Security

Microsoft, zlib, and Security Flaws

nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, Front Page, Install Shield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."
  • by Mr Windows ( 91218 ) on Thursday March 14, 2002 @05:55PM (#3164720)
    ISTR that MS are nominally in favour of open source, as long as it's not that nasty cancerous GPL open source. Now we see why: if they can use others' work without having to reciprocate, it makes life better for them (in the short term, that is).

    Of course, if zlib had been GPL, they couldn't (legally...) have used it without releasing their source, and in this case, they might have avoided the security risks: either non-use of zlib (not affected by this vulnerability) or use of zlib + release of code (easy and quick for anyone to release a patch, instead of having to wait for the "official" version with all its "added extras").

  • by Jinky ( 565098 ) on Thursday March 14, 2002 @05:56PM (#3164725) Journal
    You'd be right :), starting with Win2k, and in WinXP, they're using basically Unix TCP/IP sockets. Must admit that it does work much better than Win9x for network connectivity.
  • Debian? (Score:2, Interesting)

    by DRO0 ( 252117 ) on Thursday March 14, 2002 @06:00PM (#3164757)
    Naive question probably, but if zlib isn't GPL then does Debian use a different library and if so, is it affected by this issue?
  • by Anonymous Coward on Thursday March 14, 2002 @06:06PM (#3164815)
    I've seen this so often that it's worth a comment.

    The TCP/IP code in Windows NT is streams based - it was written originally by Spider Software in Edinburgh. It's a clean room implementation that does not have any BSD code in it (I know the original architect of it). And it isn't derived from the original Unix streams code - even the underlying streams layer was written from scratch. The same code is in use by many OEM's in embedded devices etc.
  • Re:hrm... (Score:5, Interesting)

    by IO ERROR ( 128968 ) on Thursday March 14, 2002 @06:07PM (#3164821) Homepage Journal
    > If this is true, why is it only news for MS? It appears that Linux and Unix is also vulnerable. So why only set up the article as MS related?

    Because we found out for Linux/Unix several days ago and got our systems fixed within 24 hours. Microsoft is still trying to figure out what the hell is going on.

    > *bash MS* bash bash bash....it's popular right?

    It's popular, easy, and well-deserved in this case. So much for M$ paying attention to security. Someone in M$ should have known they used zlib code, exactly where it was, and gotten patches out in a reasonable timeframe. They didn't. Bash bash bash.

  • by Anonymous Coward on Thursday March 14, 2002 @06:08PM (#3164822)
    But perhaps that is why Microsoft is so afraid to let the states in the antitrust case look at their code. If someone were to discover they actually use a lot of open source code, that would be a huge embarrassment.
  • by pyrrho ( 167252 ) on Thursday March 14, 2002 @06:09PM (#3164834) Journal
    Microsoft is an old hand at using public domain stuff! They don't dislike it... like all companies they grew used to swallowing it up! It's even cheaper than buying QDOS was.

    No, the GPL is not about giving software away, that was already happening. It was about KEEPING software GIVEN AWAY.
  • by Anonymous Coward on Thursday March 14, 2002 @06:12PM (#3164855)
    Why?

    Unless it's GPL infected it's not illegal to incorporate it.

    Plus, once the copyright-abolish fanatics have had their way, all the GPL licensed code (which is all protected by legal structures based on copyright law) will fall into Public Domain anyway.
  • by Cally ( 10873 ) on Thursday March 14, 2002 @06:18PM (#3164909) Homepage
    > Evidence uncovered last summer points to the Windows operating system borrowing some networking utilities and possibly parts of the TCP/IP stack, the core software that allows networking and Internet connectivity, from the open-source Unix variant FreeBSD.

    > Theo de Raadt, a founder and project leader for another open-source Unix variant, OpenBSD, stressed that no conclusive proof exists, however. "I have asked repeatedly and never gotten proof," he said.

    Well it's easy to show that they use /some/ BSD code, at least. This is Cygwin / bash on NT4:

    andrew@INEGO(22:18:47)
    [path...] /WINNT/system32 $ grep -i regent *.EXE
    Binary file FINGER.EXE matches
    Binary file FTP.EXE matches
    Binary file RCP.EXE matches
    Binary file RSH.EXE matches

  • by Chris Burke ( 6130 ) on Thursday March 14, 2002 @06:22PM (#3164949) Homepage
    I think it would be better to take the -union- of the vulnerabilities across all Linux distributions. This would prevent duplicates being counted (if you did the operation correctly), but would give an idea for flaws that may exist in distros.

    Though really, that doesn't give you a good view, because if certain flaws only exist in certain distros, then you would be free from those flaws in another distro.

    And if you just took the max, that might show you that a certain distro is really bad for security, but not much about linux in general. If the max was much larger than the mean, then that would just mean you shouldn't get that distro.

    Probably the best is to just compare each version of windows and each distro separately, and you can then make a decision that way.

  • Re:hrm... (Score:2, Interesting)

    by brettb ( 64079 ) on Thursday March 14, 2002 @06:41PM (#3165073)
    Of course some /.er's will take the opportunity to bash Microsoft but the article itself isn't.
    The zlib library vulnerability and how *nix based systems are affected has already been discussed on slashdot [slashdot.org].

    This Cnet article references the previous Cnet article [com.com] on the subject which speculated that since zlib is a programming library that could be used across platforms that other OS's application programs may be affected as well.

    I don't see this article as Microsoft bashing. It just adds a new slant to the previous article and confirms that *nix systems aren't the only ones affected.

    This is important information for those Microsoft admins out there who may not care about last week's headline "Flaw Leaves Linux Computers Vulnerable". Maybe now they'll be keeping their eyes open for patches of their affected software.
  • ...since DOS doesn't have a command called "pg".
  • Re:hrm... (Score:3, Interesting)

    by Black Parrot ( 19622 ) on Thursday March 14, 2002 @06:49PM (#3165122)


    > Because the other Open Source OSes have already been patched, primarily because of the fact that they are open source.

    Indeed; in this case we get a wonderful A/B comparison of the way OSOSes and CSOSes handle vulnerabilities. The comparison is rarely so exact, and thus rarely so revealing.

  • by spitzak ( 4019 ) on Thursday March 14, 2002 @08:10PM (#3165635) Homepage
    The second free might not crash, but often some part of the code assumed the structure was still allocated after the first free and wrote to it (I'm not sure about the zlib bug). This could be very harmful if that memory had been reallocated for something else. Depending on the malloc implementation if the memory was reused for another allocation the second free() might work anyway and screw up that other allocation.

    Thus making the second free not crash may be worse than doing nothing.

    Guaranteeing that the free *does* crash may be a good idea. Supposedly then the bug will be noticed. But this may be defeated if the memory is reallocated. Also if the code goes into service without the bug being noticed, you have a definite DoS exploit, while otherwise you may have had an unexploitable security bug.

    Face it, there is no silver bullet.
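As an added example (not code from zlib or from anyone in this thread), a hypothetical tracked allocator in C that takes a third option beside the two the comment weighs: a second free() of a stale pointer is reported to the caller rather than either crashing or silently damaging a chunk that malloc has since handed out again. The names tracked_malloc, tracked_free and demo_double_free are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical tracked allocator (added example, not zlib code). It remembers
 * live and recently freed pointers, so a second free() of a stale pointer is
 * reported instead of corrupting whatever now occupies that address. */
#define TRACK_MAX 64
enum free_result { FREE_OK = 0, FREE_DOUBLE = 1, FREE_UNKNOWN = 2 };
static void *live[TRACK_MAX], *freed[TRACK_MAX];
static size_t nlive, nfreed;

/* Linear scan is fine for a demo; a real debug allocator would hash. */
static int find(void **arr, size_t n, void *p) {
    for (size_t i = 0; i < n; i++)
        if (arr[i] == p) return (int)i;
    return -1;
}
static void drop(void **arr, size_t *n, int i) { arr[i] = arr[--*n]; }

void *tracked_malloc(size_t size) {
    void *p = malloc(size);
    if (p == NULL || nlive >= TRACK_MAX) { free(p); return NULL; }
    int f = find(freed, nfreed, p);
    if (f >= 0) drop(freed, &nfreed, f); /* address recycled: live again, not stale */
    live[nlive++] = p;
    return p;
}

enum free_result tracked_free(void *p) {
    if (p == NULL) return FREE_OK;                /* free(NULL) is a defined no-op */
    int i = find(live, nlive, p);
    if (i >= 0) {
        drop(live, &nlive, i);
        if (nfreed < TRACK_MAX) freed[nfreed++] = p; /* remember it as stale */
        free(p);
        return FREE_OK;
    }
    /* Not live: a double free of a known stale pointer, or an unknown pointer. */
    return find(freed, nfreed, p) >= 0 ? FREE_DOUBLE : FREE_UNKNOWN;
}

/* The scenario from the comment: a buffer is freed, then the stale pointer is
 * freed again. Returns 1 if the second free was caught, 0 otherwise. */
int demo_double_free(void) {
    char *buf = tracked_malloc(32);
    if (buf == NULL) return -1;
    memset(buf, 'A', 32);
    if (tracked_free(buf) != FREE_OK) return -2;
    return tracked_free(buf) == FREE_DOUBLE ? 1 : 0;
}
```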

  • by thogard ( 43403 ) on Thursday March 14, 2002 @11:37PM (#3166494) Homepage
    I suspect MS used quite a bit of GCC since version 5 of their C compiler had many of the same optimization bugs as GCC. Anyone got access to the source for the old versions of MS C?
