[ISN] Zlib Security Flaw Exposes Swath of Programs

InfoSec News isn at c4i.org
Thu Jul 7 02:46:18 EDT 2005


http://www.eweek.com/article2/0,1895,1834632,00.asp

By Larry Seltzer and Steven J. Vaughan-Nichols 
July 6, 2005 

A serious security flaw has been identified in Zlib, a widely used
data compression library. Fixes have begun to appear, but a large
number of programs could be affected.

Zlib is a data compression library that is used by many third-party
programs and is distributed with many operating systems, including
many Linux and BSD distributions.

Microsoft Corp. and other proprietary software companies also use the
library in many programs. These companies can do so because Zlib is
licensed under a liberal BSD-style license.

This isn't the first time that the popular Zlib has been the center of
a security concern. In 2002, a problem with how it handled memory
allocation became a major concern.

This time, the flaw is a buffer overflow in the decompression process.
Because the library doesn't properly validate input data, it can be
fed bad data, which can lead to a buffer overflow.

This, in turn, means that if a user opens a file containing specially
malformed compressed data with a Zlib-enabled application, such as a
Web browser or data compression tool, an attacker could execute
arbitrary code as the user. If this user were running as a system
administrator, the attacker's code would run at that level as well.

Since Zlib is so ubiquitous, this represents a serious security
concern.

It's not clear how many programs are affected, but some operating
system distributions are widely exposed. According to one source,
numerous key packages in the Fedora Core 3 distribution use Zlib.  
Symantec Corp. reports that AIX, Debian, FreeBSD, Gentoo, SuSE, Red
Hat, Ubuntu and many other operating systems are affected.

Some versions of Microsoft's DirectX, FrontPage, Internet Explorer,
Office, Visual Studio, Messenger and the Windows InstallShield
program, among other programs, also use Zlib and are potentially
vulnerable.  Microsoft is currently looking into what vulnerabilities
may exist in its software because of the Zlib problem.

As Ormandy said, "Everything from the Linux kernel to OpenSSH, Mozilla
and Internet Explorer makes use of Zlib, and any application that
understands PNG [portable network graphics] image [format] is likely
to use it."

If exploited, this flaw could lead to DoS (denial of service) attacks
on the targeted machine. This buffer overflow could also be used to
allow a hacker unauthorized access to a system.

At this time, however, Symantec reports, there are no known exploits.

In the open-source operating systems, deploying application fixes for
this problem will tend to be straightforward. That's because in these
operating systems the Zlib library is usually linked dynamically to
applications. Thus, simply updating the operating system with the new
library will take care of the problem for most applications. On other
systems, however, and even with some open-source applications, each
application will need to be patched.

"Zlib is statically linked quite often, especially on non-Unix
platforms such as Windows; however, on Linux, BSD and [similar
operating systems] it's more conventional to use dynamic linking,
especially as Zlib is so widely used on these platforms that it
reduces lots of unnecessary duplication," explained Ormandy.

Activity at the Zlib development site has been sparse for some time,
and the main developers seem to have moved on to other projects. We
received no response to our attempts to contact the developers in time
for this story.

However, Ormandy said, "Zlib is very mature and stable, so development
is sporadic, but it's certainly not dead. Mark Adler [a Zlib
co-author] responded to my report with a patch and an in-depth
investigation and explanation within 24 hours, and I believe he
expects to release a new version of Zlib very soon."

In the meantime, many open-source operating systems already have
patches for the buffer problem. These include Debian, FreeBSD, Gentoo,
SuSE and Ubuntu.
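
The split between dynamically and statically linked Zlib described above
decides which programs a library update fixes. The following inventory
helper is an added example, not part of the original article or of Zlib
itself: it relies on the copyright banners Zlib compiles into every build,
and the function name, sample bytes and version 0.0.0 are constructed for
illustration.

```python
import re
import sys

# Zlib compiles banners such as " inflate X.Y.Z Copyright 1995-YYYY ..." into
# its object code, so a file containing one carries its own copy of the library.
BANNER = re.compile(rb" (?:inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright 1995-\d{4} ")
# A dynamically linked program only names the shared library it loads.
SHARED = re.compile(rb"libz\.so(?:\.\d+)*|zlib1?\.dll|libz(?:\.\d+)*\.dylib", re.I)

def classify(blob: bytes) -> dict:
    """Report how a binary image appears to use Zlib.

    embedded: Zlib code is inside this file (static link, or the library
              itself); the file must be rebuilt or replaced to be fixed.
    dynamic:  only a shared-library name is present; updating the system
              library covers it.
    none:     no Zlib marker found (heuristic; stripped banners are missed).
    """
    versions = sorted({m.group(1).decode() for m in BANNER.finditer(blob)})
    shared = sorted({m.group(0).decode() for m in SHARED.finditer(blob)})
    if versions:
        linkage = "embedded"
    elif shared:
        linkage = "dynamic"
    else:
        linkage = "none"
    return {"linkage": linkage, "versions": versions, "shared": shared}

# Constructed sample images (not real binaries); 0.0.0 is a placeholder version.
STATIC_SAMPLE = (b"MZ\x90\x00code\x00"
                 b" deflate 0.0.0 Copyright 1995-2000 Jean-loup Gailly \x00"
                 b" inflate 0.0.0 Copyright 1995-2000 Mark Adler \x00")
DYNAMIC_SAMPLE = b"\x7fELF\x02\x01\x01\x00libc.so.6\x00libz.so.1\x00inflateInit_\x00"

if __name__ == "__main__":
    # Usage: python zlib_inventory.py /usr/bin/* ; with no arguments, run samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, classify(fh.read()))
    else:
        print("static sample ", classify(STATIC_SAMPLE))
        print("dynamic sample", classify(DYNAMIC_SAMPLE))
```

Files reported as "embedded" with an affected version are the ones that
need a rebuilt or vendor-patched binary rather than a library update.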




