a Linux-specific security problem. The egg will dry on their faces.

Are they complying with the licence?

[alriddoch]

Reading up on the zlib licence, which is short and easy to understand, I find this clause:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

The way I read this, if software uses zlib code, then the authors of their software must not claim to have written the code. Microsoft are not obliged to acknowledge the zlib authors anywhere, but if they make a copyright statement saying that the code was written by Microsoft, then surely they are claiming that they wrote the zlib code in their product, and are therefor breaking this clause?

Does anyone know if Microsofts' copyright statements comply?

I am probably too late for this point to be discussed.