http://www.eweek.com/article2/0,1895,1834632,00.asp By Larry Seltzer and Steven J. Vaughan-Nichols July 6, 2005 A serious security flaw has been identified in Zlib, a widely used data compression library. Fixes have begun to appear, but a large number of programs could be affected. Zlib is a data compression library that is used by many third-party programs and is distributed with many operating systems, including many Linux and BSD distributions. Microsoft Corp. and other proprietary software companies also use the library in many programs. These companies can do so because Zlib is licensed under liberal BSD-style license. This isn't the first time that the popular Zlib has been the center of a security concern. In 2002, a problem with how it handled memory allocation became a major concern. This time, the flaw is a buffer overflow in the decompression process. Because the program doesn't properly validate input data, it can be fed bad data, which can lead to a buffer overflow. This, in turn, means that if a user opens a file with a Zlib-enabled application, such as a Web browser or data compression tool, which contains specially malformed compressed data, an attacker could execute arbitrary code as the user. If this user were running as a system administrator the flaw would run at that level as well. Since Zlib is so ubiquitous, this represents a serious security concern. It's not clear how many programs are affected, but some operating system distributions are widely exposed. According to one source, numerous key packages in the Fedora Core 3 distribution use Zlib. Symantec Corp. reports that AIX, Debian, FreeBSD, Gentoo, SuSE, Red Hat, Ubuntu and many other operating systems are affected. Some versions of Microsoft's DirectX, FrontPage, Internet Explorer, Office, Visual Studio, Messenger and the Windows InstallShield program, among other programs, also use Zlib and are potentially vulnerable. Microsoft is currently looking into what vulnerabilities may exist in its software because of the Zlib problem. As Ormandy said, "Everything from the Linux kernel to OpenSSH, Mozilla and Internet Explorer makes use of Zlib, and any application that understands PNG [portable network graphics] image [format] is likely to use it." If exploited, this flaw could lead to DoS (denial of service) attacks on the targeted machine. This buffer overflow could also be used to allow a hacker unaurhorized access to a system. At this time, however, Symantec reports, there are no known exploits. In the open-source operating systems, deploying application fixes for this problem will tend to be straightforward. That's because in these operating systems the Zlib library is usually linked dynamically to applications. Thus, simply updating the operating system with the new library will take care of the problem for most applications. On other systems, however, and even with some open-source applications, each application will need to be patched. "Zlib is statically linked quite often, especially on non-Unix platforms such as Windows; however, on Linux, BSD and [similar operating systems] it's more conventional to use dynamic linking, especially as Zlib is so widely used on these platforms that it reduces lots of unnecessary duplication," explained Ormandy. Activity at the Zlib development site has been sparse for some time, and the main developers seem to have moved on to other projects. We received no response to our attempts to contact the developers in time for this story. However, Ormandy said, "Zlib is very mature and stable, so development is sporadic, but it's certainly not dead. Mark Adler [a Zlib co-author] responded to my report with a patch and an in-depth investigation and explanation within 24 hours, and I believe he expects to release a new version of Zlib very soon." In the meantime, many open-source operating systems already have patches for the buffer problem. These include Debian, FreeBSD, Gentoo, SuSE and Ubuntu. _________________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 23-28 - 2,000+ international security experts, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Thu Jul 07 2005 - 00:08:52 PDT