Microsoft's borrowed code may pose risk
CNET ^ | 03/14/2002 | Robert Lemos

Posted on 03/14/2002 11:37:24 AM PST by HamiltonJay

By Robert Lemos, Staff Writer, CNET News.com
March 14, 2002, 12:05 PM PT


A security flaw in open-source software used by Linux and Unix systems for compression may affect some Microsoft products that also use the code.

As reported earlier this week by CNET News.com, a flaw in the zlib software-compression library could leave many systems based on the open-source operating system Linux open to attack.

On Thursday, the researchers who discovered the flaw reported that at least nine of Microsoft's major applications--including Microsoft Office, Internet Explorer, DirectX, Messenger and FrontPage--appear to incorporate borrowed code from the compression library and could be vulnerable to a similar attack.

Microsoft representatives said that the software giant's security response team is investigating the zlib flaw and that some Microsoft applications use code from that compression library. However, the team hasn't yet determined which applications use the library and whether those applications are vulnerable.

"It's not a foregone conclusion that the applications are affected," a company representative said.

The zlib library has been a fundamental open-source software component for almost a decade and can be found in almost every Linux and Unix system. That means the so-called "double free" flaw in the library may leave a hefty portion of Linux and Unix systems open to attack. Because it adopted some of the code, Microsoft apparently has made itself vulnerable to the flaw as well.

Members of the open-source compression project, Gzip, have posted a list of nearly 600 applications that a detection program has flagged as using the zlib code. Nine Microsoft applications are included in the list: Microsoft DirectX 8, FrontPage, the next-generation Graphics Device Interface, InstallShield, Internet Explorer, Office, NetShow, Visual Studio and Messenger.

The next-generation Graphics Device Interface is part of Windows XP, meaning that the operating system itself could be at risk.

The detection program uses three signature strings of code--and for in-depth searches, several more--found in the zlib software to determine if functions from the library are present in a specific program. For example, Microsoft's DirectX contains 18 error messages that are identical to those in zlib, said Jean-loup Gailly, the chief software architect for computer image recognition company Vision IQ and the co-creator of the zlib library.
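The string-signature check described in that paragraph is easy to reproduce for one's own software inventory. The following is an added example, not the article's code and not the detector the Gzip project published: it scans a byte buffer for strings that the zlib 1.1.x source emits (the z_errmsg table in zutil.c and the deflate/inflate copyright strings) and reports how many appear. The sample "binary" buffers are constructed inline; a real tool would read executables from disk and load its signature list from a file.

```c
/* Added example: a minimal zlib signature scan. Not from the article or
 * from the Gzip project's detector. Signatures are strings present in the
 * zlib 1.1.x source; the sample buffers below are constructed. */
#include <stdio.h>
#include <string.h>

/* Strings emitted by zlib 1.1.x: copyright banners first, then z_errmsg
 * entries and inflate's z->msg texts. */
static const char *const zlib_signatures[] = {
    " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly ",
    " inflate 1.1.3 Copyright 1995-1998 Mark Adler ",
    "need dictionary", "stream end", "file error", "stream error",
    "data error", "insufficient memory", "buffer error",
    "incompatible version", "incorrect header check",
    "unknown compression method", "invalid window size",
    "invalid block type", "invalid stored block lengths",
    "too many length or distance symbols",
    "invalid literal/length code", "invalid distance code",
    "incorrect data check",
};
#define NSIGS (sizeof zlib_signatures / sizeof zlib_signatures[0])

/* Binary-safe substring search; strstr() would stop at the first NUL. */
static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Number of distinct signature strings found in buf. Generic strings such
 * as "data error" also occur in unrelated code, so a count of one or two
 * is a prompt for manual review rather than a verdict. */
int count_zlib_signatures(const unsigned char *buf, size_t len)
{
    int hits = 0;
    for (size_t i = 0; i < NSIGS; i++)
        hits += contains(buf, len, zlib_signatures[i]);
    return hits;
}

/* Verdict: a copyright banner, or at least three error strings together. */
int looks_like_zlib(const unsigned char *buf, size_t len)
{
    return contains(buf, len, zlib_signatures[0]) ||
           contains(buf, len, zlib_signatures[1]) ||
           count_zlib_signatures(buf, len) >= 3;
}

/* Constructed sample images (not real executables). */
static const unsigned char sample_with_zlib[] =
    "\x7f" "ELF\0\0\0\0"
    "incorrect header check\0"
    "invalid block type\0"
    " inflate 1.1.3 Copyright 1995-1998 Mark Adler \0"
    "data error\0";
static const unsigned char sample_without_zlib[] =
    "\x7f" "ELF\0\0\0\0" "hello world\0" "data error\0";

int sample_with_count(void)     { return count_zlib_signatures(sample_with_zlib, sizeof sample_with_zlib); }
int sample_without_count(void)  { return count_zlib_signatures(sample_without_zlib, sizeof sample_without_zlib); }
int sample_with_verdict(void)   { return looks_like_zlib(sample_with_zlib, sizeof sample_with_zlib); }
int sample_without_verdict(void){ return looks_like_zlib(sample_without_zlib, sizeof sample_without_zlib); }

int main(void)
{
    printf("sample with zlib:    %d hits, verdict %d\n", sample_with_count(), sample_with_verdict());
    printf("sample without zlib: %d hit(s), verdict %d\n", sample_without_count(), sample_without_verdict());
    return 0;
}
```

The threshold in looks_like_zlib is a judgement call: the copyright banners are near-unique, while the short error strings are only convincing in combination, which is why the article's detector used a handful of strings for a quick pass and more for an in-depth search. Removing the copyright string from a binary, as the article says some vendors did, defeats the first test but not the second.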

"Microsoft is affected but may not be vulnerable," Gailly said. How the software giant wrote the other software libraries upon which zlib depends will determine whether the company's code is at risk, he added.

Companies that use code from the open-source community need to always vet the code for such insecurities, IDC analyst Dan Kusnetzky said.

"Some of the open-source products are quite well-tested and don't have very many vulnerabilities," he said. "Others aren't so well-tested, and so may have vulnerabilities that will embarrass the companies later." The zlib library's double-free flaw shows that even well-tested software can still fall prey to some of the more esoteric security problems, he added.

The license under which the zlib library is published on the Internet allows any company to use the code in any way it likes. Unlike the GNU General Public License, the library doesn't require that a company release its own source code in return.

Yet, the incident seemingly proves that Microsoft, despite dismissing open-source code publicly, has used software from others to create its own products.

This isn't the first time that Microsoft has co-opted code from the open-source arena.

Some programmers have said that a technology, called the GS flag, which the software giant added to its newest compiler to prevent a common programming error, actually uses code from the open-source StackGuard project.

"It is debatable that Microsoft copied the StackGuard functionality," Crispin Cowan, chief scientist at server software firm Wirex Communications and the creator of StackGuard, wrote in a February e-mail to CNET News.com. "It is not debatable that the GS functionality is identical to...StackGuard."

Evidence uncovered last summer points to the Windows operating system borrowing some networking utilities and possibly parts of the TCP/IP stack, the core software that allows networking and Internet connectivity, from the open-source Unix variant FreeBSD.

Theo de Raadt, a founder and project leader for another open-source Unix variant, OpenBSD, stressed that no conclusive proof exists, however. "I have asked repeatedly and never gotten proof," he said.

Microsoft has never denied that it would use open-source software, just that its programmers are prohibited from using code based on the GNU General Public License, which could force the company to publish its own source code.

"The issue at hand is choice; companies and individuals should be able to choose either model, and we support this right," Craig Mundie, senior vice president of Microsoft, said last May. "(There) is a real problem in the licensing model that many open-source software products employ: the General Public License."

The zlib compression library doesn't use the GPL, however.

For the library, the only license requirement is that a copyright notice be included in the program source code, if released. Microsoft, which rarely releases source code, didn't need to include the string in the company's programs, but zlib creator Gailly wishes the giant gave credit.

"It bothers me that they removed the zlib copyright string from some binary versions," he said. In the future, he added, new versions of the library may include such a requirement.




TOPICS: Business/Economy; Miscellaneous; News/Current Events; Technical
KEYWORDS: computersecurityin; linux; microsoft; techindex
All their bashing of open source, yet they use it in their products... gotta love Microsoft...
1 posted on 03/14/2002 11:37:24 AM PST by HamiltonJay

To: HamiltonJay
I thought that because the Windows executable interpreter is designed to prevent double-free bugs that it wouldn't be affected by the zlib bug (same with BSD). Anyone have more facts on this issue?
2 posted on 03/14/2002 11:46:15 AM PST by Dimensio

Comment #3 Removed by Moderator

Comment #4 Removed by Moderator

To: HamiltonJay
Ping
5 posted on 03/14/2002 11:58:36 AM PST by bwteim

To: Dimensio
I believe you're right. If I compile and run this code on Mac OS X (which is based on BSD):

  #include <stdio.h>
  #include <stdlib.h>

  int main(void)
  {
      char *buffer;
      printf("Allocating buffer\n");
      buffer = (char *)malloc(8*sizeof(char));
      printf("Freeing buffer\n");
      free(buffer);
      printf("Freeing buffer again\n");
      free(buffer);   /* deliberate double free: the bug under discussion */
      return 0;
  }
I get this output:

Allocating buffer
Freeing buffer
Freeing buffer again
*** malloc[20332]: Deallocation of a pointer not malloced: 
0x442f0; This could be a double free(), or free() called 
with the middle of an allocated block; Try setting 
environment variable MallocHelp to see tools to help debug

One of our Windows friends should be able to do a similar test to verify that it catches the bug too.
6 posted on 03/14/2002 12:01:50 PM PST by ThinkDifferent

To: seamole
Microsoft uses a lot of public domain code done in colleges and universities. They used a lot of BSD UNIX code.

Back in 1999 I wrote the first versions of the DNS Resolver, SMTP server, POP3 Server, and IMAP4 Server components that are now included with Delphi 6.

The TCP stack in Windows was nearly identical to the BSD Unix stack with just the changes mandated by the differences in the UNIX and Windows C compilers. Reverse engineering it in order to program to it consisted of printing out the BSD code.

You know what they say,

Good programmers write great code. Great programmers steal it.


7 posted on 03/14/2002 12:04:46 PM PST by Common Tator

To: ThinkDifferent
Tried it with the Cygwin API wrapper dll, which I believe just hands its own malloc and free calls off to the Windows API, and it didn't segfault or report any errors. I'll have to try it under VC++ at home.
8 posted on 03/14/2002 12:08:50 PM PST by sigSEGV

To: HamiltonJay
Evidence uncovered last summer points to the Windows operating system borrowing some networking utilities
Last summer? I thought this was a well known fact that Windows's TCP/IP stack was stolen from BSD. The BSD license, however, permits this.
Too bad the zlib team didn't GPL their work, I would love to see MS try and squirm out of it.
9 posted on 03/14/2002 12:21:25 PM PST by lelio

To: SlickWillard
Microsoft has never denied that it would use open-source software, just that its programmers are prohibited from using code based on the GNU General Public License, which could force the company to publish its own source code.
10 posted on 03/14/2002 12:38:09 PM PST by KayEyeDoubleDee

To: ThinkDifferent
My results of your code:
Linux: Segmentation fault (core dumped)
FreeBSD: a.out in free(): warning: page is already free.
Win XP: doesn't say anything. Maybe StackGuard caught it.
11 posted on 03/14/2002 12:41:45 PM PST by lelio

To: lelio
Blows up in 2k. "The instruction at "xxx" referenced memory at "xxx". The memory could not be "read"."
12 posted on 03/14/2002 12:51:50 PM PST by mykej
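Posts 6, 8, 11 and 12 above compare what each platform's allocator does with a plain double free: some print a diagnostic, some crash, some say nothing. Whether the allocator notices is outside the program's control, so the defensive fix belongs in the code that owns the pointer. The following is an added example, not code from this thread or from zlib: a small debugging wrapper around free() that records live allocations and reports a second free of the same pointer instead of passing it to the heap, run against two cleanup patterns. The struct, field names and the error-path shape are my own illustration of the general pattern the article describes (a library freeing a buffer on an error path and again at teardown), not zlib's actual code.

```c
/* Added example: a double-free detector around free(), plus the buggy and
 * fixed cleanup patterns it is meant to catch. Not from the thread or
 * from zlib; the decoder struct below is illustrative only. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 64

static void *live[MAX_LIVE];   /* pointers currently owned by the caller */
static int double_frees;       /* second frees caught by tracked_free() */

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    free(p);                   /* table full or malloc failed */
    return NULL;
}

/* Returns 0 for a valid free, 1 when p is not a live allocation. The
 * pointer value is only compared, never dereferenced. */
static int tracked_free(void *p)
{
    if (p == NULL) return 0;   /* free(NULL) is legal and a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    double_frees++;            /* not live: report it, do not hand it to free() */
    return 1;
}

/* Illustrative decoder state: one heap table plus an error flag. */
struct state { unsigned char *table; int error; };

static void begin(struct state *s)
{
    s->table = tracked_malloc(288);
    s->error = 0;
}

/* Buggy: the error path releases the table but leaves the dangling
 * pointer in place, so the caller's normal teardown frees it again. */
static void process_buggy(struct state *s, int bad_input)
{
    if (bad_input) { tracked_free(s->table); s->error = 1; }
}

/* Fixed: clear the pointer at the moment ownership is given up. */
static void process_fixed(struct state *s, int bad_input)
{
    if (bad_input) { tracked_free(s->table); s->table = NULL; s->error = 1; }
}

/* Generic teardown shared by both paths, as in a library's *End() call. */
static int cleanup(struct state *s)
{
    int rc = tracked_free(s->table);
    s->table = NULL;
    return rc;
}

/* Each driver feeds one bad input through a pattern and returns the
 * number of double frees the wrapper caught. */
int run_buggy(void)
{
    struct state s;
    double_frees = 0;
    begin(&s); process_buggy(&s, 1); cleanup(&s);
    return double_frees;
}

int run_fixed(void)
{
    struct state s;
    double_frees = 0;
    begin(&s); process_fixed(&s, 1); cleanup(&s);
    return double_frees;
}

int main(void)
{
    printf("buggy cleanup: %d double free(s) caught\n", run_buggy());
    printf("fixed cleanup: %d double free(s) caught\n", run_fixed());
    return 0;
}
```

The wrapper is the same idea as the diagnostic the Mac OS X allocator printed in post 6, moved into the program so that the result is deterministic across platforms; in a test build it can be swapped in for the allocator callbacks a library exposes, while the release build keeps the fixed pattern of nulling a pointer the instant it is freed.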

To: HamiltonJay
boo hoo...
13 posted on 03/14/2002 12:55:35 PM PST by Naspino

To: ThinkDifferent
*** malloc[20332]: Deallocation of a pointer not malloced: 0x442f0; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug

I'm sure all Mac users know what this means and how to deal with it.

14 posted on 03/14/2002 12:56:33 PM PST by js1138

To: js1138; lelio; ThinkDifferent
On every Unix-like system (with the exception of VxWorks) I've ever known, a double free causes a seg fault. Okay, so everything which links against this library potentially has this problematic code path. It seems to me that the worst a hacker can do is find something (say an image) which, during compression/decompression by a particular process, causes the double freeing code path in the library to be executed. Joe Hacker sends this over and over and some application keeps segfaulting? Big deal. Is there something I'm missing here? I mean, it's not as if 'inetd' or something like that would crash, it would be something like Netscape.
15 posted on 03/14/2002 1:05:28 PM PST by KayEyeDoubleDee

To: js1138
I'm sure all Mac users know what this means and how to deal with it.
The smiley / frowny Mac icon that comes up just shrugged his shoulders and said "Well what are you going to do?"
16 posted on 03/14/2002 1:05:46 PM PST by lelio

To: lelio
I prefer the old PC boot error that says "Keyboard not detected, press F1 to continue".

Best error message ever.

17 posted on 03/14/2002 1:08:48 PM PST by js1138

To: KayEyeDoubleDee
Joe Hacker sends this over and over and some application keeps segfaulting?
Could be used to DoS the box perhaps. What happens if you have a program that pulls down data from remote sites like a newsfeed, and that data is compressed and has a double free bug in it? Well your app seg faults and then it probably dies (can you catch those?), which annoys you and you have to restart the app.
I'm sure someone will come up with an example soon ;)
18 posted on 03/14/2002 1:09:47 PM PST by lelio

Comment #19 Removed by Moderator

To: KayEyeDoubleDee
When an application segfaults, it means it is reading an area of memory outside the protected memory space of the currently running program. Generally it's because a part of memory was overwritten in the program that should not have. If the part overwritten is read as a pointer to an area of memory outside the allowed area of the program, it segfaults. If you have a way of controlling the bogus data that gets inserted into memory, you can make the program jump to other data you have inserted, which could contain executable machine language code of your choosing -- which could be bad...
20 posted on 03/14/2002 1:26:53 PM PST by sigSEGV