[KLUG Advocacy] Re: The infamous "libz" "Open Source hole" exists on Windows!

Bryan J. Smith advocacy@kalamazoolinux.org
07 Jun 2002 09:18:48 -0400


On Fri, 2002-06-07 at 08:55, Adam Williams wrote:
> How come IE keeps having the same ridiculous security problems over and 
> over?

For the same reason Outlook does.  Netscape might have invented cookies
and Sendmail invented SMTP automation, but both _learned_their_lessons_
after a few slams.  IE and Outlook don't.

> I can pull up a user's session variables, username, and *password* 
> with a simple javascript.  It happens, yes.  Complex systems, are.. well.. 
> they're complex.  But if the problem is libz I can fix or motivate someone 
> else to.  If it's IE, I wait (and wait) for the next patch, and hope.

Yep.

> But does Win32 use libz for any critical functions?  To use CABs or files 
> that need "expand" and do any real damage (to a properly configured 
> system) one needs to be running with Administrator access.

Er, libz is used for a lot of user stuff too on Windows.  In newer
versions, libz is used for browsing Zip files (without PKZip/WinZip). 
But there are endless uses for libz in other areas of Windows.

> An administrator who uses CABs (or what not) from unknown originals is a
> flake.  Linux on the other hand uses libz inside privileged processes on
> a very regular basis (logrotate for example).  So maybe it isn't as
> easy (but certainly not impossible) to exploit on Win32. 

Should be the same difference in some cases since there are a number of
user processes using libz besides file archiving.

> That was never anything other than FUD.  Even most "real" Windows techs I 
> know snicker at this closed-is-better security rhetoric.

I know.

> I honestly don't think it is so much denial as they SERIOUSLY believe with 
> religious zeal, that they have no other option.  So why carry on about it,  
> that's just a fact of life (to them).  The quote I remember is "It is 
> better to be on the steam roller than in front of it" in reference to 
> supporting anything other than M$ platforms.

The problem is that Microsoft has multiple steamrollers that crash into
each other.  It's funny how different companies can have multiple
steamrollers and not do the same either, eh?

> There is no point in arguing with that kind of attitude,  they just
> start to think YOU are the brainwashed zealot.

As I always say, "I was hacking Windows NT before you even heard of
Windows for Workgroups."

> "Anything" is a bit strong, but close.

Oh, yeah -- thanx for catching that.  Not good.

> There is an exodus to GPL?  My general sense was the opposite.  Many GPL 
> projects seem to be making changes to be more BSD-ish friendly (unixODBC, 
> Asterisk, etc...)

It depends.  But there is a good movement by some projects to get to GPL
-- like WINE.

> The Pentagon isn't buying that either.  Despite Hollywood's portrayal of 
> them as warlocks in uniform,  they are a seriously smart and intellectually 
> rigorous bunch of chaps (and I suppose chapletts these days).  Listening 
> to them speak, or reading stuff they write, lets one understand how the
> military can rise to power in so many nations.  Compared to them most 
> congressmen are knee-jerk inarticulate ignorant bumblers.

I've known a number of mid-ranking officers with extensive educations in
my career at defense companies.  You're right, they are.

-- Bryan

-- 
The community has created the fastest, most standards-compliant
web browser with extensive popup, cookie and privacy management.
But all the IT media can talk about is how it renders MSIE-only
sites a bit rough even though MSIE on Mac cannot even view them!
----------------------------------------------------------------
Bryan J. Smith, SmithConcepts, Inc.    mailto:b.j.smith@ieee.org
Engineers and IT Professionals      http://www.SmithConcepts.com