Security threats Toolkit

Library flaw puts applications at risk

Joris Evers CNET News.com

Published: 08 Jul 2005 09:15 BST

A security flaw in a widely-used data compression technology could put many software programs at risk of attack, experts have warned.

The buffer overflow vulnerability exists in the open-source "zlib" component, Secunia said in an alert published on Thursday. Using a specially crafted file, an attacker could take control over a computer or crash applications that use zlib, the security monitoring company said.

The process is used in a large number of open source and proprietary software applications to compress and decompress data, and it ships with many Linux and BSD distributions. Zlib is described as "something of a de facto standard" by Wikipedia, the community-based online encyclopaedia.

"Just about everything uses zlib, from Xbox games consoles and mobile phones to OpenSSH, so the potential impact is very high," Tavis Ormandy of the Gentoo Linux security audit team wrote in an e-mail interview. Ormandy is credited with discovering the vulnerability.

The flaw has been reported in version 1.2.2 of zlib, Secunia said, and earlier versions may also be affected.

Secunia rates the problem "highly critical", one notch below its highest risk rating, because there is no known exploit. The French Security Incident Response Team deemed it "critical", its most serious rating, in its advisory.

Assessing the impact
The security vulnerability may affect many applications, but the potential impact is not simple to calculate, said Michael Sutton, a lab director at security company iDefense. "The exploitability may also depend on how the library was implemented, so we can't assume that all applications using zlib are immediately vulnerable," he said.

It won't be an easy task to exploit the vulnerability to run code on a victim's device or computer, Ormandy said. However, it is not hard to make applications crash, he noted. "We have some test cases that trigger the bug via images or browsers that use zlib," Ormandy said.

An update to zlib, version 1.2.3, is being prepared and tested for release to eliminate this vulnerability, Mark Adler, co-creator of the compression library, said in an e-mail to ZDNet UK sister site CNET News.com.

Fixes are already available for several Linux releases, including SuSE, Red Hat, Gentoo, Ubuntu, Mandriva and Debian, according to the Secunia Web site. An update is also available for FreeBSD, it said.

Microsoft is still looking into the issue, a company representative said. "Initial investigation has revealed that currently supported versions of Microsoft Windows are not at risk from this vulnerability," the representative said. Microsoft has used zlib in programs such as Office, MSN Messenger and Internet Explorer, according to a list of applications that use the component posted by the zlib developers group on its Web site.

This is not the first flaw in zlib. Last year, a denial-of-service vulnerability was reported in the compression component, and three years ago, a problem in zlib memory-management functions raised concerns for remote attacks.