Microsoft, zlib, and Security Flaws
nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, Front Page, Install Shield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."
notification issue (Score:5, Insightful)
Here's what I want to know: the zlib maintainers know that their code is heavily used in open source products, and they can easily use ldd on a typical Linux or *BSD install to find out exactly which programs use zlib. So they know who to contact about vulnerabilities. However, if Microsoft just takes open source code and incorporates it into their products, how will the zlib folks know to contact them prior to public disclosure? It surely can't be the responsibility of the zlib team to grep through every single closed-source binary out there in order to make sure that it didn't use zlib.
It seems like if there isn't a mailing list for every single library's security issues, then closed source vendors will become second-class citizens when it comes to getting forewarning about a big security announcement like this. This seems like what has happened to Microsoft in this case; otherwise they would have had a raft of fixes available when the original story was released, right?
The other alternative is the vendor early warning list idea that Microsoft has been pushing, but the problem with that is: the more people on the list (and you'd have to have hundreds of vendors in the case of a base library like zlib, I'd think), the more likely that one of them will leak the story to the black hats, so that the delay while vendors prepare patches becomes a liability for the unpatched public. That doesn't seem like a good scenario to me either.
Re:Seriously? Microsoft use open source code? (Score:2, Insightful)
Depends on how you look at it. If there were N completely independent TCP/IP implementations out there, wouldn't there be N times as many bugs (each one affecting 1/N as many systems, on average). Homogeneity means only one codebase to debug and fix. But of course when a bug is found, it affects everyone.
Re:Just waiting for the press release... (Score:3, Insightful)
The way I see it, Microsoft can't complain b/c zlib will have a fix LONG before they have even thought about patching. They won't have to do near as much work to find the fix... they'll just rebuild.
Which explains why MS is not attacked more (Score:1, Insightful)
They currently use the TCP stack from BSD, and they redesigned SMB services based on Samba (they had to clean-room it due to the GPL). This helps explain how MS is getting faster and fewer cracks.
Of course, this also explains why they oppose GPL.
change it (Score:3, Insightful)
This would force MS either to pay up, or go to court and fight against the very thing they want.
I didn't know this! (Score:3, Insightful)
One of the other interesting things about the GPL is the side effect it has of self promotion.
That is, I've gotten stuff from vendors using GPL software and you can tell, because their distributions contain a little src subdirectory with the GPL'd code in it.
With the other open software licenses, there's not such a legal provision enforcing source distribution, and, hence, no advertising that the particular piece of software was used in the product.
I bemoan the fact that much good public software and its authors have not received their due credit because companies (in this particular instance, MS) have been able to incorporate their good work and not only not given them any money, but also no widespread recognition of their contribution.
Double-free is safe with some mallocs (Score:5, Insightful)
Microsoft's use of zlib is not the issue (Score:4, Insightful)
The real issue is that there is now a direct comparison on a shared bug (for which no exploit exists yet, let's not forget -- it's still theoretical) in both the free and proprietary systems.
You can see the cooperation and disclosure *and* resolution on the open source side. Did Microsoft even admit to the vulnerability which they surely (one hopes) knew existed in their own systems? No. That's not the issue either.
The great benefit that comes to open source from this is that now you can observe the different security and development models in action from a purely objective point of view.
Fortunately, for Microsoft and their customers at least, this is not so serious a flaw that it will likely be exploited before they can get fixes out -- if they really want to. Even more fortunately for Microsoft, there are already enough vulnerabilities with easy and existing exploits, that the zlib vulnerabilities will probably be a non-issue. Hackers will tend to follow the path of least resistance.
Re:If we can't see MS's source (Score:2, Insightful)
"Craig Mundie, senior vice president of Microsoft, said last May. '(There) is a real problem in the licensing model that many open-source software products employ: the General Public License.'"
This really makes you wonder if Microsoft's stance against the GPL is really about getting more code from the open source community to use in their own projects. If there were a public backlash against the GPL, the community might feel pressure to change to other license models, and Microsoft could get more code for their projects written for free.
HABBA FUNGULE (Score:4, Insightful)
The problem in zlib is a double free. It is only, and I repeat, only theoretically possible to exploit this, in the same way that it is theoretically possible to exploit any undefined behavior.
Please don't counter with a traceroute exploit being an example of a double free, because it wasn't. That was an example of freeing random garbage data. There is quite a difference.
At any rate, please think before you post. I cannot believe everyone is making such a fuss over this. It's funny, because XP's whole TCP/IP stack had a remote root hole in it and less noise was made here than is being made now over something that is only theoretically possible to exploit and also not yet proven to be reproducible.
Right now, this 'security issue' is entirely theoretical.
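The two posts above ("Double-free is safe with some mallocs" and the one just before this) argue about what a double free actually does. The following is an added example, not code from the thread, from zlib, or from any allocator: a hypothetical decompressor state with one window buffer, a tiny tracking allocator that refuses to free a block twice (the behaviour "some mallocs" have, reimplemented here in a few lines), and the vulnerable versus hardened shape of the cleanup routine. The names `inflate_state`, `state_end_vulnerable`, `state_end_hardened` and `run_scenario` are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a decompressor's state object: one sliding-window buffer.
 * Illustrative struct only; this is not zlib's inflate state. */
typedef struct {
    unsigned char *window;
    size_t window_size;
} inflate_state;

/* Minimal tracking allocator (hypothetical). It remembers which blocks are
 * live and refuses to pass a block to free() a second time, counting the
 * attempt instead of corrupting the free list. */
#define MAX_LIVE 64
static void *live_blocks[MAX_LIVE];
static int double_free_attempts;

static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_blocks[i] == NULL) {
            live_blocks[i] = p;
            return p;
        }
    }
    free(p);            /* tracking table full: treat as allocation failure */
    return NULL;
}

/* Returns 0 on a valid free, -1 when the block is not live (a double free). */
static int tracked_free(void *p)
{
    if (p == NULL)
        return 0;       /* free(NULL) is a defined no-op */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_blocks[i] == p) {
            live_blocks[i] = NULL;
            free(p);
            return 0;
        }
    }
    double_free_attempts++;
    return -1;
}

int state_init(inflate_state *s, size_t window_size)
{
    s->window = tracked_alloc(window_size);
    s->window_size = s->window ? window_size : 0;
    return s->window ? 0 : -1;
}

/* Vulnerable shape: the buffer is released but the state keeps the stale
 * pointer, so a second end() call frees the same block again. */
int state_end_vulnerable(inflate_state *s)
{
    return tracked_free(s->window);
}

/* Hardened shape: release once and clear the pointer, so a second end() call
 * hits the free(NULL) no-op instead of the allocator's free list. */
int state_end_hardened(inflate_state *s)
{
    int rc = tracked_free(s->window);
    s->window = NULL;
    s->window_size = 0;
    return rc;
}

/* Runs init + two end() calls (the double-call bug) through the chosen end()
 * and returns how many double-free attempts the tracking allocator caught. */
int run_scenario(int hardened)
{
    inflate_state s;
    double_free_attempts = 0;
    memset(live_blocks, 0, sizeof live_blocks);
    if (state_init(&s, 32768) != 0)
        return -1;
    if (hardened) {
        state_end_hardened(&s);
        state_end_hardened(&s);
    } else {
        state_end_vulnerable(&s);
        state_end_vulnerable(&s);
    }
    return double_free_attempts;
}

int main(void)
{
    printf("vulnerable end(): %d double-free attempt(s)\n", run_scenario(0));
    printf("hardened end():   %d double-free attempt(s)\n", run_scenario(1));
    return 0;
}
```

With a plain libc malloc the vulnerable path would hand the same block to the free list twice, which is the undefined behaviour the posts argue over; whether that is merely a crash or something an attacker can steer depends entirely on the allocator's free-list layout, which is why the "safe with some mallocs" point and the "null the pointer after free" fix are both worth knowing.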
Re:Just waiting for the press release... (Score:3, Insightful)
Microsoft can hurl propaganda any day it likes.
I don't think this situation really gives them a "leg up" in that sort of endeavor.
Re:Double-free is safe with some mallocs (Score:3, Insightful)
Re:Geez (Score:3, Insightful)
I'm fully aware that it's a problem that was first found on the unices!
Which is actually something to be proud of. Microsoft and all of its money didn't (while borrowing the code) find the security problem.
How does BSD prevent this problem where Linux can not? I'm genuinely curious as I am not a BSD user.
Re:If we can't see MS's source (Score:2, Insightful)
Re:hrm... (Score:2, Insightful)
But, that wouldn't be taking advantage of the "healthy eco-system of free and proprietary code" that Bill likes to tout so much.
Funny, MS is a big black hole, sucking in all the advantages of any Open Source they can find for their products, and, AFAIK, never producing any Open Source for the community and yet they have the nerve to whine about the "pac-man nature" of the GPL.
Re:Just waiting for the press release... (Score:3, Insightful)
Actually, I'm waiting for all the open source hypocrites to issue a press release noting that this is yet another risk of using Microsoft products.
The patches for many of the open source products are already out with more to come. Where are Microsoft's? There is a risk.
Re:Microsoft's use of zlib is not the issue (Score:2, Insightful)
There is a free compression library, zlib, which is an asset to the public (and proprietary software business, because of it being BSD licensed and not GPL).
The fact that people spent their own time on zlib is a liability. Their time is gone. They have nothing other than free source code, which gains them nothing more than the ability to use that source code. They were not rewarded financially, nor was anyone else able to be rewarded financially for that particular program (not that it matters too much, since there are many other compression tools).
Society does not move forward without using other's tools, but society does not move at all without monetary incentive. There is a reason for money, and it is not for "evil" purposes despite how bad
Do you really want "starving programmer" to become an actual phrase, much like "starving artist" or "starving musician?" This is what will happen, if FSF has its way.
Re:zlib demonstrates the strength of Linux securit (Score:1, Insightful)
I am really tired of the 'few eyes/many eyes' meme and how it's turned into a dogma.
Sorry, Eric Raymond didn't reinvent Software Engineering when he wrote his diatribe. There are many other far more experienced people out there doing a better job, some not even based on crappy neo-pagan metaphors and matchbook-cover political economy.