Microsoft, zlib, and Security Flaws
nakhla writes: "News.com is reporting that Microsoft's use of code from the open-source zlib library has led to possible security problems. The flaws in zlib were reported recently, and apply to several key Microsoft technologies, such as DirectX, Front Page, Install Shield, Office, and Internet Explorer. The article also mentions how this is not Microsoft's first use of open-source code in its software, but does point out that since zlib is not GPL'd they are under no obligation to release the source code to any of their products."
Just waiting for the press release... (Score:4, Funny)
Re:Just waiting for the press release... (Score:4, Interesting)
Of course, if zlib had been GPL, they couldn't (legally...) have used it without releasing their source, and in this case, they might have avoided the security risks: either non-use of zlib (not affected by this vulnerability) or use of zlib + release of code (easy and quick for anyone to release a patch, instead of having to wait for the "official" version with all its "added extras").
None the less ... (Score:2)
Case in point. A GPLed piece of software has bug X, and strangely enough, a M$ product has the same bug.
It may be worth the time to test major bugs in GPLed software against M$ programs if such similarities do exist.
Just a thought.
Re:None the less ... (Score:2, Informative)
Re:Just waiting for the press release... (Score:3, Insightful)
The way I see it, Microsoft can't complain b/c zlib will have a fix LONG before they have even thought about patching. They won't have to do near as much work to find the fix... they'll just rebuild.
Re:Just waiting for the press release... (Score:3, Insightful)
Actually I'm waiting for all the open source hypocrites to issue a press release noting that this is yet another risk of using Microsoft products
The patches for many of the open source products are already out with more to come. Where are Microsoft's? There is a risk.
Re:Just waiting for the press release... (Score:3, Insightful)
Microsoft can hurl propaganda any day it likes.
I don't think this situation really gives them a "leg up" in that sort of endeavor.
Tally anybody? (Score:2, Offtopic)
Here is another bug [appsecinc.com] with the Microsoft SQL server. They've got overflows in their stored procedures. No fix, but you can delete the files if you can live without them....
GZIP Patch (Score:4, Informative)
For the record, I've used GZLIB in many embedded products and like it.
DHO!! Correct Details & SecurityFocus link (Score:5, Informative)
gzip 1.2.4 may crash when an input file name is too long (over 1020 characters). The buffer overflow may be exploited if gzip is run by a server such as an ftp server. Some ftp servers allow compression and decompression on the fly and are thus vulnerable. See technical details here [securityfocus.com]. This patch [slashdot.org] to gzip 1.2.4 fixes the problem. The beta version 1.3.3 [gnu.org] already includes a sufficient patch; use this version if you have to handle files larger than 2 GB. A new official version of gzip will be released soon.
Microsoft Don't make InstallShield... (Score:3, Informative)
This wouldn't have happened... (Score:2, Funny)
...if the government hadn't worked so hard to limit Microsoft's ability to innovate.
Re:Innovation in the computer industry. (Score:2)
That is ALL that Microsoft is about.
They only look similar if you aren't paying attention.
InstallShield (Score:5, Informative)
Re:InstallShield (Score:2)
Using Microsoft Installer is a requirement to get the official "designed for Microsoft Windows 2000" sticker on your product, and I assume it's the same for XP. Wise also has a front end to the Installer system, IIRC and FWIW.
Re:InstallShield (Score:5, Funny)
So when MS says they can't remove IE from Windows, it's true.
Re:InstallShield (Score:2)
Actually they can, it's just that The Beast won't let them...
notification issue (Score:5, Insightful)
Here's what I want to know: the zlib maintainers know that their code is heavily used in open source product, and they can easily use ldd on a typical Linux or *BSD install to find out exactly which programs use zlib. So they know who to contact about vulnerabilities. However, if Microsoft just takes open source code and incorporates it into their products, how will the zlib folks know to contact them prior to public disclosure? It surely can't be the responsibility of the zlib team to grep through every single closed-source binary out there in order to make sure that it didn't use zlib.
It seems like if there isn't a mailing list for every single library's security issues, then closed source vendors will become second-class citizens when it comes to getting forewarning about a big security announcement like this. This seems like what has happened to Microsoft in this case; otherwise they would have had a raft of fixes available when the original story was released, right?
The other alternative is the vendor early warning list idea that Microsoft has been pushing, but the problem with that is: the more people on the list (and you'd have to have hundreds of vendors in the case of a base library like zlib, I'd think), the more likely that one of them will leak the story to the black hats, so that the delay while vendors prepare patches becomes a liability for the unpatched public. That doesn't seem like a good scenario to me either.
Re:notification issue (Score:5, Informative)
I do feel that they should (but are not obligated to) send out a few public notices that will be spread around so that people whose programs use the library can update it and that's exactly what they did.
Also the big problem with this security issue isn't programs that dynamically link to libz.so. Those are easy to fix because all you have to do is upgrade your zlib and they're automagically fixed.
It's the programs that statically link the zlib library (meaning it gets copied right into the actual binary at compile time) that you have to worry about because an ldd won't show you that.
Also many people use their own modified version of zlib (XFree86, rpm, rsync, the linux kernel etc.) and so those are very hard to catch as well.
Florian Weimer wrote a perl script which will check for binaries on your system that are statically linked. You can read his post to Bugtraq here [securityfocus.com].
--
Garett
Re:notification issue (Score:3, Informative)
Unless I am missing my guess, I ran into this particular bug in zlib about a year ago and I e-mailed the people at the project address. They responded that they already knew about it and sent me the patch. So what exactly is it that happened recently? Did someone figure out a way to use the bug to crack a system and this set off all kinds of alarms? There should have been a zlib fix-up release a long time ago.
Debian? (Score:2, Interesting)
Now what would have been interesting... (Score:4, Funny)
hrm... (Score:2, Informative)
Disclaimer: I am not a security weenie, so I don't know this for fact......*deep breath*....
If this is true, why is it only news for MS? It appears that Linux and Unix are also vulnerable. So why only set up the article as MS related?
*bash MS* bash bash bash....it's popular right?
Re:hrm... (Score:5, Interesting)
Because we found out for Linux/Unix several days ago and got our systems fixed within 24 hours. Microsoft is still trying to figure out what the hell is going on.
*bash MS* bash bash bash....it's popular right?
It's popular, easy, and well-deserved in this case. So much for M$ paying attention to security. Someone in M$ should have known they used zlib code, exactly where it was, and gotten patches out in a reasonable timeframe. They didn't. Bash bash bash.
Re:hrm... (Score:2)
I mean... DUH... IIS and IE support the Content-Encoding extensions from HTTP 1.1 that use gzip for compression and the easiest way for them to have implemented that was functions from zlib.
Now what I want to know is how you have come to the conclusion that Microsoft uses the code in the specific way necessary to exploit it. Or if they even use that particular function, or if they haven't already fixed it long ago in their source tree.
Speculation and wild claims don't add any value, and that's what this article does and what your post does. Yes, it is popular to bash MS.
Now let's get to the real question. How come this bug got into zlib in the first place?
Put yourself in MS's position (Score:2)
Whacking MS Memes (Score:2)
Microsoft's fast responses to security issues is a recent event. They do not have a history of fast response. But they do have a history of putting out fixes that cause problems. It is common practice to delay rolling out hotfixes and service packs to allow for discovery of these bugs and subsequent fixes.
Yep. That's why CodeRed and Nimda weren't able to do much damage. Oh. Wait.
Nice statistic. Got a valid reference for it? Or is that just a bogus number to make your rant sound nice?
People often confuse Microsoft's marketing savvy with their technical ability. They are a technical company who excels at marketing. You're crowing about their marketing. This is a technical issue (information security is not a marketing issue - despite how many companies, MS included, tend to handle it).
Re:hrm... (Score:2)
Re:hrm... (Score:2, Interesting)
The zlib library vulnerability and how *nix based systems are affected has [slashdot.org] already been discussed on slashdot.
This Cnet article references the previous Cnet article [com.com] on the subject which speculated that since zlib is a programming library that could be used across platforms that other OS's application programs may be affected as well.
I don't see this article as Microsoft bashing. It just adds a new slant to the previous article and confirms that *nix systems aren't the only ones affected.
This is important information for those Microsoft admins out there who may not care about last week's headline "Flaw Leaves Linux Computers Vulnerable". Maybe now they'll be keeping their eyes open for patches of their affected software.
Re:hrm... (Score:2)
Consider this: it appears that M$ will have to release a fixpak/security pak for a bunch of apps while for me with linux (and people using BSD, etc) all we need to do is install the new zlib - which was available virtually at the same time the POTENTIAL vulnerability was discovered/released. Then, all *nix people need do is restart whatever net-connected app/server they were running that uses zlib and it is fixed. No replacing apps with fixed apps, just replace the lib without ever rebooting.
You will eventually receive a big security fix from M$ that replaces whole applications AND have to reboot to make it work.
So, two comparisons can be made between the free-os users and the M$ slaves: 1) fixes are produced and available immediately for free-os people but it will be a while before M$ figures out what to do, and 2) simply installing the new lib and, perhaps, restarting a couple applications is all it takes for a fix for the free-oses but M$ users will have to replace whole applications and reboot.
M$ kinda trashes itself in comparison.
Re:hrm... (Score:3, Interesting)
> Because the other Open Source OSes have already been patched, primarily because of the fact that they are open source.
Indeed; in this case we get a wonderful A/B comparison of the way OSOSes and CSOSes handle vulnerabilities. The comparison is rarely so exact, and thus rarely so revealing.
Re:hrm... (Score:2)
And what does the comparison tell us?
1. A Open Source Operating System contained a bug which could be a security flaw. Patches were released within a few days.
2. A Closed Source Operating System contained the same bug, but due to design differences, the bug was not a security flaw. Since the bug wasn't an urgent problem, it got added to the bug-fixes-for-the-next-service-pack queue.
I think if you want any sort of exact comparison, you'd have to look at cases where the same bug caused the same level of harm.
Re:hrm... (Score:2)
Re:hrm... (Score:2)
Here is a list of apps vulnerable (Score:2, Informative)
At least nine of Microsoft's major applications--including Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page--appear to incorporate borrowed code from the compression library and could be vulnerable to a similar attack.
"Borrowed"? What's the license for zlib?
Re:Here is a list of apps vulnerable (Score:2)
Copyright notice:
(C) 1995-1998 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
jloup@gzip.org madler@alumni.caltech.edu
If you use the zlib library in a product, we would appreciate *not* receiving lengthy legal documents to sign. The sources are provided for free but without warranty of any kind. The library has been entirely written by Jean-loup Gailly and Mark Adler; it does not include third-party code.
If you redistribute modified sources, we would appreciate that you include in the file ChangeLog history information documenting your changes.
Borrowed Code? (Score:2, Funny)
the colors were just screaming security flaw already weren't they?
Yet, the incident seemingly proves that Microsoft, despite dismissing open-source code publicly, has used software from others to create their own products.
And now they are forced to admit what we already knew, they haven't written anything original since...well...ever!
The zlib compression library doesn't use the GPL, however.
and the war between MS and GPL continues, maybe the linux community could use Anime-based uniforms to storm microsoft and take the code back.
GPL is not about giving things away (Score:2, Interesting)
No, the GPL is not about giving software away, that was already happening. It was about KEEPING software GIVEN AWAY.
If you ever had any doubt... (Score:5, Informative)
In Windows 2000, open a command prompt window. Type "nslookup". This will drop you into interactive mode for nslookup, which has been ported from UNIX (most likely BSD.)
Now type "help". Check out this line at the bottom of the output:
view FILE - sort an 'ls' output file and view it with pg
Uh, yeah. Oops.
Re:If you ever had any doubt... (Score:3, Informative)
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
-gps
Then explain the "pg" part... (Score:4, Interesting)
Re:Then explain the "pg" part... (Score:2)
Re:If you ever had any doubt... (Score:2)
I'm surprised that anybody has to be "convinced" MS uses Open Source code. I've always thought it was common knowledge. Also, you could have just looked in Help About for IE and seen that it uses the Independent JPEG Group code. Based on this prior behavior, I always assumed they used the free PNG implementation. Since PNG uses zlib, MS uses zlib.
Now, if MS were smart they'd have a standard place for libjpeg.dll, libpng.dll, and zlib.dll but as far as I know there is no such thing. Either the functions are in some other DLLs, or the names are obfuscated. This bug, combined with MS's "security initiative" represents a golden opportunity: MS could take the occasion to give us "standard" DLLs so that developers would no longer have to package them, and could instead say something like "make sure you have this service pack and if you don't, here it is".
Re:If you ever had any doubt... (Score:4, Informative)
BSD code in NT4 utils at least (Score:3, Interesting)
Well it's easy to show that they use
code, at least. This is Cygwin / bash on NT4:
andrew@INEGO(22:18:47)
[path...]
Binary file FINGER.EXE matches
Binary file FTP.EXE matches
Binary file RCP.EXE matches
Binary file RSH.EXE matches
Re:BSD code in NT4 utils at least (Score:2)
Binary file FINGER.EXE matches
Binary file FTP.EXE matches
Binary file RCP.EXE matches
Binary file RSH.EXE matches
That proves nothing. What if there are simple easter eggs in these binaries where that noted Microsoft developer and rock star, Ted Regent, snuck his name into the code?
Re:BSD code in NT4 utils at least (Score:2, Informative)
My machine has a bunch of stuff on it so a virgin
Win2K system MIGHT have different results but I
handchecked that the file's date matched the
install date on the machine. So CAVEAT EMPTOR...
a slightly fancier grep and some patience
find . -type f | while IFS= read -r f
do
    # print any non-Microsoft copyright strings, then the file they came from
    strings "$f" | grep -i "Copyright " | grep -v Microsoft
    test $? -eq 0 && echo "$f"
done
showed up Thomas Lane's open source JPEG work in multiple places, Mark H. Colburn's work in system32/pax.exe, Mark Adler's PNG work in at least system32/pngfilt.dll and a few more interesting cases.
system32/offfilt.dll has Mark Adler's inflate in it.
c:\Program Files\Common Files\Microsoft Shared\VGX appears to have zlib based upon this:
$ strings Program\ Files/Common\ Files/Microsoft\ Shared/VGX/vgx.dll | grep -i Copy
4,f deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
f,f inflate 1.1.3 Copyright 1995-1998 Mark Adler
And Adobe Acrobat PDFWriter also uses zlib per system32/spool/drivers/w32x86/2/pdfdd.dll.
This is far from exhaustive or 100% scientific but a good starting point.
--joel
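Added example (not part of the thread, and not Florian Weimer's script): a Python scanner for the approach in Garett's comment earlier in the thread, that ldd does not show statically linked copies of zlib, and in joel's strings/grep search above. It looks for the deflate/inflate banner strings quoted from vgx.dll; the function names, the constructed SAMPLE bytes and the caller-supplied fixed_version threshold are assumptions of this example.

```python
#!/usr/bin/env python3
"""Find zlib copies compiled into binaries by their embedded version banners.

ldd only lists dynamic links. A statically linked or vendored zlib still
carries its banner strings, so a byte scan of the file finds it.
"""
import os
import re
import sys

# Banner format as it appears in the strings output quoted in the thread, e.g.
# "deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly". A suffix after the
# dotted number is tolerated but not reported.
BANNER = re.compile(rb"(deflate|inflate) (\d+(?:\.\d+)+)[\w.-]* Copyright ")

# Constructed sample: a fake binary blob holding the two banners from the thread.
SAMPLE = (b"\x00MZ\x90\x00junk\x00 deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
          b"\xff\xfe inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00more")


def parse_version(text):
    """'1.1.3' -> (1, 1, 3), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_banners(data):
    """Return {(component, version)} for every zlib banner in a byte string."""
    return {(m.group(1).decode(), m.group(2).decode()) for m in BANNER.finditer(data)}


def banners_in_file(path, chunk_size=1 << 20, overlap=128):
    """Scan a file in chunks; the overlap catches banners split across chunks."""
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            found |= find_banners(window)
            tail = window[-overlap:]
    return found


def scan_tree(root, fixed_version=None):
    """Walk root and report every file that embeds zlib.

    fixed_version is supplied by the caller (take it from the zlib advisory).
    When given, a hit is marked stale if its version is older than that.
    """
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                hits = banners_in_file(path)
            except OSError:
                continue  # unreadable file: skip it, keep the inventory going
            for component, version in sorted(hits):
                stale = None
                if fixed_version is not None:
                    stale = parse_version(version) < parse_version(fixed_version)
                report.append({"path": path, "component": component,
                               "version": version, "stale": stale})
    return report


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No directory given: show what the constructed sample contains.
        print(sorted(find_banners(SAMPLE)))
    else:
        fixed = sys.argv[2] if len(sys.argv) > 2 else None
        for row in scan_tree(sys.argv[1], fixed):
            flag = {True: "STALE", False: "ok", None: "?"}[row["stale"]]
            print(f'{flag:5} {row["component"]} {row["version"]}  {row["path"]}')
```

A copy whose banner was stripped or altered will not be found this way, so a clean result only rules out unmodified copies.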
mutatis mutandis (Score:2)
The next-generation Graphics Device Interface is part of Windows XP, meaning that the operating system itself could be at risk.
Am I right in assuming this won't affect NT4 and is a direct outcome of putting the GDI back in the kernel unlike in the true microkernel architecture like HURD?
Re:mutatis mutandis (Score:2, Informative)
Re:mutatis mutandis (Score:2)
change it (Score:3, Insightful)
This would force MS either to pay up, or go to court and fight against the very thing they want.
I didn't know this! (Score:3, Insightful)
One of the other interesting things about the GPL is the side effect it has of self promotion.
That is, I've gotten stuff from vendors using GPL software and you can tell, because their distributions contain a little src subdirectory with the GPL'd code in it.
With the other open software licenses, there's not such a legal provision enforcing source distribution, and, hence, no advertising that the particular piece of software was used in the product.
I bemoan the fact that much good public software and authors have not received their due credit because companies (in this particular instance, MS) have been able to incorporate their good work and not only not given them any money, but no widespread recognition of their contribution.
Double-free is safe with some mallocs (Score:5, Insightful)
Re:Double-free is safe with some mallocs (Score:3, Interesting)
Thus making the second free not crash may be worse than doing nothing.
Guaranteeing that the free *does* crash may be a good idea. Supposedly then the bug will be noticed. But this may be defeated if the memory is reallocated. Also if the code goes into service without the bug being noticed, you have a definite DOS exploit, while otherwise you may have had an unexploitable security bug.
Face it, there is no silver bullet.
Re:Double-free is safe with some mallocs (Score:3, Insightful)
Scan MS stuff for GPLed code (Score:2)
"no reports of any exploitations" (Score:2)
From the advisory [gzip.org]
I know most people here know this, but for some reason this bug has gotten an almost hysterical spin in the media. This is an example of the community responding to a potential risk, before any damage is done.
All these articles that rave about millions of systems being vulnerable seem to forget the fact that nobody has been affected.
Re:"no reports of any exploitations" (Score:2)
and you think this is bad? Why?
If all the vulnerable machines get patched before anyone's affected, I'd think the system worked just as it should. I'd rather not wait until there's some nasty reprise of Nimda before starting to patch my systems.
Re:"no reports of any exploitations" (Score:2)
It's not bad that they publicize the vulnerability, but it's bad to make it into a bigger issue than it really is. It means that when a more serious security risk comes along nobody will pay attention.
What are you going to do in response to the next Code-Red? Declare a state of emergency and call out the army?
Re:"no reports of any exploitations" (Score:2)
How big does it have to get before we acknowledge that it's a serious risk and start the patch run? I've been following the security lists about this, and I don't think the coverage is overdone at all.
The difference between Proprietary and Open code (Score:2)
This just points out the difference between proprietary code and open code. Those using open code incorporating this flaw have had a fix available for days (if they choose to patch and compile the source). Those using proprietary code incorporating this flaw will have to wait for the vendor to release a fix, if ever.
If that's not a good argument against depending on proprietary code (as for running a business), try this: If the flaw was not in open code incorporated into the proprietary code, but rather existed exclusively in the proprietary code alone (yeah, right -- proprietary code with bugs! LOL :-) then we might never know the flaw existed, let alone get a fix, unless some cracker with ethics told the world when they found the flaw rather than keep the exploit to themselves.
Microsoft's use of zlib is not the issue (Score:4, Insightful)
The real issue is that there is now a direct comparison on a shared bug (for which no exploit exists yet, let's not forget -- it's still theoretical) in both the free and proprietary systems.
You can see the cooperation and disclosure *and* resolution on the open source side. Did Microsoft even admit to the vulnerability which they surely (one hopes) knew existed in their own systems? No. That's not the issue either.
The great benefit that comes to open source from this is that now you can observe the different security and development models in action from a purely objective point of view.
Fortunately, for Microsoft and their customers at least, this is not so serious a flaw that it will likely be exploited before they can get fixes out -- if they really want to. Even more fortunately for Microsoft, there are already enough vulnerabilities with easy and existing exploits, that the zlib vulnerabilities will probably be a non-issue. Hackers will tend to follow the path of least resistance.
Re:Microsoft's use of zlib is not the issue (Score:2)
Did it occur to you *why* they haven't said anything?
Because this bug doesn't pose a security risk in Windows.
You're comparing apples and oranges... in Linux, this was a critical issue because linux's free() will quite happily trash your heap if you give it a chance. Under BSD and Windows, this is not a critical issue, because both BSD and Windows have marginally slower (but much safer) free() calls which will not trash your heap on a double free.
This bug (might) exist in the mentioned windows software, but it is a completely harmless bug, thus there is no reason to issue patches immediately.
Re:Microsoft's use of zlib is not the issue (Score:3)
Basically, while we shouldn't believe what they say, we should force them to act as if they do.
Their PR flack recently said that OS software costs society by not hiring programmers or contributing to tax money. So they should immediately rip out all the open source software they use and hire programmers to recreate it.
If they don't, can they really expect to have any credibility left?
No such domain (Offtopic) (Score:2)
; <<>> DiG 9.2.0rc3 <<>> news.com.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER
I don't get it. com.com seems to be some kind of travel agency. Any ideas?
(Sorry for the offtopic question)
Re:Seriously? Microsoft use open source code? (Score:2)
Of course, having everything derive code from the same source is a risk; isn't this part of the reason the ping of death was so much of an issue?
Re:Seriously? Microsoft use open source code? (Score:2, Insightful)
Depends on how you look at it. If there were N completely independent TCP/IP implementations out there, wouldn't there be N times as many bugs (each one affecting 1/N as many systems, on average). Homogeneity means only one codebase to debug and fix. But of course when a bug is found, it affects everyone.
Re:Seriously? Microsoft use open source code? (Score:2)
Re:Seriously? Microsoft use open source code? (Score:2, Informative)
I just wonder if Microsoft was able to taint some of the BSD coders by allowing them to view their code. I'm sure integrating something like a TCP/IP stack required access to some 2000/XP src code. Anyone know?
Re:Seriously? Microsoft use open source code? (Score:2, Interesting)
Re:Seriously? Microsoft use open source code? (Score:4, Informative)
How is reading, even verbatim copying, of BSD-licensed code risky in legal terms? The license explicitly allows incorporation into any type of software (commercial, open, or free). Microsoft could put out their own version of one of the *BSDs, with the only difference from its base BSD being having the Windows GUI grafted on top of it and no source included.
The relevant passage in the BSD license (from http://www.freebsd.org/copyright/license.html ):
There are licenses that are the BSD license, less the advertising clause (it is the advertising clause that prevents BSD from being a free license according to the FSF), such as the MIT license. These licenses are the freest of all the licenses (short of public domain).
Re:Seriously? Microsoft use open source code? (Score:2)
That's the 4.4BSD license, a license that predates FreeBSD (and the other open-source BSDs). It contains the dreaded "advertising clause," which is (IMHO) rightfully viewed as non-free. That's why FreeBSD uses this license [freebsd.org] which drops the advertising clause and is almost universally viewed as a free license; the other open-source BSDs did the same thing.
Re:Seriously? Microsoft use open source code? (Score:2)
Re:If we can't see MS's source (Score:5, Informative)
Re:If we can't see MS's source (Score:2, Flamebait)
Re:If we can't see MS's source (Score:2, Insightful)
"Craig Mundie, senior vice president of Microsoft, said last May. '(There) is a real problem in the licensing model that many open-source software products employ: the General Public License.'"
This really makes you wonder if Microsoft's stance against the GPL is really about getting more code from the open source community to use in their own projects. If there was a public backlash against the GPL, the community may feel pressure to change to other license models, and Microsoft could get more code for their projects written for free.
Re:If we can't see MS's source (Score:2)
If I want to use GPL code in my program without releasing, I can just
1. write a library wrapping up your GPL proggie
2. link to the library dynamically from my proggie
All I have to release is the source code of the wrapper library. Well, at least it is true in GPL V2.
Re:If we can't see MS's source (Score:2)
Copyright was originally a short-term thing.
Re: (Score:2, Informative)
Re:Darn! (Score:2)
< Bash >
As opposed to the other stuff which *is* really good?
< \Bash >
-
Re:Darn! (Score:2)
Re:Win2k news thought... (Score:4, Informative)
"vulnerabilities found in Windows and all Linux flavors combined are almost the same"
So if I am running RedHat, Mandrake, SUSE, and Debian simultaneously, I have the same number of flaws as a single run of Win2k?
They should either use the average (among linux dists) or the max (ditto), vs Win. Or sum across all current Win flavors (ME, Win2k, maybe NT) to compare against all linux flavors (summed).
Argh!
Re:Win2k news thought... (Score:3, Interesting)
Though really, that doesn't give you a good view, because if certain flaws only exist in certain distros, then you would be free from those flaws in another distro.
And if you just took the max, that might show you that a certain distro is really bad for security, but not much about linux in general. If the max was much larger than the mean, then that would just mean you shouldn't get that distro.
Probably the best is to just compare each version of windows and each distro separately, and you can then make a decision that way.
Re:oh goody (Score:3, Funny)
I'm sure this is a typo. You must have meant "did time".
Re:oh goody (Score:2)
Re:oh goody (Score:2)
Where I come from is I use Win2K for doing 3D animation. A lot of people I know doing 3D stuff are running on Win2k. We have to rely on a machine constantly rendering overnight, over weekends etc, and we cannot afford to have it crash. I've built a number of Win2k boxes in my time, and Win2k installation and setup is a breeze. I cannot say that for my experiences with installing Linux.
I've witnessed a number of Win2k machines of a huge variety of hardware (i.e. not custom made all from one provider) render for many many hours at a time and never crash. I have never lost rendering time to a Windows 2000 problem. None of my artist friends have ever complained about that.
Seems to me if a program can use so much Windows resources for so long and still behave properly, Microsoft must have done something right.
Re:oh goody (Score:2)
And I've only got to crashes, which cause the machine to auto-reboot.
To have a really crappy product(s) then releasing something that's better doesn't mean the new thing is good, just not as crappy.
So what, exactly, has MS done that's good?
Re:oh goody (Score:2)
What, you mean besides using Windows 95 to make the appeal of computers so broad that nearly everybody has one? Or maybe bringing the internet out of the geek neighborhood and out into the main stream? Or how about making an OS that can install on such a broad range of hardware that you can cheaply put together a system running Windows?
Did MS do this singlehandedly? Nope, I'm not saying that. They were instrumental in it though. Despite how much everybody hates to admit it, Windows 95 had a HUGE part in making computers as broadly supported as they are today. I remember when having a computer meant you were a nerd.
Did MS use illegal tactics? Yep. They've done shitty stuff. They've made shitty products. I'm not disputing that. But they're not entirely bad either. As a matter of fact, it's MS's shortcomings that are making people fight to make Linux as a replacement to MS.
You can hate MS all you want, more power to ya, but if you're successful in the IT industry, MS was probably instrumental in that either directly or indirectly. No Microsoft? Computers = toys for geeks.
Re:oh goody (Score:2)
I won't use XP, because I don't trust it, at all. I'd like to see MS put together a nice OS that's trustworthy to me, not to the various media organizations, not to MS, to me.
Re:oh goody (Score:2)
Re:oh goody (Score:2)
I think there are anti-ms people who think that because IIS is insecure as a webserver, that MS themselves should die. There are people of the Linux world that wish everybody would use Linux and forget Microsoft. They fail to realize that the adoption of Linux isn't slow because of MS, it's slow because it's not beating MS at doing what they like to do.
There's room in this world for both. If Linux becomes what Windows is in terms of usability, it will be every bit as bloated as MS. Don't believe me? Look at Redhat. Their default install wants to eat up a gig of space. Granted it comes with lots of apps, but it has its share of bloat too.
In any case, this isn't an anti-Linux/pro-Microsoft rant, this is more of a 'Be happy to have what you've got' rant. If MS disappears, what will fuel the fire to make Linux better?
It's in everybody's best interest if Microsoft does well, believe it or not.
Re:oh goody (Score:2)
My W2K server has been up 196 days and counting. I've NEVER encountered a BSOD on my XP notebook.
Perhaps you should try upgrading your drivers to MS certified ones.
Re:Um? (Score:4, Informative)
I apologize in advance if I'm being a little too trivial but I'm assuming that you are 100% non-technical just in case this post appeals to someone or some people who are.
When a program needs to temporarily store an amount of data it uses what's called a buffer. This is just a segment of memory where it can store its data.
A buffer overflow occurs when the buffer gets filled past its allocated regions. So in other words let's say the programmer has set up a buffer that's 1024 bytes. An overflow is when the user fills that 1024 byte buffer with more than 1024 bytes.
What happens? Well ideally the extra data wouldn't get stored in memory at all but unfortunately computers don't work that way. Instead whatever is stored in memory AFTER the 1024 bytes gets overwritten.
So let's say the programmer had the following code in his buggy program.
buffer[1024]
read data, buffer
do something
What the hacker has to do is input 1024 of garbage and then overwrite the memory with some other computer instruction. Like the instructions necessary to execute a shell.
You see when the buffer is overflowed the "do something" instruction will get overwritten with whatever data the hacker puts into the buffer. If the program is running as root then when the "do something" instruction is overwritten with the instructions to execute a shell the hacker will have himself root access!
But it's even more serious than that because let's say the program is a web server running as nobody. Before the hacker exploits the buffer overflow he has no access. But he knows about this overflow so he overflows it by sending apache a very long request containing the instructions to execute a shell. He has just gained "nobody" access to the system and from there he can figure out how to get root access.
The solution is for the programmer to make sure that the user is only entering in 1024 bytes of data at the most. Unfortunately many programs weren't written to do this.
I hope this explains to people why these bugs are more serious than "my system will crash".
--
Garett
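The length check named as the fix in the post above, as an added example that is not part of the original post. The struct, field and function names are assumptions made for illustration, and the `after` field stands in for whatever the program keeps in memory behind the 1024-byte buffer.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 1024

/* Hypothetical layout: 'after' stands in for whatever the program keeps
 * in memory right behind the buffer. */
struct request {
    char buffer[BUF_SIZE];
    unsigned long after;
};

/* Copy at most BUF_SIZE bytes of input into req->buffer.
 * Returns 0 on success, -1 if the input is too long. On rejection
 * nothing is written, so 'after' can never be overwritten. */
int read_data_checked(struct request *req, const char *input, size_t len)
{
    if (req == NULL || input == NULL)
        return -1;
    if (len > BUF_SIZE)          /* the check the buggy program lacks */
        return -1;
    memcpy(req->buffer, input, len);
    return 0;
}

/* Constructed inputs: one that fits exactly, one that is 8 bytes too long.
 * Returns 1 if the fitting input is accepted, the long one is rejected,
 * and 'after' keeps its value in both cases. */
int demo_checked_read(void)
{
    static char fits[BUF_SIZE];
    static char too_long[BUF_SIZE + 8];
    struct request req;

    memset(fits, 'A', sizeof fits);
    memset(too_long, 'B', sizeof too_long);
    req.after = 0xC0FFEEUL;

    if (read_data_checked(&req, fits, sizeof fits) != 0)
        return 0;
    if (req.after != 0xC0FFEEUL || req.buffer[BUF_SIZE - 1] != 'A')
        return 0;
    if (read_data_checked(&req, too_long, sizeof too_long) != -1)
        return 0;
    return req.after == 0xC0FFEEUL && req.buffer[0] == 'A';
}

int main(void) { return demo_checked_read() ? 0 : 1; }
```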
It's NOT a buffer overflow!!!!!! (Score:3, Informative)
read all about it : http://www.gzip.org/zlib/advisory-2002-03-11.txt
-c
Re:It's NOT a buffer overflow!!!!!! (Score:2)
The current version of gzip has a buffer overflow and I confused that with zlib's double-free.
Sorry about.
Anyway zlib's issue can be used to cause denial-of-service attacks etc. These are also worse than your system crashing. Imagine not being able to use either your computer or the network etc. You reboot and still you can't do your banking, check your e-mail and quite possibly not even able to use your computer because the DOS is just re-instated minutes after your computer reboots.
--
Garett
More than DoS Possible (Score:2)
From the ZLib page:
There is a security vulnerability in zlib 1.1.3 that can be exploited by providing a specially crafted invalid compressed data stream to zlib's decompression routines that results in zlib attempting to free the same memory twice. On many systems, freeing the same memory twice will crash the application. Such "double free" vulnerabilities can be used in denial-of-service attacks, and it is remotely possible that the vulnerability could be exploited in some application to execute arbitrary code with that application's permissions. There have been no reports of any exploitations of this problem, but the vulnerability exists nevertheless.
It would take some pretty slick work to actually get something to execute arbitrary code with this particular bug, but, it's possible. So it does raise the risk level back to what you originally stated, Garett.
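One common way the same memory ends up freed twice, and the usual hardening (clear the pointer when you release it), as an added example that is not part of the original comments and is not zlib's code. The `decoder` struct, the function names and the one-slot quarantine used to count the repeat free safely are all assumptions made for illustration.

```c
#include <stdlib.h>

/* Constructed stand-in for a decompressor's state; not zlib's structures. */
struct decoder { unsigned char *window; };

/* One-slot quarantine: a released block is held back rather than returned
 * to the allocator, so a repeat free of it can be counted safely. */
static void *quarantined;
static int double_frees;

static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    if (p == quarantined) {      /* same memory freed twice */
        double_frees++;
        return;
    }
    free(quarantined);           /* evict the previously held block for real */
    quarantined = p;
}

/* Buggy error path: releases the window on bad input but leaves the
 * stale pointer in the state. */
static void fail_buggy(struct decoder *d) { tracked_free(d->window); }

/* Hardened error path: release, then clear the pointer. */
static void fail_fixed(struct decoder *d)
{
    tracked_free(d->window);
    d->window = NULL;
}

/* Normal teardown, which the caller still runs after a failed decode. */
static void decoder_end(struct decoder *d)
{
    tracked_free(d->window);
    d->window = NULL;
}

/* Runs "decode fails, then teardown" and returns the double frees seen. */
int run_case(int fixed)
{
    struct decoder d;
    double_frees = 0;
    d.window = malloc(32768);
    if (d.window == NULL)
        return -1;
    if (fixed) fail_fixed(&d); else fail_buggy(&d);
    decoder_end(&d);
    return double_frees;
}

int main(void) { return (run_case(0) == 1 && run_case(1) == 0) ? 0 : 1; }
```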
HABBA FUNGULE (Score:4, Insightful)
The problem in zlib is a double free. It is only, and I repeat, only theoretically possible to exploit this in the same way that it is theoretically possible to exploit any undefined behavior.
Please don't counter with a traceroute exploit being an example of a double free because it wasn't. That was an example of freeing garbage random data. There is quite a difference.
At any rate, please think before you post. I cannot believe everyone is making such a fuss over this. It's funny because XP's whole TCP/IP had a remote root hole in it and less noise was made here than is being made now over something that is only theoretically possible to exploit and also not yet proven to be reproducible.
Right now, this 'security issue' is entirely theoretical.
Re:In other words (Score:2)
Re:Which explains why MS is not attacked more (Score:2, Informative)
Recent versions of Windows use a rewritten TCP/IP stack, so even if they did use the BSD stack for Win95/NT4/etc (which they almost definitely did, based on its behaviour), they aren't using it any more.
Re:Geez (Score:3, Insightful)
I'm fully aware that it's a problem that was first found on the unices!
Which is actually something to be proud of. Microsoft and all of its money didn't (while borrowing the code) find the security problem.
How does BSD prevent this problem where Linux can not? I'm genuinely curious as I am not a BSD user.