http://www.newsbytes.com/news/02/175117.html By Brian Krebs, Newsbytes WASHINGTON, D.C., U.S.A., 11 Mar 2002, 5:03 PM CST The Linux community today announced the discovery of a flaw in a common system library file that could compromise the security of nearly every flavor of the open-source operating system in use today. The vulnerability is tied to "zlib," a memory compression and decompression tool that is used by hundreds of program packages in Linux, including the Mozilla Web browser and the distribution's "kernel," code that comprises the core of the operating system. The trouble with zlib is that it is vulnerable to an error when uncompressing data that allows memory to be freed more than once – or "double-freed." Such an event can interfere with the way programs allocate memory, resulting in program crash or denial-of-service condition, at best. At worst, a malicious programmer could design code for a file format that relies on zlib – such as "png," an image format. Such a file, included in a Web page and read by the Mozilla Web browser, could crash the program, or allow the attack to take complete control of the affected system. "We worked out pretty quickly that this was a fairly serious issue," said Mark Cox, senior director of engineering for Red Hat Inc., of consultations with the developers who discovered the problem - Owen Taylor and Matthias Clasen. "We decided there's no way we could address this issue without bringing CERT into it." CERT, short for the government-funded Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh, is responsible for alerting industry and the public of widespread computer and software security holes. According to a preliminary CERT release, the vulnerability is not limited to Linux. The zlib library is freely available and is used by many vendors by a variety of applications and manufacturers, including IBM. Dozens of other computer and software system makers are still testing their systems, CERT notes. So far, no known exploit is available for this particular vulnerability, and the various Linux distributions have already begun releasing an updated zlib version to replace the vulnerable one. But security experts are warning that malicious hackers are unlikely to be able to resist developing an exploit for a security hole that could affect such a vast number of systems. "The problem is certainly urgent, but this is a simple fix," Cox said. "If people take care of it now, there won't be any vulnerability for others to exploit down the road." The CERT advisory is at http://www.kb.cert.org/vuls/id/368819 - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 01:46:11 PST