Security

Microsoft, zlib, and Security Flaws

nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, Front Page, Install Shield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."
  • notification issue (Score:5, Insightful)

    by ethereal ( 13958 ) on Thursday March 14, 2002 @05:58PM (#3164744) Journal

    Here's what I want to know: the zlib maintainers know that their code is heavily used in open source products, and they can easily use ldd on a typical Linux or *BSD install to find out exactly which programs use zlib. So they know who to contact about vulnerabilities. However, if Microsoft just takes open source code and incorporates it into their products, how will the zlib folks know to contact them prior to public disclosure? It surely can't be the responsibility of the zlib team to grep through every single closed-source binary out there in order to make sure that it didn't use zlib.

    It seems like if there isn't a mailing list for every single library's security issues, then closed source vendors will become second-class citizens when it comes to getting forewarning about a big security announcement like this. This seems like what has happened to Microsoft in this case; otherwise they would have had a raft of fixes available when the original story was released, right?

    The other alternative is the vendor early warning list idea that Microsoft has been pushing, but the problem with that is: the more people on the list (and you'd have to have hundreds of vendors in the case of a base library like zlib, I'd think), the more likely that one of them will leak the story to the black hats, so that the delay while vendors prepare patches becomes a liability for the unpatched public. That doesn't seem like a good scenario to me either.

  • by axlrosen ( 88070 ) on Thursday March 14, 2002 @05:59PM (#3164755) Homepage
    Of course, having everything derive code from the same source is a risk

    Depends on how you look at it. If there were N completely independent TCP/IP implementations out there, wouldn't there be N times as many bugs (each one affecting 1/N as many systems, on average). Homogeneity means only one codebase to debug and fix. But of course when a bug is found, it affects everyone.
  • by jmu1 ( 183541 ) <jmullman@gaso[ ]du ['u.e' in gap]> on Thursday March 14, 2002 @06:02PM (#3164779) Journal
    I'll bite, but only for a nibble.

    The way I see it, Microsoft can't complain b/c zlib will have a fix LONG before they have even thought about patching. They won't have to do nearly as much work to find the fix... they'll just rebuild.

  • by Anonymous Coward on Thursday March 14, 2002 @06:16PM (#3164886)
    As long as MS makes heavier use of OSS, they will be less prone to attacks.
    They currently use the TCP Stack from BSD, they redesigned SMB services based on Samba (they had to cold room it due to GPL). This helps explain how MS is getting faster and fewer cracks.
    Of course, this also explains why they oppose GPL.
  • change it (Score:3, Insightful)

    by geekoid ( 135745 ) <dadinportland&yahoo,com> on Thursday March 14, 2002 @06:24PM (#3164964) Homepage Journal
    MS wants to be able to change their EULA after you've bought the product. I'd love to see the zlib people GPL theirs, then sue MS when they don't comply.
    This would force MS either to pay up, or go to court and fight against the very thing they want.

  • by 4of12 ( 97621 ) on Thursday March 14, 2002 @06:29PM (#3164988) Homepage Journal

    One of the other interesting things about the GPL is the side effect it has of self promotion.

    That is, I've gotten stuff from vendors using GPL software and you can tell, because their distributions contain a little src subdirectory with the GPL'd code in it.

    With the other open software licenses, there's not such a legal provision enforcing source distribution, and, hence, no advertising that the particular piece of software was used in the product.

    I bemoan the fact that much good public software and authors have not received their due credit because companies (in this particular instance, MS) have been able to incorporate their good work and not only not given them any money, but no widespread recognition of their contribution.

  • by sdowney ( 447548 ) on Thursday March 14, 2002 @06:30PM (#3165002)
    Linux's glibc has problems with double frees, that is, calling free(3) on the same ptr twice causes arena corruption. As I recall, this isn't an issue for Microsoft's C library, msvcrt, so this may not be an issue for MS. If anyone is surprised that they're using zlib, don't be. Zlib's license encourages commercial adoption. This is a good thing, because it encourages wider adoption of the compression technique, and makes sure that compatibility is maintained. TCP/IP became widespread for the same reason. The BSD implementation was freely available for other Unix vendors to incorporate in their products.
  • by ahde ( 95143 ) on Thursday March 14, 2002 @07:03PM (#3165219) Homepage
    It's stupid to bring up the GPL or other open source licenses or argue about whether Microsoft is stealing code. I'm glad they use zlib. I'm glad they used portions of the BSD tcp/ip stack. I'm glad they decided to support (to the best of their ability) standards like C and HTML. I'm glad I don't have to depend on Microsoft anymore. But if they hadn't used open source programs I'd have never been exposed to other options except for the likes of Novell and Sun.

    The real issue is that there is now a direct comparison on a shared bug (for which no exploit exists yet, let's not forget -- it's still theoretical) in both the free and proprietary systems.

    You can see the cooperation and disclosure *and* resolution on the open source side. Did Microsoft even admit to the vulnerability which they surely (one hopes) knew existed in their own systems? No. That's not the issue either.

    The great benefit that comes to open source from this is that now you can observe the different security and development models in action from a purely objective point of view.

    Fortunately, for Microsoft and their customers at least, this is not so serious a flaw that it will likely be exploited before they can get fixes out -- if they really want to. Even more fortunately for Microsoft, there are already enough vulnerabilities with easy and existing exploits, that the zlib vulnerabilities will probably be a non-issue. Hackers will tend to follow the path of least resistance.
  • by panaceaa ( 205396 ) on Thursday March 14, 2002 @07:14PM (#3165295) Homepage Journal
    "Microsoft, despite dismissing open-source code publicly, has used software from others to create their own products."

    "Craig Mundie, senior vice president of Microsoft, said last May. '(There) is a real problem in the licensing model that many open-source software products employ: the General Public License.'"

    This really makes you wonder if Microsoft's stance against the GPL is really about getting more code from the open source community to use in their own projects. If there was a public backlash against the GPL, the community may feel pressure to change to other license models, and Microsoft could get more of code for their projects written for free.
  • HABBA FUNGULE (Score:4, Insightful)

    by lkaos ( 187507 ) <anthony@NOspaM.codemonkey.ws> on Thursday March 14, 2002 @07:30PM (#3165395) Homepage Journal
    It is NOT a buffer overflow. Everyone is happy that you're karma whoring because you know what a 'buffer overflow' is, but you're also helping spread this FUD.

    The problem in zlib is a double free. It is only, and I repeat, only theoretically possible to exploit this in the same way that it is theoretically possible to exploit any undefined behavior.

    Please don't counter with a traceroute exploit being an example of a double free because it wasn't. That was an example of freeing garbage random data. There is quite a difference.

    At any rate, please think before you post. I cannot believe everyone is making such a fuss over this. It's funny because XP's whole TCP/IP had a remote root hole in it and less noise was made here than is being made now over something that is only theoretically possible to exploit and also not yet proven to be reproducible.

    Right now, this 'security issue' is entirely theoretical.
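The double free that lkaos and sdowney are arguing about, as an added example that is not part of this thread and not zlib's code: a constructed decoder teardown in its buggy and its defensive shape, run through a small tracking allocator (all names hypothetical) that reports a repeated free instead of letting it corrupt the allocator's arena.

```c
#include <stdlib.h>
/* Constructed example (not zlib's code): a tracking allocator that reports a
   repeated free instead of corrupting the heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];   /* blocks handed out and not yet freed */
static int double_frees;       /* repeated frees seen by the tracker */

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;               /* registry full: refuse rather than lose track */
}
/* Frees only pointers still registered; a second free of the same block is
   counted and skipped instead of being handed to the real allocator. */
static int tracked_free(void *p) {
    if (!p) return 0;          /* free(NULL) is always a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    double_frees++;
    return -1;
}
typedef struct { unsigned char *window, *tables; } decoder;

/* Buggy shape: the error path releases `tables` but leaves the pointer
   dangling, and the normal teardown releases the same block again. */
static void decode_buggy(decoder *d, int corrupt) {
    if (corrupt) tracked_free(d->tables);              /* first free */
}
static void end_buggy(decoder *d) {
    tracked_free(d->tables);                           /* second free */
    tracked_free(d->window);
}

/* Defensive shape: every release nulls the owner's pointer, so a repeated
   teardown turns into free(NULL) and is harmless. */
static void release(unsigned char **pp) { tracked_free(*pp); *pp = NULL; }
static void decode_safe(decoder *d, int corrupt) { if (corrupt) release(&d->tables); }
static void end_safe(decoder *d) { release(&d->tables); release(&d->window); }

/* Runs one corrupt stream through a variant and returns how many double frees
   the tracker observed: 1 for the buggy shape, 0 for the defensive one. */
int count_double_frees(int defensive) {
    decoder d = { tracked_malloc(64), tracked_malloc(32) };
    double_frees = 0;
    if (defensive) { decode_safe(&d, 1); end_safe(&d); }
    else           { decode_buggy(&d, 1); end_buggy(&d); }
    return double_frees;
}
```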
  • by jedidiah ( 1196 ) on Thursday March 14, 2002 @07:48PM (#3165512) Homepage
    This bug doesn't alter anything really. This situation is more a success of the Bazaar development model rather than one of its failure. Due to wide availability of source code, a VAR discovered an esoteric bug while providing tech support for another program.

    Microsoft can hurl propaganda any day it likes.

    I don't think this situation really gives them a "leg up" in that sort of endeavor.
  • by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Thursday March 14, 2002 @08:49PM (#3165842) Homepage
    A few years ago, when I was following Microsoft Windows programming issues more closely, there were several (!) vendors selling alternative malloc()/free() implementations because the Microsoft one only offered poor performance. So it's not clear at all whether Microsoft Windows programs are vulnerable or not.
  • Re:Geez (Score:3, Insightful)

    by SquierStrat ( 42516 ) on Thursday March 14, 2002 @09:10PM (#3165935) Homepage
    uh...I was referring to the fact that Microsoft is hypocritical in that they criticize open-source software constantly yet, they use it.

    I'm fully aware that it's a problem that was first found on the unices!

    Which is actually something to be proud of. Microsoft and all of its money didn't (while borrowing the code) find the security problem.

    How does BSD prevent this problem where Linux can not? I'm genuinely curious as I am not a BSD user.
  • by MarkLR ( 236125 ) on Thursday March 14, 2002 @09:12PM (#3165943)
    Won't giving the source code to a university be considered releasing it? It would be fairly easy for someone with access to the code at one of these universities to report if the code contains the zlib copyright.
  • Re:hrm... (Score:2, Insightful)

    by JordanH ( 75307 ) on Thursday March 14, 2002 @09:12PM (#3165944) Homepage Journal
    • Are they not capable of writing their own zlib?

    But, that wouldn't be taking advantage of the "healthy eco-system of free and proprietary code" that Bill likes to tout so much.

    Funny, MS is a big black hole, sucking in all the advantages of any Open Source they can find for their products, and, AFAIK, never producing any Open Source for the community and yet they have the nerve to whine about the "pac-man nature" of the GPL.

  • by grub ( 11606 ) <slashdot@grub.net> on Thursday March 14, 2002 @09:21PM (#3165964) Homepage Journal

    Actually I'm waiting for all the open source hypocrites to issue a press release noting that this is yet another risk of using microsoft products

    The patches for many of the open source products are already out with more to come. Where are Microsoft's? There is a risk.
  • by reflective recursion ( 462464 ) on Friday March 15, 2002 @01:31AM (#3166788)
    Their PR flack recently said that OS software costs society by not hiring programmers or contributing to tax money. So they should immediately rip out all the open source software they use and hire programmers to recreate it.
    Erm. Your logic is broken to me. Why don't we examine this:

    There is a free compression library, zlib, which is an asset to the public (and proprietary software business, because of it being BSD licensed and not GPL).

    The fact that people spent their own time on zlib is a liability. Their time is gone. They have nothing other than free source code which gains them nothing more than the ability to use that source code. They were not rewarded financially, nor was anyone else able to be rewarded financially for that particular program (not that it matters too much, since there are many other compression tools).

    Society does not move forward without using others' tools, but society does not move at all without monetary incentive. There is a reason for money, and it is not for "evil" purposes despite how bad /. readers believe it to be. Throwing out software because of how it was created is plain ignorance and wasteful. There are more useful things to be done than paying someone to rewrite a compression library.

    Do you really want "starving programmer" to become an actual phrase, much like "starving artist" or "starving musician?" This is what will happen, if FSF has its way.
  • by Anonymous Coward on Friday March 15, 2002 @01:34AM (#3166800)
    Sorry. There are eye and there are eyes. Clearly this demonstrates that just throwing it out into the world and hoping that eyes at random will find the bug isn't a foolproof strategy.

    I am really tired of the 'few eyes/many eyes' meme and how it's turned into a dogma.

    Sorry, Eric Raymond didn't reinvent Software Engineering when he wrote his diatribe. There are many other far more experienced people out there doing a better job, some not even based on crappy neo-pagan metaphors and matchbook-cover political economy.
