Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Servers

    Zlib Security Bug Continues to Be Addressed

    By
    Steven J. Vaughan-Nichols
    -
    July 10, 2005
    Share
    Facebook
    Twitter
    Linkedin

      Vendors are continuing to address a security hole in the very popular Zlib data compression library.

      Zlib is used in many third-party programs, and it is distributed with many operating systems, including most Linux and BSD distributions.

      It is also used by Microsoft and other proprietary software companies since it works well and is licensed under the Zlib/libpng license, a version of the liberal BSD license.

      Because Zlib is so widely used in the background to handle data and PNG (Portable Network Graphics) image compression in both open-source and proprietary programs, a successful attack method poses potentially serious security problems.

      A Microsoft spokesperson acknowledged that vulnerable versions of Zlib had been used in older Microsoft offerings.

      These programs included some Windows 98 and XP system files and some versions of Microsoft Office.

      So, “Microsoft is investigating new public reports of a possible vulnerability in Zlib, a widely used data compression library that may impact some Microsoft products. At this time, Microsoft is not aware of any malicious attacks attempting to exploit the reported vulnerabilities, but we are aggressively investigating the public reports.”

      So far, Microsofts “initial investigation has revealed that currently supported versions of Microsoft Windows are not at risk from this vulnerability.”

      It should be noted that only Windows XP and 2003 are currently supported. Windows 2000 support stopped on June 30.

      According to Adrian St. Onge of Whitedust Security, “This is a critical mass hole and should be taken very seriously; youre probably using a Zlib-enabled application right now. Its being reported that no exploits exist for this hole, but since its just a simple buffer overflow, itll only be a matter of moments before one is released.”

      /zimages/4/28571.gifRead more here about the Zlib security flaw.

      In the meantime, Microsoft is continuing its research. Then, “upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs.”

      Most of the major Linux distributions have already issued fixes. Red Hat Inc. published its fix on July 6, and Novell Inc.s SuSE division issued its patch on the same day.

      Only the 1.2.x versions of Zlib have the security hole. Thus, some programs and operating systems, which use versions of the program that are older, would be impacted by attacks based on the current vulnerability.

      Unfortunately, most of the earlier versions, except for 1.1.4, had a different security problem.

      The latest version of the Zlib library (Zlib 1.2.2) has not been patched yet.

      Tavis Ormandy of the Gentoo Linux Security Audit Team, who discovered the problem, said July 7 that “Mark Adler [a Zlib co-author] responded to my report with a patch and an in-depth investigation and explanation within 24 hours, and I believe he expects to release a new version of Zlib very soon.”

      /zimages/4/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Steven J. Vaughan-Nichols
      I'm editor-at-large for Ziff Davis Enterprise. That's a fancy title that means I write about whatever topic strikes my fancy or needs written about across the Ziff Davis Enterprise family of publications. You'll find most of my stories in Linux-Watch, DesktopLinux and eWEEK. Prior to becoming a technology journalist, I worked at NASA and the Department of Defense on numerous major technological projects.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×