
Microsoft's borrowed code may pose risk with zlib compression library

me101 on 15 March 2002 - 01:01

A security flaw in open-source software used by Linux and Unix systems for compression may affect some Microsoft products that also use the code.

As reported earlier this week, a flaw in the zlib software-compression library could leave many systems based on the open-source Linux operating system open to attack.

On Thursday, researchers reported that at least nine of Microsoft's major applications -- including Microsoft Office, Internet Explorer, DirectX, Messenger and FrontPage -- appear to incorporate borrowed code from the compression library and could be vulnerable to a similar attack.

Microsoft representatives said that the software giant's security response team is investigating the zlib flaw and that some Microsoft applications use code from that compression library. However, the team hasn't yet determined which applications use the library and whether those applications are vulnerable.

"It's not a foregone conclusion that the applications are affected," a company representative said.

Members of the open-source compression project, Gzip, have posted a list of nearly 600 applications that a detection program has flagged as using the zlib code. Nine Microsoft applications are included in the list: Microsoft DirectX 8, FrontPage, the next-generation Graphics Device Interface (part of Windows XP, meaning that the operating system itself could be at risk), InstallShield, Internet Explorer, Office, NetShow, Visual Studio and Messenger.

The detection program searches a program's code for three signature strings found in the zlib software - and, for in-depth searches, several more - to determine whether functions from the library are present in that specific program.

For example, Microsoft's DirectX contains 18 error messages that are identical to those in zlib, said Jean-loup Gailly, the chief software architect for computer image recognition company Vision IQ and the co-creator of the zlib library.
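As an added example (not code from the article, nor the Gzip project's own detector), the following Python scanner shows the signature-string approach described above: it looks in a binary image for zlib's embedded copyright banners and inflate error messages, the kind of strings the article says DirectX carried verbatim. The article does not name the three strings the Gzip tool matched on, so the strings chosen here, the verdict thresholds and the sample images are assumptions constructed for this demo.

```python
import re
from pathlib import Path

# Primary signatures: the copyright banners zlib 1.1.x compiles into every build.
# The article does not say which three strings the Gzip maintainers' tool used,
# so this choice is an assumption. Version digits vary by release: use regexes.
PRIMARY_SIGS = [
    rb"deflate \d+\.\d+\.\d+ Copyright 1995-\d{4} Jean-loup Gailly",
    rb"inflate \d+\.\d+\.\d+ Copyright 1995-\d{4} Mark Adler",
    rb"incorrect data check",
]
# Secondary signatures: inflate() error messages from zlib 1.1.x, the kind the
# article says DirectX carried verbatim. Only consulted for an in-depth scan.
SECONDARY_SIGS = [
    b"incorrect header check", b"unknown compression method",
    b"invalid window size", b"need dictionary", b"invalid block type",
    b"invalid stored block lengths", b"too many length or distance symbols",
    b"invalid bit length repeat", b"invalid literal/length code",
    b"invalid distance code", b"oversubscribed dynamic bit lengths tree",
]

def scan_zlib(blob: bytes, in_depth: bool = True) -> dict:
    """Report which zlib signatures occur in a binary image, plus a verdict."""
    primary = [p.decode() for p in PRIMARY_SIGS if re.search(p, blob)]
    secondary = [s.decode() for s in SECONDARY_SIGS if s in blob] if in_depth else []
    # Verdict thresholds are constructed for this demo, not the real tool's rules.
    if len(primary) == len(PRIMARY_SIGS):
        verdict = "likely"
    elif primary or len(secondary) >= 3:
        verdict = "possible"
    else:
        verdict = "none"
    return {"primary": primary, "secondary": secondary, "verdict": verdict}

def scan_file(path: str) -> dict:
    """Scan an on-disk executable or DLL (for real use; not exercised below)."""
    return scan_zlib(Path(path).read_bytes())

# Constructed sample images: one with zlib 1.1.3 strings embedded, one without.
SAMPLE_WITH_ZLIB = (
    b"MZ" + b"\x00" * 30
    + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
    + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00"
    + b"incorrect data check\x00need dictionary\x00invalid block type\x00"
    + b"invalid distance code\x00" + b"\x00" * 16
)
SAMPLE_CLEAN = b"MZ" + b"\x00" * 64 + b"need dictionary\x00"
```

A single secondary hit, as in SAMPLE_CLEAN, is not enough on its own: generic words such as "need dictionary" can appear in unrelated code, which is why the primary banners carry the weight.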

"Microsoft is affected but may not be vulnerable," Gailly said. Whether the company's code is at risk will depend on how the software giant wrote the other software libraries upon which zlib depends, he added.

News source: CNet News
View: GZIP - partial list of applications and libraries using zlib, directly or indirectly


But after successfully testing his technique for friends on other cable modem services - and studying further the specifications for DOCSIS, the standard interface used by most cable modem manufacturers - Hallacy decided he had uncovered a bona fide security vulnerability.

This week, Hallacy submitted a description of his technique to two e-mail discussion lists run by SecurityFocus.com that are read by thousands of computer security aficionados.

But the description by Hallacy may be the most specific ever posted to such a public forum. And experts said his claim that not only AT&T but also some Comcast and Time Warner cable systems are vulnerable may spur operators to make changes to their networks - or risk similar poking and prodding by other networking gurus.

In some instances, the technique could potentially be exploited even to take control of a cable ISP's gateway computers, alter their network routing, and shift large amounts of traffic to a specified destination, Hallacy claimed.

Dave Ahmad, moderator of the Bugtraq security mailing list, said he did not immediately approve Hallacy's submission because it described "how to evade (cable operators') service restrictions" and because he was "not sure what the benefit was to the community. Who is at risk if the information is not made public?"

Ahmad posted his comments, along with Hallacy's advisory, in a message Tuesday to the Vuln-Dev list, which had published a pared-back version of Hallacy's report on Monday.

Hallacy said he debated the morality of publishing his hacking instructions, but finally decided to do so as "a little bit of a smack in cable companies' direction. People are exploiting this. It's one of the reasons there's not enough bandwidth on some nodes, and they need to fix it."

News source: Newsbytes
View: Original submission on Bugtraq's vuln-dev mailing list (by Dave Ahmad)
