Zlib is a data compression library that is used by many third-party programs and is distributed with many operating systems, including many Linux and BSD distributions.
Microsoft Corp. and other proprietary software companies also use the library in many programs. These companies can do so because Zlib is licensed under liberal BSD-style license.
This isnt the first time that the popular Zlib has been the center of a security concern. In 2002, a problem with how it handled memory allocation became a major concern.
This time, the flaw is a buffer overflow in the decompression process. Because the program doesnt properly validate input data, it can be fed bad data, which can lead to a buffer overflow.
This, in turn, means that if a user opens a file with a Zlib-enabled application, such as a Web browser or data compression tool, which contains specially malformed compressed data, an attacker could execute arbitrary code as the user. If this user were running as a system administrator the flaw would run at that level as well.
The flaw was discovered by Tavis Ormandy of the Gentoo Linux Security Audit Team.
Since Zlib is so ubiquitous, this represents a serious security concern.
Its not clear how many programs are affected, but some operating system distributions are widely exposed. According to one source, numerous key packages in the Fedora Core 3 distribution use Zlib. Symantec Corp. reports that AIX, Debian, FreeBSD, Gentoo, SuSE, Red Hat, Ubuntu and many other operating systems are affected.
Some versions of Microsofts DirectX, FrontPage, Internet Explorer, Office, Visual Studio, Messenger and the Windows InstallShield program, among other programs, also use Zlib and are potentially vulnerable.
Microsoft is currently looking into what vulnerabilities may exist in its software because of the Zlib problem.
As Ormandy said, "Everything from the Linux kernel to OpenSSH, Mozilla and Internet Explorer makes use of Zlib, and any application that understands PNG [portable network graphics] image [format] is likely to use it."
If exploited, this flaw could lead to DoS (denial of service) attacks on the targeted machine. This buffer overflow could also be used to allow a hacker unaurhorized access to a system.
At this time, however, Symantec reports, there are no known exploits.
In the open-source operating systems, deploying application fixes for this problem will tend to be straightforward. Thats because in these operating systems the Zlib library is usually linked dynamically to applications. Thus, simply updating the operating system with the new library will take care of the problem for most applications. On other systems, however, and even with some open-source applications, each application will need to be patched.
"Zlib is statically linked quite often, especially on non-Unix platforms such as Windows; however, on Linux, BSD and [similar operating systems] its more conventional to use dynamic linking, especially as Zlib is so widely used on these platforms that it reduces lots of unnecessary duplication," explained Ormandy.
Activity at the Zlib development site has been sparse for some time, and the main developers seem to have moved on to other projects. We received no response to our attempts to contact the developers in time for this story.
However, Ormandy said, "Zlib is very mature and stable, so development is sporadic, but its certainly not dead. Mark Adler [a Zlib co-author] responded to my report with a patch and an in-depth investigation and explanation within 24 hours, and I believe he expects to release a new version of Zlib very soon."