Slashdot Mirror


Microsoft, zlib, and Security Flaws

nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, Front Page, Install Shield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."

30 of 470 comments

  1. Just waiting for the press release... by Nonesuch · · Score: 4, Funny

    Any bets on how long before Microsoft issues a press release noting that this is yet another risk of using evil open source and open standards?

    1. Re:Just waiting for the press release... by Mr+Windows · · Score: 4, Interesting
      ISTR that MS are nominally in favour of open source, as long as it's not that nasty cancerous GPL open source. Now we see why: if they can use others' work without having to reciprocate, it makes life better for them (in the short term, that is).

      Of course, if zlib had been GPL, they couldn't (legally...) have used it without releasing their source, and in this case, they might have avoided the security risks: either non-use of zlib (not affected by this vulnerability) or use of zlib + release of code (easy and quick for anyone to release a patch, instead of having to wait for the "official" version with all its "added extras").

    2. Re:Just waiting for the press release... by jmu1 · · Score: 3, Insightful
      I'll bite, but only for a nibble.

      The way I see it, Microsoft can't complain b/c zlib will have a fix LONG before they have even thought about patching. They won't have to do near as much work to find the fix... they'll just rebuild.

    3. Re:Just waiting for the press release... by jedidiah · · Score: 3, Insightful

      This bug doesn't alter anything really. This situation is more a success of the Bazaar development model rather than one of its failures. Due to wide availability of source code, a VAR discovered an esoteric bug while providing tech support for another program.

      Microsoft can hurl propaganda any day it likes.

      I don't think this situation really gives them a "leg up" in that sort of endeavor.

      --
      A Pirate and a Puritan look the same on a balance sheet.
  4. Re:Just waiting for the press release... by grub · · Score: 3, Insightful

      > Actually I'm waiting for all the open source hypocrites to issue a press release noting that this is yet another risk of using Microsoft products

      The patches for many of the open source products are already out with more to come. Where are Microsoft's? There is a risk.

      --
      Trolling is a art,
  2. Re:If we can't see MS's source by Stonehand · · Score: 5, Informative

    Quite a few people can, at universities and other sites. They just need to sign NDAs, that's all. Also, given that they take several hundred interns per year, and they aren't all fanatical Gates fans, there's a fair bit of opportunity for internal leaks as well.

    --
    Only the dead have seen the end of war.
  3. InstallShield by sharkey · · Score: 5, Informative

    InstallShield is written and published by a company named InstallShield, and has been for many years. It is not a "Microsoft technology", but rather a technology that has support for creating software installation routines for Windows, amongst other OSes.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    1. Re:InstallShield by ChrisDolan · · Score: 5, Funny

      Similarly, IE is not written by Microsoft either. It's alien technology. It was discovered by a MS coder who stumbled on a crashed spacecraft while hiking in the woods in the mid-90s. Using him as a vessel, the program infected the Windows codebase and has grown since then, digging its tendrils deeper and deeper into the system.

      So when MS says they can't remove IE from Windows, it's true.

  4. notification issue by ethereal · · Score: 5, Insightful

    Here's what I want to know: the zlib maintainers know that their code is heavily used in open source products, and they can easily use ldd on a typical Linux or *BSD install to find out exactly which programs use zlib. So they know who to contact about vulnerabilities. However, if Microsoft just takes open source code and incorporates it into their products, how will the zlib folks know to contact them prior to public disclosure? It surely can't be the responsibility of the zlib team to grep through every single closed-source binary out there in order to make sure that it didn't use zlib.

    It seems like if there isn't a mailing list for every single library's security issues, then closed source vendors will become second-class citizens when it comes to getting forewarning about a big security announcement like this. This seems like what has happened to Microsoft in this case; otherwise they would have had a raft of fixes available when the original story was released, right?

    The other alternative is the vendor early warning list idea that Microsoft has been pushing, but the problem with that is: the more people on the list (and you'd have to have hundreds of vendors in the case of a base library like zlib, I'd think), the more likely that one of them will leak the story to the black hats, so that the delay while vendors prepare patches becomes a liability for the unpatched public. That doesn't seem like a good scenario to me either.

    --
    Your right to not believe: Americans United for Separation of Church and

    1. Re:notification issue by garett_spencley · · Score: 5, Informative

      I don't see it as the zlib author's responsibility to notify everyone that uses their library.

      I do feel that they should (but are not obligated to) send out a few public notices that will be spread around so that people whose programs use the library can update it, and that's exactly what they did.

      Also the big problem with this security issue isn't programs that dynamically link to libz.so. Those are easy to fix because all you have to do is upgrade your zlib and they're automagically fixed.

      It's the programs that statically link the zlib library (meaning it gets copied right into the actual binary at compile time) that you have to worry about because an ldd won't show you that.

      Also many people use their own modified version of zlib (XFree86, rpm, rsync, the linux kernel etc.) and so those are very hard to catch as well.

      Florian Weimer wrote a perl script which will check for binaries on your system that are statically linked. You can read his post to Bugtraq here.

      --
      Garett
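      The static-linking problem garett_spencley describes above, as an added example that is not from the thread and is not Florian Weimer's Bugtraq script: a small C scanner that looks for the copyright banners zlib's own deflate.c and inflate.c compile into any binary that includes them (" deflate 1.x Copyright ... Jean-loup Gailly", " inflate 1.x Copyright ..."), which is what is left to look for when ldd shows no libz.so. The marker list, the sample blobs and the function names are my own constructions; a hit means "review this binary for a static zlib", not "it is vulnerable", and a miss proves nothing if the strings were stripped or the copy of zlib was modified.

```c
/* Added example (not from the Slashdot thread, not Florian Weimer's
 * script): scan a byte blob or a file for the copyright strings zlib's
 * deflate.c and inflate.c embed, as evidence of a statically linked zlib
 * that ldd cannot reveal. Markers and samples are constructed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prefixes of the banners zlib 1.x builds carry, e.g.
 * " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly ". */
static const char *const ZLIB_MARKERS[] = {
    "deflate 1.",
    "inflate 1.",
    "Jean-loup Gailly",
    NULL
};

/* Byte-wise substring search that tolerates embedded NULs, unlike strstr. */
static int blob_contains(const unsigned char *blob, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > len) return 0;
    for (size_t i = 0; i + nlen <= len; i++) {
        if (memcmp(blob + i, needle, nlen) == 0) return 1;
    }
    return 0;
}

/* Returns how many distinct zlib markers appear in the blob. Zero means
 * "no evidence of a static zlib", not "safe". */
int count_zlib_markers(const unsigned char *blob, size_t len)
{
    int hits = 0;
    for (int i = 0; ZLIB_MARKERS[i] != NULL; i++) {
        if (blob_contains(blob, len, ZLIB_MARKERS[i])) hits++;
    }
    return hits;
}

/* Reads a whole file into memory and scans it; returns -1 on I/O error. */
int scan_file_for_zlib(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    unsigned char *buf = NULL;
    size_t cap = 0, len = 0, n;
    unsigned char chunk[4096];
    while ((n = fread(chunk, 1, sizeof chunk, f)) > 0) {
        if (len + n > cap) {
            cap = (cap == 0) ? 65536 : cap * 2;
            while (cap < len + n) cap *= 2;
            unsigned char *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return -1; }
            buf = nb;
        }
        memcpy(buf + len, chunk, n);
        len += n;
    }
    fclose(f);
    int hits = count_zlib_markers(buf, len);
    free(buf);
    return hits;
}

/* Constructed samples: fake "binaries" with NUL bytes around the text. */
static const unsigned char SAMPLE_WITH_ZLIB[] =
    "\x7f" "ELF\0\0\0\0 deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \0\0";
static const unsigned char SAMPLE_WITHOUT_ZLIB[] =
    "\x7f" "ELF\0\0\0\0hello world\0";

int main(int argc, char **argv)
{
    if (argc > 1) {
        for (int i = 1; i < argc; i++) {
            int hits = scan_file_for_zlib(argv[i]);
            if (hits < 0) printf("%s: read error\n", argv[i]);
            else if (hits > 0) printf("%s: %d zlib marker(s), check for a static zlib\n", argv[i], hits);
            else printf("%s: no zlib markers\n", argv[i]);
        }
        return 0;
    }
    printf("sample with zlib: %d markers\n",
           count_zlib_markers(SAMPLE_WITH_ZLIB, sizeof SAMPLE_WITH_ZLIB));
    printf("sample without zlib: %d markers\n",
           count_zlib_markers(SAMPLE_WITHOUT_ZLIB, sizeof SAMPLE_WITHOUT_ZLIB));
    return 0;
}
```

      Run it with executable paths as arguments (for instance the contents of /usr/bin) to get one line per file; with no arguments it scans the two built-in constructed samples. Pair any hit with the package's own records, since a vendor that patched its bundled copy will still carry the banner.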

    2. Re:notification issue by csbruce · · Score: 3, Informative

      > I do feel that they should (but are not obligated to) send out a few public notices that will be spread around so that people whose programs use the library can update it and that's exactly what they did.

      Unless I am missing my guess, I ran into this particular bug in zlib about a year ago and I e-mailed the people at the project address. They responded that they already knew about it and sent me the patch. So what exactly is it that happened recently? Did someone figure out a way to use the bug to crack a system and this set off all kinds of alarms? There should have been a zlib fix-up release a long time ago.

  5. Now what would have been interesting... by borgquite · · Score: 4, Funny

    is if when they released the patch for the security flaw they made the patch GPL... just imagine Microsoft having to recode all that stuff for themselves :)

    --
    ' Ore stabit fortis a fine placet ore stat '
    - found on a park bench
  6. Re:Win2k news thought... by ghostlibrary · · Score: 4, Informative

    Argh! Bad statistics alert!

    "vulnerabilities found in Windows and all Linux flavors combined are almost the same"

    So if I am running RedHat, Mandrake, SUSE, and Debian simultaneously, I have the same number of flaws as a single run of Win2k?

    They should either use the average (among linux dists) or the max (ditto), vs Win. Or sum across all current Win flavors (ME, Win2k, maybe NT) to compare against all linux flavors (summed).

    Argh!

    --
    A.
  7. Re:hrm... by IO+ERROR · · Score: 5, Interesting
    > If this is true, why is it only news for MS? It appears that Linux and Unix are also vulnerable. So why only set up the article as MS related?

    Because we found out for Linux/Unix several days ago and got our systems fixed within 24 hours. Microsoft is still trying to figure out what the hell is going on.

    > *bash MS* bash bash bash....it's popular right?

    It's popular, easy, and well-deserved in this case. So much for M$ paying attention to security. Someone in M$ should have known they used zlib code, exactly where it was, and gotten patches out in a reasonable timeframe. They didn't. Bash bash bash.

    --
    How am I supposed to fit a pithy, relevant quote into 120 characters?
  8. Re:Seriously? Microsoft use open source code? by leviramsey · · Score: 4, Informative
    > Either way, browsing other competitor products' code whether it's free, open GPL or whatever is gonna be risky for a business in legal terms.

    How is reading, even verbatim copying, of BSD-licensed code risky in legal terms? The license explicitly allows incorporation into any type of software (commercial, open, or free). Microsoft could put out their own version of one of the *BSDs, with the only difference from its base BSD being having the Windows GUI grafted on top of it and no source included.

    The relevant passage in the BSD license (from http://www.freebsd.org/copyright/license.html ):

    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

    Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

    Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

    All advertising materials mentioning features or use of this software must display the following acknowledgement:

    [ACKNOWLEDGEMENT DELETED FOR BREVITY --LR]

    There are licenses that are the BSD license, less the advertising clause (it is the advertising clause that prevents BSD from being a free license according to the FSF), such as the MIT license. These licenses are the freest of all the licenses (short of public domain).

  9. Re:oh goody by pyrrho · · Score: 3, Funny

    > have never spent time with Windows 2000.

    I'm sure this is a typo. You must have meant "did time".

    --
    -pyrrho

  10. If you ever had any doubt... by SlashChick · · Score: 5, Informative

    ...that Microsoft uses free software, I invite you to take a look at this.

    In Windows 2000, open a command prompt window. Type "nslookup". This will drop you into interactive mode for nslookup, which has been ported from UNIX (most likely BSD.)

    Now type "help". Check out this line at the bottom of the output:

    view FILE - sort an 'ls' output file and view it with pg

    Uh, yeah. Oops.

    1. Re:If you ever had any doubt... by Gabey · · Score: 3, Informative

      Actually, I think that's referring to the ls commands that you can give to nslookup:

      ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)

      -gps

    2. Re:If you ever had any doubt... by DeadMeat+(TM) · · Score: 4, Informative

      C:\WINNT\system32>strings NSLOOKUP.EXE|grep Copyright
      @(#) Copyright (c) 1985,1989 Regents of the University of California.
      That answer your question?
  11. BSD code in NT4 utils at least by Cally · · Score: 3, Interesting

    > Evidence uncovered last summer points to the Windows operating system borrowing some networking utilities and possibly parts of the TCP/IP stack, the core software that allows networking and Internet connectivity, from the open-source Unix variant FreeBSD.

    > Theo de Raadt, a founder and project leader for another open-source Unix variant, OpenBSD, stressed that no conclusive proof exists, however. "I have asked repeatedly and never gotten proof," he said.

    Well it's easy to show that they use /some/ BSD code, at least. This is Cygwin / bash on NT4:

    andrew@INEGO(22:18:47)
    [path...] /WINNT/system32 $ grep -i regent *.EXE
    Binary file FINGER.EXE matches
    Binary file FTP.EXE matches
    Binary file RCP.EXE matches
    Binary file RSH.EXE matches

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  12. Re:Win2k news thought... by Chris+Burke · · Score: 3, Interesting

    I think it would be better to take the -union- of the vulnerabilities across all Linux distributions. This would prevent duplicates being counted (if you did the operation correctly), but would give an idea for flaws that may exist in distros.

    Though really, that doesn't give you a good view, because if certain flaws only exist in certain distros, then you would be free from those flaws in another distro.

    And if you just took the max, that might show you that a certain distro is really bad for security, but not much about linux in general. If the max was much larger than the mean, then that would just mean you shouldn't get that distro.

    Probably the best is to just compare each version of windows and each distro separately, and you can then make a decision that way.

    --
    The enemies of Democracy are
  13. Re:Um? by garett_spencley · · Score: 4, Informative

    The problem is a buffer overflow which is a lot more serious than a crash.

    I apologize in advance if I'm being a little too trivial but I'm assuming that you are 100% non-technical just in case this post appeals to someone or some people who are.

    When a program needs to temporarily store an amount of data it uses what's called a buffer. This is just a segment of memory where it can store its data.

    A buffer overflow occurs when the buffer gets filled past its allocated region. So in other words let's say the programmer has set up a buffer that's 1024 bytes. An overflow is when the user fills that 1024 byte buffer with more than 1024 bytes.

    What happens? Well ideally the extra data wouldn't get stored in memory at all but unfortunately computers don't work that way. Instead whatever is stored in memory AFTER the 1024 bytes gets overwritten.

    So let's say the programmer had the following code in his buggy program.

    buffer[1024] // set up a buffer that's 1024 bytes
    read data, buffer // read data into buffer
    do something

    What the hacker has to do is input 1024 of garbage and then overwrite the memory with some other computer instruction. Like the instructions necessary to execute a shell.

    You see when the buffer is overflowed the "do something" instruction will get overwritten with whatever data the hacker puts into the buffer. If the program is running as root then when the "do something" instruction is overwritten with the instructions to execute a shell the hacker will have himself root access!

    But it's even more serious than that because let's say the program is a web server running as nobody. Before the hacker exploits the buffer overflow he has no access. But he knows about this overflow so he overflows it by sending apache a very long request containing the instructions to execute a shell. He has just gained "nobody" access to the system and from there he can figure out how to get root access.

    The solution is for the programmer to make sure that the user is only entering in 1024 bytes of data at the most. Unfortunately many programs weren't written to do this.

    I hope this explains to people why these bugs are more serious than "my system will crash".

    --
    Garett
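    The fix Garett's post ends with (accept at most the buffer's size of data) as an added C example, not code from the post: a bounded copy that rejects input that would not fit, a truncating variant for cases where dropping the tail is acceptable, and a sentinel placed right after the buffer so the demo can confirm that a rejected 2048-byte input touched nothing beyond it. The buffer size, the struct and the sample inputs are constructed for illustration; the NUL terminator costs one byte, so a 1024-byte buffer holds 1023 bytes of payload.

```c
/* Added example, not from the original post: bounded input handling for
 * a fixed-size buffer, the fix the post describes. All sizes, names and
 * inputs are constructed. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define BUFFER_SIZE 1024
#define SENTINEL 0xC0FFEEu

/* Copies `len` bytes into `buffer` and NUL-terminates. Returns 1 on
 * success, 0 if the input would not fit; on rejection nothing is written. */
int read_into_buffer(char *buffer, size_t buffer_size, const char *input, size_t len)
{
    if (buffer == NULL || input == NULL || buffer_size == 0) return 0;
    if (len >= buffer_size) return 0;   /* no room for payload + terminator */
    memcpy(buffer, input, len);
    buffer[len] = '\0';
    return 1;
}

/* Truncating variant (acceptable for e.g. a log line, not for a length
 * field a later parser trusts). Returns the number of payload bytes kept. */
size_t copy_truncated(char *buffer, size_t buffer_size, const char *input, size_t len)
{
    if (buffer == NULL || input == NULL || buffer_size == 0) return 0;
    size_t keep = (len < buffer_size - 1) ? len : buffer_size - 1;
    memcpy(buffer, input, keep);
    buffer[keep] = '\0';
    return keep;
}

/* A frame with a sentinel directly after the buffer, so a demo can show
 * that a rejected oversized input left the neighbouring memory alone. */
struct frame {
    char buffer[BUFFER_SIZE];
    unsigned int sentinel;
};

/* Returns 1 if a constructed 2048-byte input is rejected and the sentinel
 * survives, 0 otherwise. */
int demo_reject_oversized(void)
{
    struct frame f;
    char big[2048];
    memset(big, 'A', sizeof big);           /* constructed oversized input */
    f.sentinel = SENTINEL;
    int ok = read_into_buffer(f.buffer, sizeof f.buffer, big, sizeof big);
    return ok == 0 && f.sentinel == SENTINEL;
}

/* Returns 1 if a small constructed request line is stored intact. */
int demo_accept_small(void)
{
    struct frame f;
    const char *req = "GET / HTTP/1.0\r\n";   /* constructed request line */
    f.sentinel = SENTINEL;
    int ok = read_into_buffer(f.buffer, sizeof f.buffer, req, strlen(req));
    return ok == 1 && strcmp(f.buffer, req) == 0 && f.sentinel == SENTINEL;
}

/* Returns the bytes kept when ten characters are squeezed into 8 bytes,
 * or 0 if the stored prefix is not what it should be. */
size_t demo_truncate(void)
{
    char small[8];
    const char *input = "0123456789";         /* constructed input */
    size_t kept = copy_truncated(small, sizeof small, input, strlen(input));
    return (strcmp(small, "0123456") == 0) ? kept : 0;
}

int main(void)
{
    printf("oversized input rejected, sentinel intact: %s\n",
           demo_reject_oversized() ? "yes" : "no");
    printf("small input accepted: %s\n", demo_accept_small() ? "yes" : "no");
    printf("bytes kept after truncation: %zu\n", demo_truncate());
    return 0;
}
```

    The sentinel is only a demonstration aid, not a defence: the point is that the length check happens before any byte is written, so the decision to reject is made on the input's size rather than discovered afterwards from damaged memory.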

  14. change it by geekoid · · Score: 3, Insightful

    MS want to be able to change their EULA after you've bought the product. I'd love to see the zlib people GPL theirs, then sue MS when they don't comply.
    This would force MS either to pay up, or go to court and fight against the very thing they want.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  15. It's NOT a buffer overflow!!!!!! by Smallest · · Score: 3, Informative

    it's a double-free problem. the two are totally different.

    read all about it : http://www.gzip.org/zlib/advisory-2002-03-11.txt

    -c

    --
    I have discovered a truly remarkable proof which this margin is too small to contain.
  16. Then explain the "pg" part... by SlashChick · · Score: 4, Interesting

    ...since DOS doesn't have a command called "pg".

  17. Re:hrm... by Black+Parrot · · Score: 3, Interesting


    > Because the other Open Source OSes have already been patched, primarily because of the fact that they are open source.

    Indeed; in this case we get a wonderful A/B comparison of the way OSOSes and CSOSes handle vulnerabilities. The comparison is rarely so exact, and thus rarely so revealing.

    --
    Sheesh, evil *and* a jerk. -- Jade
  18. Microsoft's use of zlib is not the issue by ahde · · Score: 4, Insightful

    It's stupid to bring up the GPL or other open source licenses or argue about whether Microsoft is stealing code. I'm glad they use zlib. I'm glad they used portions of the BSD tcp/ip stack. I'm glad they decided to support (to the best of their ability) standards like C and HTML. I'm glad I don't have to depend on Microsoft anymore. But if they hadn't used open source programs I'd have never been exposed to other options except for the likes of Novell and Sun.

    The real issue is that there is now a direct comparison on a shared bug (for which no exploit exists yet, let's not forget -- it's still theoretical) in both the free and proprietary systems.

    You can see the cooperation and disclosure *and* resolution on the open source side. Did Microsoft even admit to the vulnerability which they surely (one hopes) knew existed in their own systems? No. That's not the issue either.

    The great benefit that comes to open source from this is that now you can observe the different security and development models in action from a purely objective point of view.

    Fortunately, for Microsoft and their customers at least, this is not so serious a flaw that it will likely be exploited before they can get fixes out -- if they really want to. Even more fortunately for Microsoft, there are already enough vulnerabilities with easy and existing exploits, that the zlib vulnerabilities will probably be a non-issue. Hackers will tend to follow the path of least resistance.

    1. Re:Microsoft's use of zlib is not the issue by WNight · · Score: 3

      The issue, imho, isn't that MS uses open-source. That's what it's for after all. The issue is that MS uses open-source for its own advantage, while seeking to hurt the open-source movement whenever they do something that's not to MS's liking.

      Basically, while we shouldn't believe what they say, we should force them to act as if they do.

      Their PR flack recently said that OS software costs society by not hiring programmers or contributing to tax money. So they should immediately rip out all the open source software they use and hire programmers to recreate it.

      If they don't, can they really expect to have any credibility left?

  19. HABBA FUNGULE by lkaos · · Score: 4, Insightful

    It is NOT a buffer overflow. Everyone is happy that you're karma whoring because you know what a 'buffer overflow' is but you're also helping spread this FUD.

    The problem in zlib is a double free. It is only, and I repeat, only theoretically possible to exploit this in the same way that it is theoretically possible to exploit any undefined behavior.

    Please don't counter with a traceroute exploit being an example of a double free because it wasn't. That was an example of freeing garbage random data. There is quite a difference.

    At any rate, please think before you post. I cannot believe everyone is making such a fuss over this. It's funny because XP's whole TCP/IP had a remote root hole in it and less noise was made here than is being made now over something that is only theoretically possible to exploit and also not yet proven to be reproducible.

    Right now, this 'security issue' is entirely theoretical.

    --
    int func(int a);
    func((b += 3, b));
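    Since the two posts above insist the zlib bug is a double free rather than a buffer overflow, here is an added C example (my own, not zlib's code and not from the thread) of the general shape of that bug class and the standard defensive idiom against it: an object with a single owner of its heap buffer, a release function that frees and then clears the pointer, and two cleanup paths that both call it. The struct and function names are constructed; with the idiom in place the second call is a no-op instead of a second free of the same block.

```c
/* Added example, not from the thread or from zlib: the free-once idiom
 * that turns a would-be double free into a harmless repeated release.
 * Struct and function names are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct stream {
    unsigned char *window;   /* heap buffer owned by this stream */
    size_t window_size;
    int releases;            /* how many times release was called (demo aid) */
};

/* Allocates the window. Returns 0 on success, -1 on failure. */
int stream_init(struct stream *s, size_t window_size)
{
    if (s == NULL) return -1;
    s->window = calloc(window_size, 1);
    s->window_size = window_size;
    s->releases = 0;
    return s->window ? 0 : -1;
}

/* Safe release: free once, then clear the pointer and size. free(NULL)
 * is defined to do nothing, so calling this twice cannot double free. */
void stream_release(struct stream *s)
{
    if (s == NULL) return;
    free(s->window);
    s->window = NULL;
    s->window_size = 0;
    s->releases++;
}

/* The shape of the bug class: an error path and a normal path that both
 * clean up the same object. Returns 1 if both calls completed and the
 * object is left in a consistent released state, 0 otherwise. */
int demo_two_cleanup_paths(void)
{
    struct stream s;
    if (stream_init(&s, 32768) != 0) return 0;
    stream_release(&s);     /* cleanup on the error path */
    stream_release(&s);     /* cleanup on the normal path, now harmless */
    return s.window == NULL && s.window_size == 0 && s.releases == 2;
}

/* Release must also tolerate an object that was never initialised. */
int demo_release_null(void)
{
    stream_release(NULL);
    return 1;
}

int main(void)
{
    printf("two cleanup paths, no double free: %s\n",
           demo_two_cleanup_paths() ? "ok" : "FAILED");
    return 0;
}
```

    The idiom is cheap but only covers pointers reached through the owning struct; a copy of the raw pointer held elsewhere is still dangling after release, which is why ownership should be kept in one place.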
  20. Re:Geez by SquierStrat · · Score: 3, Insightful

    uh...I was referring to the fact that Microsoft is hypocritical in that they criticize open-source software constantly yet they use it.

    I'm fully aware that it's a problem that was first found on the unices!

    Which is actually something to be proud of. Microsoft and all of its money didn't (while borrowing the code) find the security problem.

    How does BSD prevent this problem where Linux can not? I'm genuinely curious as I am not a BSD user.

    --
    Derek Greene