A security flaw in a widely-used data compression technology could put many software programs at risk of attack, experts have warned.
The buffer overflow vulnerability exists in the open-source "zlib" component, Secunia said in an alert published Thursday. Using a specially crafted file, an attacker could take control over a computer or crash applications that use zlib, the security monitoring company said.
The library is used in a large number of open-source and proprietary software applications to compress and decompress data, and it ships with many Linux and BSD distributions. Zlib is described as "something of a de facto standard" by Wikipedia, the community-based online encyclopedia.
"Just about everything uses zlib, from Xbox games consoles and mobile phones to OpenSSH, so the potential impact is very high," Tavis Ormandy of the Gentoo Linux security audit team wrote in an e-mail interview. Ormandy is credited with discovering the vulnerability.
The flaw has been reported in version 1.2.2 of zlib, Secunia said, and earlier versions may also be affected.
Secunia rates the problem "highly critical," one notch below its highest risk rating, because there is no known exploit. The French Security Incident Response Team deems it "critical," its most serious rating.
Assessing the impact
The security vulnerability may affect many applications, but the potential impact is not simple to calculate, said Michael Sutton, a lab director at security company iDefense. "The exploitability may also depend on how the library was implemented, so we can't assume that all applications using zlib are immediately vulnerable," he said.
It won't be an easy task to exploit the vulnerability to run code on a victim's device or computer, Ormandy said. However, it is not hard to make applications crash, he noted. "We have some test cases that trigger the bug via images or browsers that use zlib," Ormandy said.
An update to zlib, version 1.2.3, is being prepared and tested for release to eliminate this vulnerability, Mark Adler, co-creator of the compression library, said in an e-mail to CNET News.com.
Fixes are already available for several Linux releases, including Suse, Red Hat, Gentoo, Ubuntu, Mandriva and Debian, according to the Secunia Web site. An update is also available for FreeBSD, it said.
Microsoft is still looking into the issue, a company representative said. "Initial investigation has revealed that currently supported versions of Microsoft Windows are not at risk from this vulnerability," the representative said. Microsoft has used zlib in programs such as Office, MSN Messenger and Internet Explorer, according to a list of applications that use the component posted by the zlib developers group on its Web site.
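The version facts in the article (1.2.2 reported as affected, 1.2.3 prepared as the fix) and Sutton's point that exposure depends on how each application links the library suggest the check a defender wants first: ask a running program which zlib it is actually using, rather than trusting the version it was compiled against. The following is an added example written for this page, not code from the article, from zlib or from any of the vendors named; it uses Python's standard `zlib` module, whose `ZLIB_VERSION` constant records the header at build time and whose `ZLIB_RUNTIME_VERSION` constant (present since Python 3.3) records what the loaded library reports. The version threshold is taken from the article; everything else is the example's own assumption.

```python
import re
import zlib

# From the article: 1.2.2 is reported affected and 1.2.3 is the fixed release.
# Anything below the threshold is treated as unfixed, which also covers the
# "earlier versions may also be affected" caveat.
FIRST_FIXED = (1, 2, 3)


def parse_version(text):
    """Turn a zlib version string such as '1.2.2' or '1.2.11.1-distro' into a tuple of ints.

    Only the leading dotted numeric fields are compared; distribution suffixes are ignored.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised zlib version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(version_text, first_fixed=FIRST_FIXED):
    """True if the version is at or after the first release containing the fix."""
    return parse_version(version_text) >= first_fixed


def audit_runtime_zlib():
    """Report which zlib this interpreter is really running.

    ZLIB_VERSION is the header the extension was compiled against; ZLIB_RUNTIME_VERSION
    is what the loaded library itself reports. The two differ when zlib is dynamically
    linked and the shared library was updated without rebuilding the caller, which is
    exactly the situation where "update a single library" remediates the flaw. A program
    with zlib statically linked will keep reporting its build-time version until it is
    rebuilt, no matter what the distribution has shipped.
    """
    compiled = zlib.ZLIB_VERSION
    runtime = getattr(zlib, "ZLIB_RUNTIME_VERSION", compiled)  # fall back for very old Pythons
    return {
        "compiled_against": compiled,
        "running": runtime,
        "fixed": is_fixed(runtime),
        "runtime_differs_from_build": parse_version(compiled) != parse_version(runtime),
    }


if __name__ == "__main__":
    for key, value in audit_runtime_zlib().items():
        print(f"{key}: {value}")
```

The same comparison can be applied to any other process that exposes its zlib version string (for example, a program that prints the result of `zlibVersion()`); the point is that remediation is only confirmed by the version the running code reports, not by the version in the build environment.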
It's a flaw in an Open Source [fall down on your knees in respect] component. Not specific to dastardly Microsoft (oh, pardon me, "M$") or Sun or any of the other proprietary devils...
The "many eyes" / "peer review" model is vindicated once again. The problem was identified by a third-party (not the author), fixed, and propagated to open-source operating system distribution maintainers in less than a day. One need only update a single library and all is fixed.
I'm a little confused as to why we don't see any patches/updates from Microsoft yet, however. Their software uses zlib all over. It's in .Net, IE, Office, Windows Explorer, all over. Perhaps it's statically linked (requiring a rebuild of all those things).
It should be pointed out, however, that if the same flaw were in a proprietary product (Microsoft or otherwise), there would be absolutely no chance that the flaw would be found by a third party without an exploit first. There's only tepid incentive to perform code review of this sort, and fixing the problem before it's detected by an end-user, particularly if the fix is non-trivial, doesn't make economic sense, particularly if you don't bear any liability for issues that result.
It's not surprising that software has an issue. People write it. People make mistakes. In this case, other people were able to double-check the author's work and fix it, and they did so very quickly.
Tell me it isn't true - there can't possibly be a vulnerability in Linux! Everywhere I look, the experts keep saying that Linux is impervious to attack.
Ah, I know... the author must be a covert operative for Microsoft. It's common knowledge that MS is so afraid of other OS's that they'll use any tactic to discredit them. At least that's the gist of what the EU claims.
> It should be pointed out, however, that if the same flaw were in a proprietary product (Microsoft or otherwise), there would be absolutely no chance that the flaw would be found by a third party without an exploit first.
If an exploit is never used, can it be called an exploit? The point being... when the source code IS "open", it invites everyone to look for exploits. Not everyone will be friendly enough to report it to the good guys first.
If my front door is unlocked, I sure as heck don't want to post a sign on the door telling anyone who walks by about it... and then rely on my neighbors to come along and lock it for me.