Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft, zlib, and Security Flaws

Posted by timothy on from the not-the-security-initiative-we-had-in-mind dept.

nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, Front Page, Install Shield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."

14 of 470 comments (clear)

  1. Re:Just waiting for the press release... by Mr+Windows · · Score: 4, Interesting
    ISTR that MS are nominally in favour of open source, as long as it's not that nasty cancerous GPL open source. Now we see why: if they can use others' work without having to reciprocate, it makes life better for them (in the short term, that it).

    Of course, if zlib had been GPL, they couldn't (legally...) have used it without releasing their source, and in this case, they might have avoided the security risks: either non-use of zlib (not affected by this vulnerability) or use of zlib + release of code (easy and quick for anyone to release a patch, instead of having to wait for the "official" version with all it's "added extras").

  2. Re:Seriously? Microsoft use open source code? by Jinky · · Score: 2, Interesting

    You'd be right :), starting with Win2k, and in WinXP, they're using basically Unix TCP/IP sockets. Must admit that it does work much better than Win9x for network connectivity.

  3. Debian? by DRO0 · · Score: 2, Interesting

    Naive question probably, but if zlib isn't GPL then does Debian use a different library and if so, is it affected by this issue?

  4. Re:Seriously? Microsoft use open source code? by Anonymous Coward · · Score: 1, Interesting

    I've seen this so often that it's worth a comment.

    The TCP/IP code in Windows NT is streams based - it was written originally by Spider Software in Edinburgh. It's a clean room implementation that does not have any BSD code in it (I know the original architect of it). And it isn't derived from the original Unix streams code - even the underlying streams layer was written from scratch. The same code is in use by many OEM's in embedded devices etc.

  5. Re:hrm... by IO+ERROR · · Score: 5, Interesting
    If this is true, why is it only news for MS? It appears that Linux and Unix is also vulnerable. So why only set up the article as MS related?


    Because we found out for Linux/Unix several days ago and got our systems fixed within 24 hours. Microsoft is still trying to figure out what the hell is going on.


    *bash MS* bash bash bash....it's popular right?


    It's popular, easy, and well-deserved in this case. So much for M$ paying attention to security. Someone in M$ should have known they used zlib code, exactly where it was, and gotten patches out in a reasonable timeframe. They didn't. Bash bash bash.

    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?
  6. This might be considered a troll? by Anonymous Coward · · Score: 1, Interesting

    But perhaps that is why microsoft is so afraid to let the states in the antitrust case look at their code. If some one were to discovered they actually a lot of open source code, that would be a huge embarrasement.

  7. GPL is not about giving things away by pyrrho · · Score: 2, Interesting

    Microsoft is an old hand at using public domain stuff! They don't dislike it... like all companies they grew used to swallowing it up! It's even cheaper than buying QDOS was.

    No, the GPL is not about giving software away, that was already happening. It was about KEEPING software GIVEN AWAY.

    --

    -pyrrho

  8. Re:Seriously? Microsoft use open source code? by Anonymous Coward · · Score: 1, Interesting

    Why?

    Unless it's GPL infected it's not illegal to incorporate it.

    Plus, once the copyright-abolish fanatics have had their way, all the GPL licensed code (which is all protected by legal structures based on copyright law) will fall into Public Domain anyway.

  9. BSD code in NT4 utils at least by Cally · · Score: 3, Interesting

    Evidence uncovered last summer points to the Windows operating system borrowing some networking utilities and possibly parts of the TCP/IP stack, the core software that allows networking and Internet connectivity, from the open-source Unix variant FreeBSD.

    Theo de Raadt, a founder and project leader for another open-source Unix variant, OpenBSD, stressed that no conclusive proof exists, however. "I have asked repeatedly and never gotten proof," he said.


    Well it's easy to show that they use /some/ BSD
    code, at least. This is Cygwin / bash on NT4:


    andrew@INEGO(22:18:47)
    [path...] /WINNT/system32 $ grep -i regent *.EXE
    Binary file FINGER.EXE matches
    Binary file FTP.EXE matches
    Binary file RCP.EXE matches
    Binary file RSH.EXE matches
    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  10. Re:Win2k news thought... by Chris+Burke · · Score: 3, Interesting

    I think it would be better to take the -union- of the vulnerabilities across all Linux distributions. This would prevent duplicates being counted (if you did the operation correctly), but would give an idea for flaws that may exist in distros.

    Though really, that doesn't give you a good view, because if certain flaws only exist in certain distros, then you would be free from those flaws in another distro.

    And if you just took the max, that might show you that a certain distro is really bad for security, but not much about linux in general. If the max was much larger than the mean, then that would just mean you shouldn't get that distro.

    Probably the best is to just compare each version of windows and each distro separately, and you can then make a decision that way.

    --

    The enemies of Democracy are
  11. Re:hrm... by brettb · · Score: 2, Interesting

    Of course some ./er's will take the opportunity to bash Microsoft but the article itself isn't.
    The zlib library vulernabilty and how *nix based systems are affected has
    already been discussed on slashdot.

    This Cnet article references the previous Cnet article on the subject which speculated that since zlib is a programming library that could be used across platforms that other OS's application programs may be affected as well.

    I don't see this article as Microsoft bashing. It just adds a new slant to the previous article and confirms that *nix systems aren't the only ones affected.

    This is important information for those Microsoft admins out there who may not care about last weeks headline "Flaw Leaves Linux Computers Vulnerable". Maybe now they'll be keeping their eyes open for patches of their affected software

    .

  12. Then explain the "pg" part... by SlashChick · · Score: 4, Interesting

    ...since DOS doesn't have a command called "pg".

    --
    Simpli - Your source for San Jose dedicated servers and colocation!
  13. Re:hrm... by Black+Parrot · · Score: 3, Interesting


    > Because the other Open Source OSes have already been patched, primarily because of the fact that they are open source.

    Indeed; in this case we get a wonderful A/B comparison of the way OSOSes and CSOSes handle vulnerabilities. The comparison is rarely so exact, and thus rarely so revealing.

    --
    Sheesh, evil *and* a jerk. -- Jade
  14. Re:If we can't see MS's source by thogard · · Score: 2, Interesting

    I suspect MS used quite a bit of GCC since version 5 of their C compiler had many of the some of the same optimization bugs as GCC. Anyone got access to the source for the old versions of MS C?