[KLUG Advocacy] Re: The infamous "libz" "Open Source hole" exists on Windows!
Bryan J. Smith
advocacy@kalamazoolinux.org
07 Jun 2002 09:18:48 -0400
On Fri, 2002-06-07 at 08:55, Adam Williams wrote:
> How come IE keeps having the same ridiculous security problems over and
> over?
For the same reason Outlook does. Netscape might have invented cookies
and Sendmail invented SMTP automation, but both _learned_their_lessons_
after a few slams. IE and Outlook don't.
> I can pull up a user's session variables, username, and *password*
> with a simple javascript. It happens, yes. Complex systems are... well...
> they're complex. But if the problem is libz I can fix or motivate someone
> else to. If it's IE, I wait (and wait) for the next patch, and hope.
Yep.
> But does Win32 use libz for any critical functions? To use CABs or files
> that need "expand" and do any real damage (to a properly configured
> system) one need to be running with Administrator access.
Er, libz is used for a lot of user stuff too on Windows. In newer
versions, libz is used for browsing Zip files (without PKZip/WinZip).
But there are endless uses for libz in other areas of Windows.
> An administrator who uses CABs (or what not) from unknown originals is a
> flake. Linux on the other hand uses libz inside privileged processes on
> a very regular basis (logrotate for example). So maybe it isn't as
> easy (but certainly not impossible) to exploit on Win32.
Should be the same difference in some cases since there are a number of
user processes using libz besides file archiving.
> That was never anything other than FUD. Even most "real" Windows techs I
> know snicker at this closed-is-better security rhetoric.
I know.
> I honestly don't think it is so much denial as they SERIOUSLY believe with
> religious zeal, that they have no other option. So why carry on about it,
> thats just a fact of life (to them). The quote I remember is "It is
> better to be on the steam roller than in front of it" in reference to
> supporting anything other than M$ platforms.
The problem is that Microsoft has multiple steamrollers that crash into
each other. It's funny how different companies can have multiple
steamrollers and not do the same either, eh?
> There is no point in arguing with that kind of attitude, they just
> start to think YOU are the brain washed zealot.
As I always say, "I was hacking Windows NT before you even heard of
Windows for Workgroups."
> "Anything" is a bit strong, but close.
Oh, yeah -- thanx for catching that. Not good.
> There is an exodus to GPL? My general sense was the opposite. Many GPL
> projects seem to be making changes to be more BSD-ish friendly (unixODBC,
> Asterisk, etc...)
It depends. But there is a good movement by some projects to get to GPL
-- like WINE.
> The Pentagon isn't buying that either. Despite Hollywood's portrayal of
> them as warlocks in uniform, they are a seriously smart and intellectually
> rigorous bunch of chaps (and I suppose chapletts these days). Listening
> to them speak, or reading stuff they write, lets one understand how the
> military can rise to power in so many nations. Compared to them most
> congressmen are knee-jerk inarticulate ignorant bumblers.
I've known a number of mid-ranking officers with extensive educations in
my career at defense companies. You're right, they are.
-- Bryan
--
The community has created the fastest, most standards-compliant
web browser with extensive popup, cookie and privacy management.
But all the IT media can talk about is how it renders MSIE-only
sites a bit rough even though MSIE on Mac cannot even view them!
----------------------------------------------------------------
Bryan J. Smith, SmithConcepts, Inc. mailto:b.j.smith@ieee.org
Engineers and IT Professionals http://www.SmithConcepts.com