Zlib Security Bug Continues to Be Addressed

Zlib is used in many third-party programs, and it is distributed with many operating systems, including most Linux and BSD distributions.

It is also used by Microsoft and other proprietary software companies since it works well and is licensed under the Zlib/libpng license, a version of the liberal BSD license.

Because Zlib is so widely used in the background to handle data and PNG (Portable Network Graphics) image compression in both open-source and proprietary programs, a successful attack method poses potentially serious security problems.

A Microsoft spokesperson acknowledged that vulnerable versions of Zlib had been used in older Microsoft offerings.

These programs included some Windows 98 and XP system files and some versions of Microsoft Office.

So, "Microsoft is investigating new public reports of a possible vulnerability in Zlib, a widely used data compression library that may impact some Microsoft products. At this time, Microsoft is not aware of any malicious attacks attempting to exploit the reported vulnerabilities, but we are aggressively investigating the public reports."

So far, Microsofts "initial investigation has revealed that currently supported versions of Microsoft Windows are not at risk from this vulnerability."

It should be noted that only Windows XP and 2003 are currently supported. Windows 2000 support stopped on June 30.

According to Adrian St. Onge of Whitedust Security, "This is a critical mass hole and should be taken very seriously; youre probably using a Zlib-enabled application right now. Its being reported that no exploits exist for this hole, but since its just a simple buffer overflow, itll only be a matter of moments before one is released."

Read more here about the Zlib security flaw.

In the meantime, Microsoft is continuing its research. Then, "upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."

Most of the major Linux distributions have already issued fixes. Red Hat Inc. published its fix on July 6, and Novell Inc.s SuSE division issued its patch on the same day.

Only the 1.2.x versions of Zlib have the security hole. Thus, some programs and operating systems, which use versions of the program that are older, would be impacted by attacks based on the current vulnerability.

Unfortunately, most of the earlier versions, except for 1.1.4, had a different security problem.

The latest version of the Zlib library (Zlib 1.2.2) has not been patched yet.

Tavis Ormandy of the Gentoo Linux Security Audit Team, who discovered the problem, said July 7 that "Mark Adler [a Zlib co-author] responded to my report with a patch and an in-depth investigation and explanation within 24 hours, and I believe he expects to release a new version of Zlib very soon."

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.