Microsoft's borrowed code may pose risk

As reported earlier this week by CNET News.com, a flaw in the zlib software-compression library could leave much of the systems based on the open-source operating system Linux open to attack.

On Thursday, researchers reported that at least nine of Microsoft's major applications--including Microsoft Office, Internet Explorer, DirectX, Messenger and Front Page--appear to incorporate borrowed code from the compression library and could be vulnerable to a similar attack.

Microsoft representatives said that the software giant's security response team is investigating the zlib flaw and that some Microsoft applications use code from that compression library. However, the team hasn't yet determined which applications use the library and whether those applications are vulnerable.

"It's not a foregone conclusion that the applications are affected," a company representative said.

The zlib library has been a fundamental open-source software component for almost a decade and can be found in almost every Linux and Unix system. That means the so-called "double free" flaw in the library may leave a hefty portion of Linux and Unix systems open to attack. Because it adopted some of the code, Microsoft apparently has made itself vulnerable to the flaw as well.

Members of the open-source compression project, Gzip, have posted a list of nearly 600 applications that a detection program has flagged as using the zlib code. Eight Microsoft applications are included in the list: Microsoft DirectX 8, FrontPage, the next-generation Graphics Device Interface, Internet Explorer, Office, NetShow, Visual Studio and Messenger. The Windows InstallShield is also affected by the flaw.

The next-generation Graphics Device Interface is part of Windows XP, meaning that the operating system itself could be at risk.

The detection program uses three signature strings of code--and for in-depth searches, several more--found in the zlib software to determine if functions from the library are present in a specific program. For example, Microsoft's Direct X contains 18 error messages that are identical to those in zlib, said Jean-loup Gailly, the chief software architect for computer image recognition company Vision IQ and the co-creator of the zlib library.

"Microsoft is affected but may not be vulnerable," Gailly said. Depending on how the software giant wrote the other software libraries upon which zlib depends will determine whether the company's code is at risk, he added.

Companies that use code from the open-source community need to always vet the code for such insecurities, IDC analyst Dan Kusnetzky said.

"Some of the open-source products are quite well-tested and don't have very many vulnerabilities," he said. "Others aren't so well-tested, and so may have vulnerabilities that will embarrass the companies later." The zlib library's double-free flaw shows that even well-tested software can still fall prey to some of the more esoteric security problems, he added.

The license under which the zlib library is published on the Internet allows any company to use the code in any way it likes. Unlike the GNU General Public License, the library doesn't require that a company release its own source code in return.

Yet, the incident seemingly proves that Microsoft, despite dismissing open-source code publicly, has used software from others to create their own products.

This isn't the first time that Microsoft has included code from the open-source arena.

Some programmers have said that a technology, called the GS flag, which the software giant added to its newest compiler to prevent a common programming error, actually uses code from the open-source StackGuard project.

"It is debatable that Microsoft copied the StackGuard functionality," Crispin Cowan, chief scientist at server software firm Wirex Communications and the creator of StackGuard, wrote in a February e-mail to CNET News.com. "It is not debatable that the GS functionality is identical to...StackGuard."

Evidence uncovered last summer points to the Windows operating system borrowing some networking utilities and possibly parts of the TCP/IP stack, the core software that allows networking and Internet connectivity, from the open-source Unix variant FreeBSD.

Theo de Raadt, a founder and project leader for another open-source Unix variant, OpenBSD, stressed that no conclusive proof exists, however. "I have asked repeatedly and never gotten proof," he said.

Microsoft has never denied that it would use open-source software, just that its programmers are prohibited from using code based on the GNU General Public License, which could force the company to publish its own source code.

"The issue at hand is choice; companies and individuals should be able to choose either model, and we support this right," Craig Mundie, senior vice president of Microsoft, said last May. "(There) is a real problem in the licensing model that many open-source software products employ: the General Public License."

The zlib compression library doesn't use the GPL, however.

For the library, the only license requirement is that a copyright notice be included in the program source-code, if released. Microsoft, which rarely releases source code, didn't need to include the string in the company's programs, but zlib creator Gailly wishes the giant gave credit.

"It bothers me that they removed the zlib copyright string from some binary versions," he said. In the future, he added, new versions of the library may include such a requirement.