[ISN] Software Bug Could Threaten Security Of Linux Systems

From: InfoSec News (isnat_private)
Date: Mon Mar 11 2002 - 22:43:30 PST


    http://www.newsbytes.com/news/02/175117.html
    
    By Brian Krebs, Newsbytes
    WASHINGTON, D.C., U.S.A.,
    11 Mar 2002, 5:03 PM CST
     
    The Linux community today announced the discovery of a flaw in a
    common system library file that could compromise the security of
    nearly every flavor of the open-source operating system in use today.
    
    The vulnerability is tied to "zlib," a memory compression and
    decompression tool that is used by hundreds of program packages in
    Linux, including the Mozilla Web browser and the distribution's
    "kernel," code that comprises the core of the operating system.
     
    The trouble with zlib is that it is vulnerable to an error when
    uncompressing data that allows memory to be freed more than once – or
    "double-freed."
    
    Such an event can interfere with the way programs allocate memory,
    resulting in program crash or denial-of-service condition, at best.
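The double-free pattern the article describes, shown as an added illustration that is not zlib's code and not part of the original post. The stream structure, the tracked_malloc/tracked_free wrappers and the two decode_* functions are all constructed for this example: the wrappers act as a small debug allocator that refuses a second release of the same block and counts it, so the buggy path can be run and observed without corrupting the real heap. decode_vulnerable releases a buffer on an error path and then again in its generic teardown; decode_fixed clears the pointer after the first release so the teardown has nothing to free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Debug allocator (constructed): remembers live blocks so a second free of
 * the same pointer is detected and rejected instead of corrupting the heap. */
#define MAX_TRACKED 64
static void *live[MAX_TRACKED];
static int n_live = 0;
static int double_free_count = 0;   /* number of rejected second frees */

void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p && n_live < MAX_TRACKED)
        live[n_live++] = p;
    return p;
}

/* Returns 0 on a valid release (or NULL), -1 when the block is not live. */
int tracked_free(void *p) {
    if (p == NULL)
        return 0;                     /* free(NULL) is a no-op, as in C */
    for (int i = 0; i < n_live; i++) {
        if (live[i] == p) {
            live[i] = live[--n_live]; /* forget it, then really free it */
            free(p);
            return 0;
        }
    }
    double_free_count++;              /* already freed: the bug the article describes */
    return -1;
}

/* Hypothetical decompression state: one working buffer. */
typedef struct {
    unsigned char *window;
} stream_t;

/* Vulnerable pattern: the error path frees the buffer, but the pointer still
 * holds the old address, so the generic teardown frees it a second time. */
int decode_vulnerable(stream_t *s, int fail) {
    s->window = tracked_malloc(1024);
    if (s->window == NULL)
        return -1;
    if (fail)
        tracked_free(s->window);      /* first release on the error path */
    return tracked_free(s->window);   /* second release when fail != 0 */
}

/* Hardened pattern: clearing the pointer after the first free transfers
 * ownership away, so any later teardown sees NULL and does nothing. */
int decode_fixed(stream_t *s, int fail) {
    s->window = tracked_malloc(1024);
    if (s->window == NULL)
        return -1;
    if (fail) {
        tracked_free(s->window);
        s->window = NULL;             /* buffer no longer owned by this stream */
    }
    return tracked_free(s->window);   /* NULL here on the error path: no-op */
}

int main(void) {
    stream_t a = {0}, b = {0};
    printf("vulnerable, error path: %d (double frees so far: %d)\n",
           decode_vulnerable(&a, 1), double_free_count);
    printf("fixed, error path:      %d (double frees so far: %d)\n",
           decode_fixed(&b, 1), double_free_count);
    return 0;
}
```

The same idea underlies the usual fix for this class of bug: a pointer that has been freed must not survive in a structure that a later cleanup routine will walk, either by nulling it or by routing every release through one owner. Allocator hardening in modern C libraries catches many second frees, but only the code change removes the bug.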
    
    At worst, a malicious programmer could design code for a file format
    that relies on zlib – such as "png," an image format. Such a file,
    included in a Web page and read by the Mozilla Web browser, could
    crash the program, or allow the attacker to take complete control of
    the affected system.
    
    "We worked out pretty quickly that this was a fairly serious issue,"  
    said Mark Cox, senior director of engineering for Red Hat Inc., of
    consultations with the developers who discovered the problem - Owen
    Taylor and Matthias Clasen. "We decided there's no way we could
    address this issue without bringing CERT into it."
    
    CERT, the government-funded Computer Emergency Response Team at
    Carnegie Mellon University in Pittsburgh, is responsible for
    alerting industry and the public to widespread computer and software
    security holes.
    
    According to a preliminary CERT release, the vulnerability is not
    limited to Linux. The zlib library is freely available and is used by
    many vendors in a variety of applications and products, including
    IBM's. Dozens of other computer and software system makers are still
    testing their systems, CERT notes.
    
    So far, no known exploit is available for this particular
    vulnerability, and the various Linux distributions have already begun
    releasing an updated zlib version to replace the vulnerable one.
    
    But security experts are warning that malicious hackers are unlikely
    to be able to resist developing an exploit for a security hole that
    could affect such a vast number of systems.
    
    "The problem is certainly urgent, but this is a simple fix," Cox said.  
    "If people take care of it now, there won't be any vulnerability for
    others to exploit down the road."
    
    The CERT advisory is at http://www.kb.cert.org/vuls/id/368819
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 01:46:11 PST