Multiple Linux, Microsoft products affected by zlib flaw A variety of Linux distributions and even some Microsoft...
products are potentially threatened by a flaw in the zlib data-compression library, Danish security firm Secunia said in an advisory. Attackers could exploit the security hole to cause a denial of service or launch malicious code.
"The vulnerability is caused due to a boundary error in 'inftrees.c' when handling corrupted compressed data streams," Secunia said. "This can be exploited to crash any application that uses the zlib library, or potentially to execute arbitrary code with privileges of the vulnerable application."
Secunia confirmed the flaw in version 1.2.2 and said earlier versions may also be affected. Several Linux distributions -- Red Hat, Gentoo, SUSE, Debian, FreeBSD and Ubuntu -- have already updated their programs.
Microsoft products implementing zlib include DirectX, FrontPage, Internet Explorer, Office, Visual Studio and Windows Messenger.
Microsoft outlines workarounds for new IE flaw
Microsoft has recommended some workarounds to guard against a new vulnerability in Internet Explorer.
The problem, reported by Vienna-based SEC Consult, is that Internet Explorer doesn't properly instantiate the javaprxy.dll COM object. Malicious Web sites can exploit this to corrupt memory on vulnerable machines. Attackers could also use the flaw to launch malicious code.
Danish Security firm Secunia has rated the vulnerability "extremely critical" because exploit code is publicly available "The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0, Microsoft VM (virtual machine) build 3802 and Microsoft Windows XP SP2," Secunia said in an advisory. "Internet Explorer 5.01 and 5.5 is reportedly also affected."
Microsoft recommends users set their Internet and local intranet security zone settings to "High." Users can also unregister, disable or restrict access to the javaprxy.dll COM object, though this could affect functionality.
At this point, Microsoft said, "We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time, but we are aggressively investigating the public report."
This article originally appeared on SearchSecurity.com.