Microsoft, zlib, and Security Flaws
nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, FrontPage, InstallShield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."
Quite a few people can, at universities and other sites. They just need to sign NDAs, that's all. Also, given that they take several hundred interns per year, and they aren't all fanatical Gates fans, there's a fair bit of opportunity for internal leaks as well.
Only the dead have seen the end of war.
InstallShield is written and published by a company named InstallShield, and has been for many years. It is not a "Microsoft technology", but rather a technology that has support for creating software installation routines for Windows, amongst other OSes.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Here's what I want to know: the zlib maintainers know that their code is heavily used in open source products, and they can easily use ldd on a typical Linux or *BSD install to find out exactly which programs use zlib. So they know who to contact about vulnerabilities. However, if Microsoft just takes open source code and incorporates it into their products, how will the zlib folks know to contact them prior to public disclosure? It surely can't be the responsibility of the zlib team to grep through every single closed-source binary out there in order to make sure that it didn't use zlib.
It seems like if there isn't a mailing list for every single library's security issues, then closed source vendors will become second-class citizens when it comes to getting forewarning about a big security announcement like this. This seems like what has happened to Microsoft in this case; otherwise they would have had a raft of fixes available when the original story was released, right?
The other alternative is the vendor early warning list idea that Microsoft has been pushing, but the problem with that is: the more people on the list (and you'd have to have hundreds of vendors in the case of a base library like zlib, I'd think), the more likely that one of them will leak the story to the black hats, so that the delay while vendors prepare patches becomes a liability for the unpatched public. That doesn't seem like a good scenario to me either.
Your right to not believe: Americans United for Separation of Church and
Because we found out for Linux/Unix several days ago and got our systems fixed within 24 hours. Microsoft is still trying to figure out what the hell is going on.
*bash MS* bash bash bash... it's popular, right?
It's popular, easy, and well-deserved in this case. So much for M$ paying attention to security. Someone in M$ should have known they used zlib code, exactly where it was, and gotten patches out in a reasonable timeframe. They didn't. Bash bash bash.
How am I supposed to fit a pithy, relevant quote into 120 characters?
...that Microsoft uses free software, I invite you to take a look at this.
In Windows 2000, open a command prompt window. Type "nslookup". This will drop you into interactive mode for nslookup, which has been ported from UNIX (most likely BSD).
Now type "help". Check out this line at the bottom of the output:
view FILE - sort an 'ls' output file and view it with pg
Uh, yeah. Oops.