Zlib Security Flaw Exposes Swath of Programs

The threatened Zlib compression library is used in many Linux distributions, in graphics libraries and even in Microsoft products.

A serious security flaw has been identified in Zlib, a widely used data compression library. Fixes have begun to appear, but a large number of programs could be affected.

Zlib is a data compression library that is used by many third-party programs and is distributed with many operating systems, including many Linux and BSD distributions.

Microsoft Corp. and other proprietary software companies also use the library in many programs. These companies can do so because Zlib is licensed under liberal BSD-style license.

This isnt the first time that the popular Zlib has been the center of a security concern. In 2002, a problem with how it handled memory allocation became a major concern.

This time, the flaw is a buffer overflow in the decompression process. Because the program doesnt properly validate input data, it can be fed bad data, which can lead to a buffer overflow.

This, in turn, means that if a user opens a file with a Zlib-enabled application, such as a Web browser or data compression tool, which contains specially malformed compressed data, an attacker could execute arbitrary code as the user. If this user were running as a system administrator the flaw would run at that level as well.

/zimages/3/28571.gifRead details here about open-source security tools on view at InfoSec.

The flaw was discovered by Tavis Ormandy of the Gentoo Linux Security Audit Team.

Since Zlib is so ubiquitous, this represents a serious security concern.

Its not clear how many programs are affected, but some operating system distributions are widely exposed. According to one source, numerous key packages in the Fedora Core 3 distribution use Zlib. Symantec Corp. reports that AIX, Debian, FreeBSD, Gentoo, SuSE, Red Hat, Ubuntu and many other operating systems are affected.

Some versions of Microsofts DirectX, FrontPage, Internet Explorer, Office, Visual Studio, Messenger and the Windows InstallShield program, among other programs, also use Zlib and are potentially vulnerable.

Microsoft is currently looking into what vulnerabilities may exist in its software because of the Zlib problem.

As Ormandy said, "Everything from the Linux kernel to OpenSSH, Mozilla and Internet Explorer makes use of Zlib, and any application that understands PNG [portable network graphics] image [format] is likely to use it."

/zimages/3/28571.gifClick here to read about vulnerabilities in two popular open-source projects, phpMyAdmin and phpBB.

If exploited, this flaw could lead to DoS (denial of service) attacks on the targeted machine. This buffer overflow could also be used to allow a hacker unaurhorized access to a system.

At this time, however, Symantec reports, there are no known exploits.

In the open-source operating systems, deploying application fixes for this problem will tend to be straightforward. Thats because in these operating systems the Zlib library is usually linked dynamically to applications. Thus, simply updating the operating system with the new library will take care of the problem for most applications. On other systems, however, and even with some open-source applications, each application will need to be patched.

"Zlib is statically linked quite often, especially on non-Unix platforms such as Windows; however, on Linux, BSD and [similar operating systems] its more conventional to use dynamic linking, especially as Zlib is so widely used on these platforms that it reduces lots of unnecessary duplication," explained Ormandy.

Activity at the Zlib development site has been sparse for some time, and the main developers seem to have moved on to other projects. We received no response to our attempts to contact the developers in time for this story.

However, Ormandy said, "Zlib is very mature and stable, so development is sporadic, but its certainly not dead. Mark Adler [a Zlib co-author] responded to my report with a patch and an in-depth investigation and explanation within 24 hours, and I believe he expects to release a new version of Zlib very soon."

In the meantime, many open-source operating systems already have patches for the buffer problem. These include Debian, FreeBSD, Gentoo, SuSE and Ubuntu.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.