Microsoft, zlib, and Security Flaws
nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, Front Page, Install Shield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."
Re:Just waiting for the press release... (Score:4, Interesting)
Of course, if zlib had been GPL, they couldn't (legally...) have used it without releasing their source, and in this case, they might have avoided the security risks: either non-use of zlib (not affected by this vulnerability) or use of zlib + release of code (easy and quick for anyone to release a patch, instead of having to wait for the "official" version with all its "added extras").
Re:Seriously? Microsoft use open source code? (Score:2, Interesting)
Debian? (Score:2, Interesting)
Re:Seriously? Microsoft use open source code? (Score:1, Interesting)
The TCP/IP code in Windows NT is streams based - it was written originally by Spider Software in Edinburgh. It's a clean room implementation that does not have any BSD code in it (I know the original architect of it). And it isn't derived from the original Unix streams code - even the underlying streams layer was written from scratch. The same code is in use by many OEMs in embedded devices etc.
Re:hrm... (Score:5, Interesting)
Because we found out for Linux/Unix several days ago and got our systems fixed within 24 hours. Microsoft is still trying to figure out what the hell is going on.
*bash MS* bash bash bash....it's popular right?
It's popular, easy, and well-deserved in this case. So much for M$ paying attention to security. Someone in M$ should have known they used zlib code, exactly where it was, and gotten patches out in a reasonable timeframe. They didn't. Bash bash bash.
This might be considered a troll? (Score:1, Interesting)
GPL is not about giving things away (Score:2, Interesting)
No, the GPL is not about giving software away, that was already happening. It was about KEEPING software GIVEN AWAY.
Re:Seriously? Microsoft use open source code? (Score:1, Interesting)
Unless it's GPL infected it's not illegal to incorporate it.
Plus, once the copyright-abolish fanatics have had their way, all the GPL licensed code (which is all protected by legal structures based on copyright law) will fall into Public Domain anyway.
BSD code in NT4 utils at least (Score:3, Interesting)
Well, it's easy to show that they use BSD code, at least. This is Cygwin / bash on NT4:
andrew@INEGO(22:18:47)
[path...]
Binary file FINGER.EXE matches
Binary file FTP.EXE matches
Binary file RCP.EXE matches
Binary file RSH.EXE matches
Re:Win2k news thought... (Score:3, Interesting)
Though really, that doesn't give you a good view, because if certain flaws only exist in certain distros, then you would be free from those flaws in another distro.
And if you just took the max, that might show you that a certain distro is really bad for security, but not much about linux in general. If the max was much larger than the mean, then that would just mean you shouldn't get that distro.
Probably the best is to just compare each version of windows and each distro separately, and you can then make a decision that way.
Re:hrm... (Score:2, Interesting)
The zlib library vulnerability and how *nix based systems are affected has [slashdot.org] already been discussed on slashdot.
This Cnet article references the previous Cnet article [com.com] on the subject which speculated that since zlib is a programming library that could be used across platforms, other OSes' application programs may be affected as well.
I don't see this article as Microsoft bashing. It just adds a new slant to the previous article and confirms that *nix systems aren't the only ones affected.
This is important information for those Microsoft admins out there who may not care about last week's headline "Flaw Leaves Linux Computers Vulnerable". Maybe now they'll be keeping their eyes open for patches of their affected software.
Then explain the "pg" part... (Score:4, Interesting)
Re:hrm... (Score:3, Interesting)
> Because the other Open Source OSes have already been patched, primarily because of the fact that they are open source.
Indeed; in this case we get a wonderful A/B comparison of the way OSOSes and CSOSes handle vulnerabilities. The comparison is rarely so exact, and thus rarely so revealing.
Re:Double-free is safe with some mallocs (Score:3, Interesting)
Thus making the second free not crash may be worse than doing nothing.
Guaranteeing that the free *does* crash may be a good idea. Supposedly then the bug will be noticed. But this may be defeated if the memory is reallocated. Also if the code goes into service without the bug being noticed, you have a definite DoS exploit, while otherwise you may have had an unexploitable security bug.
Face it, there is no silver bullet.
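The reallocation caveat in the post above, as an added example that is not from the thread, from zlib, or from any Microsoft product: a hypothetical fixed-slot arena with a "live" bitmap stands in for malloc so the outcome is deterministic, and shows both why a "is this block still live?" guard catches a plain double free and why handing the slot out again in between silently defeats it.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical toy allocator (added example): SLOTS fixed blocks and a
 * live[] bitmap, so reuse after free is deterministic (lowest free slot). */
#define SLOTS 4
#define SLOT_SIZE 32
static unsigned char arena[SLOTS][SLOT_SIZE];
static int live[SLOTS];

void *arena_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!live[i]) { live[i] = 1; memset(arena[i], 0, SLOT_SIZE); return arena[i]; }
    return NULL;                   /* arena exhausted */
}

/* Returns 0 on a valid free, -1 for a pointer that is not a live block
 * (a double free or a foreign pointer). Reporting rather than ignoring is
 * the "make it noticed" behaviour the post prefers. */
int arena_free(void *p) {
    for (int i = 0; i < SLOTS; i++)
        if ((void *)arena[i] == p) {
            if (!live[i]) return -1;   /* already freed: detected */
            live[i] = 0;
            return 0;
        }
    return -1;
}

/* Plain double free: the second call is detected and rejected. */
int demo_double_free(void) {
    memset(live, 0, sizeof live);
    void *p = arena_alloc();
    arena_free(p);
    return arena_free(p);          /* -1 */
}

/* Reallocation defeats the check: after the first free the same slot is
 * handed out to q, so the stale pointer p looks live again and the second
 * free is accepted, silently releasing q's block. Returns 1 when that happens. */
int demo_realloc_defeats_check(void) {
    memset(live, 0, sizeof live);
    void *p = arena_alloc();
    arena_free(p);
    void *q = arena_alloc();       /* reuses slot 0 */
    int stale_free_accepted = (arena_free(p) == 0);
    return (q == p) && stale_free_accepted && !live[0];
}
```

The same pattern holds for real allocators: a guard keyed on the block's address cannot distinguish a stale pointer from its new owner once the address has been recycled.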
Re:If we can't see MS's source (Score:2, Interesting)