Microsoft's borrowed code may pose risk with zlib compression library

A security flaw in open-source software used by Linux and Unix systems for compression may affect some Microsoft products that also use the code.

As reported earlier this week, a flaw in the zlib software-compression library could leave much of the systems based on the open-source operating system Linux open to attack.

On Thursday, researchers reported that at least nine of Microsoft's major applications -- including Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page -- appear to incorporate borrowed code from the compression library and could be vulnerable to a similar attack.

Microsoft representatives said that the software giant's security response team is investigating the zlib flaw and that some Microsoft applications use code from that compression library. However, the team hasn't yet determined which applications use the library and whether those applications are vulnerable.

"It's not a foregone conclusion that the applications are affected," a company representative said.

Members of the open-source compression project, Gzip, have posted a list of nearly 600 applications that a detection program has flagged as using the zlib code. Nine Microsoft applications are included in the list: Microsoft DirectX 8, FrontPage, the next-generation Graphics Device Interface (part of Windows XP, meaning that the operating system itself could be at risk), InstallShield, Internet Explorer, Office, NetShow, Visual Studio and Messenger.

The detection program uses three signature strings of code - and for in-depth searches, several more - found in the zlib software to determine if functions from the library are present in a specific program.

For example, Microsoft's Direct X contains 18 error messages that are identical to those in zlib, said Jean-loup Gailly, the chief software architect for computer image recognition company Vision IQ and the co-creator of the zlib library.

"Microsoft is affected but may not be vulnerable," Gailly said. Depending on how the software giant wrote the other software libraries upon which zlib depends will determine whether the company's code is at risk, he added.

News source: CNet News

View: GZIP - partial list of applications and libraries using zlib, directly or indirectly

Previous Story
Cable modem hacking tricks uncapped online
Next Story
eBay stumbles with outage