Slashdot Mirror


Microsoft, zlib, and Security Flaws

nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, Front Page, Install Shield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."

4 of 470 comments

  1. Re:If we can't see MS's source by Stonehand · Score: 5, Informative

    Quite a few people can, at universities and other sites. They just need to sign NDAs, that's all. Also, given that they take several hundred interns per year, and they aren't all fanatical Gates fans, there's a fair bit of opportunity for internal leaks as well.

    --
    Only the dead have seen the end of war.
  2. InstallShield by sharkey · Score: 5, Informative

    InstallShield is written and published by a company named InstallShield, and has been for many years. It is not a "Microsoft technology", but rather a technology that has support for creating software installation routines for Windows, amongst other OSes.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  3. Re:notification issue by garett_spencley · Score: 5, Informative

    I don't see it as the zlib author's responsibility to notify everyone that uses their library.

    I do feel that they should (but are not obligated to) send out a few public notices that will be spread around so that people whose programs use the library can update it, and that's exactly what they did.

    Also the big problem with this security issue isn't programs that dynamically link to libz.so. Those are easy to fix because all you have to do is upgrade your zlib and they're automagically fixed.

    It's the programs that statically link the zlib library (meaning it gets copied right into the actual binary at compile time) that you have to worry about because an ldd won't show you that.

    Also many people use their own modified version of zlib (XFree86, rpm, rsync, the linux kernel etc.) and so those are very hard to catch as well.

    Florian Weimer wrote a perl script which will check for binaries on your system that are statically linked. You can read his post to Bugtraq here.

    --
    Garett

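The check garett_spencley describes above, as an added example that is not part of the post and not Florian Weimer's script: zlib's deflate.c and inflate.c carry a literal banner of the form "deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly", so a statically linked copy leaves that string inside the binary even though `ldd` never lists libz. The script below scans raw bytes (or a directory tree) for that banner and reports copies older than a threshold; the sample byte blobs are constructed, and the default threshold of 1.1.4 (the release that corrected the flaw under discussion) is an assumption of this example, not something the post states.

```python
import os
import re
from typing import Iterator, List, Tuple

# Banner that zlib embeds in every build; the version follows the word
# "deflate" or "inflate". The regex is an assumption based on zlib's source.
ZLIB_BANNER = re.compile(
    rb"(deflate|inflate) (\d+\.\d+(?:\.\d+)?) Copyright \d{4}-\d{4} "
)

# Constructed sample binaries (not real files): one with an old embedded
# zlib, one with a fixed one, and one that only links libz dynamically.
SAMPLE_OLD = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 16
    + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
    + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler "
)
SAMPLE_NEW = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 16
    + b" deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly "
    + b" inflate 1.1.4 Copyright 1995-2002 Mark Adler "
)
SAMPLE_DYNAMIC = b"\x7fELF\x01\x01\x01" + b"\x00" * 16 + b"libz.so.1\x00"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.1.4' into (1, 1, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_embedded_zlib(data: bytes) -> List[Tuple[str, str]]:
    """Return (component, version) pairs for every zlib banner in data."""
    found: List[Tuple[str, str]] = []
    for match in ZLIB_BANNER.finditer(data):
        entry = (match.group(1).decode(), match.group(2).decode())
        if entry not in found:
            found.append(entry)
    return found


def audit(data: bytes, minimum: str = "1.1.4") -> List[Tuple[str, str]]:
    """Return the embedded zlib copies older than `minimum` (assumed threshold)."""
    floor = parse_version(minimum)
    return [
        (component, version)
        for component, version in find_embedded_zlib(data)
        if parse_version(version) < floor
    ]


def scan_tree(root: str, minimum: str = "1.1.4") -> Iterator[Tuple[str, str, str]]:
    """Walk a directory and yield (path, component, version) for outdated copies.

    Symlinks are skipped so each file is reported once; unreadable files are
    ignored rather than aborting the scan.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as handle:
                    data = handle.read()
            except OSError:
                continue
            for component, version in audit(data, minimum):
                yield path, component, version


if __name__ == "__main__":
    # Demonstrate on the constructed samples, then on the real filesystem.
    for label, blob in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("dyn", SAMPLE_DYNAMIC)):
        print(label, find_embedded_zlib(blob), "outdated:", audit(blob))
    for path, component, version in scan_tree("/usr/bin"):
        print(f"{path}: static {component} {version}")
```

Run it as `python find_zlib.py` to list binaries under /usr/bin with an old embedded copy; modified or renamed copies of zlib (the XFree86, rpm and kernel cases the post mentions) may have altered the banner, so an empty result is not proof that none is present.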
  4. If you ever had any doubt... by SlashChick · Score: 5, Informative

    ...that Microsoft uses free software, I invite you to take a look at this.

    In Windows 2000, open a command prompt window. Type "nslookup". This will drop you into interactive mode for nslookup, which has been ported from UNIX (most likely BSD.)

    Now type "help". Check out this line at the bottom of the output:

    view FILE - sort an 'ls' output file and view it with pg

    Uh, yeah. Oops.