InstallShield and the zlib security flaw



Tim Owers
07-14-2005, 06:36 AM
InstallShield is mentioned in numerous articles released since 06-July-05 relating to the zlib (http://www.zlib.net) security flaw.
Has or can InstallShield comment on this?

http://www.eweek.com/article2/0%2C1895%2C1834632%2C00.asp

MichaelU
07-14-2005, 10:09 AM
This should not be taken as an official response; it instead comes from my personal understandings (and misunderstandings) of security issues in general. This represents my personal views and not necessarily those of my employer.

I wouldn't be too worried about InstallShield (the setup authoring program) or the setups it creates. Here's why: Normal zlib data doesn't cause problems. In order to potentially exploit the vulnerability in zlib, one has to specially craft the item. InstallShield operates with files you trust. Whether it's the authoring (you know where every file came from), or the installing (you've decided to trust a program called setup.exe because you trust its source), it's a known quantity.

Where the zlib vulnerability has the potential to be a problem is when you're working with data you don't trust, yet are used to it being harmless. Untrusted data is really common in web browsing and email attachments. Images and Word Documents and many other data files used to be thought of as harmless. F/OSS developers tend to be very proactive about avoiding these problems, so they make it easy to infer a greater risk than necessarily applies to a given situation.

So is it good to be aware of the zlib vulnerability? Yes. If InstallShield is vulnerable (I don't know myself), would it be good for us to address this? Sure. Would I be worried about some malicious computer user out there using InstallShield 11 to take control of my machine? Not at all.
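
The trust-boundary point above, illustrated with an added example that is not from this thread, from InstallShield or from zlib itself: a Python helper that treats a zlib stream as untrusted input, bounding how much it may inflate, converting malformed or truncated streams into one error type, and exposing the zlib version the process is actually linked against so it can be compared with the vendor's patched release (the thread does not name that release, so none is hard-coded). All inputs in `demo()` are constructed.

```python
import zlib


class UntrustedStreamError(Exception):
    """A zlib stream was malformed, truncated, or exceeded the output cap."""


def linked_zlib_version() -> str:
    """zlib version this process links at runtime; compare it with the vendor's
    patched release (the thread does not name it, so none is hard-coded)."""
    return zlib.ZLIB_RUNTIME_VERSION


def inflate_bounded(data: bytes, max_out: int, chunk: int = 4096) -> bytes:
    """Inflate zlib data from an untrusted source, draining output in bounded
    pieces so a crafted stream cannot force a large allocation before the cap
    check; malformed input is reported as UntrustedStreamError."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    try:
        while not d.eof:
            before = len(pending)
            piece = d.decompress(pending, chunk)
            pending = d.unconsumed_tail
            if not piece and len(pending) == before and not d.eof:
                raise UntrustedStreamError("truncated or stalled stream")
            out += piece
            if len(out) > max_out:
                raise UntrustedStreamError("decompressed output exceeds cap")
    except zlib.error as exc:
        raise UntrustedStreamError(f"malformed stream: {exc}") from None
    return bytes(out)


def demo() -> dict:
    """Constructed inputs (not from the thread) covering each outcome."""
    payload = b"file contents you authored " * 500
    trusted = zlib.compress(payload)             # from a source you trust
    cases = {"trusted": trusted,
             "bomb": zlib.compress(b"\0" * (16 << 20)),  # ~16 KB in, 16 MB out
             "garbage": b"not a zlib stream",
             "truncated": trusted[: len(trusted) // 2]}
    results = {}
    for name, blob in cases.items():
        try:
            results[name] = inflate_bounded(blob, max_out=1 << 20) == payload
        except UntrustedStreamError:
            results[name] = "rejected"
    return results
```

Only the stream from a source you trust inflates; the oversize, garbage and cut-off streams are all refused before they can do harm.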

Tim Owers
07-14-2005, 10:37 AM
Michael,

Thank you for taking the time to reply and for your reassurances.
I would suggest though, that Rick Harold (being CTO) really ought to make an official comment via InstallShield's web site. After all, word is spreading fast about the apparent enormity of the situation and how quickly companies such as Microsoft respond to the situation. The following was issued by Microsoft...

"Microsoft is investigating new public reports of a possible vulnerability in Zlib, a widely used data compression library that may impact some Microsoft products. At this time, Microsoft is not aware of any malicious attacks attempting to exploit the reported vulnerabilities, but we are aggressively investigating the public reports."...so it would seem appropriate for a company with a user base as large as InstallShield's to follow suit.

Regards,
Tim Owers.