TechSpot

Visiting Secunia PSI scanning for security updates

By BillAllen55
Jul 6, 2008
  1. I have used Secunia security update to scan for program update packages.
    In the last few visits (up until now) I've been successful in updating my security patches. Currently I'm struggling with a patch entitled 'zlib'.
    The first referenced 'unsafe' program is my 2003b version of ICQ. My other program showing as having an outdated version of the 'zlib' is the latest version of AOL 9.1. :-( When going to the listed download site to update the security patch, it provides me with a web page http://www.zlib.net/ which, after researching the website, I have concluded there is no way to find an update at this site. Can ANYONE help?
     
  2. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    Visiting Secunia PSI scanning for security updates

    Bump. I have used Secunia security update to scan for program update packages.
    In the last few visits (up until now) I've been successful in updating my security patches. Currently I'm struggling with a patch entitled 'zlib'.
    The first referenced 'unsafe' program is my 2003b version of ICQ. My other program showing as having an outdated version of the 'zlib' is the latest version of AOL 9.1. :-( When going to the listed download site to update the security patch, it provides me with a web page http://www.zlib.net/ which, after researching the website, I have concluded there is no way to find an update at this site. Can ANYONE help?
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The URL appears to be incorrect:

    The current release is publicly available here: http://zlib.net/

    NOTE: There is 'no' www.
     
  4. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    Secunia security update

    The corrected address (which I appreciate you researching) gives no more information as to how to update the zlib patch than what I found on the first website.
    I'm wondering what the zlib patch is all about? If this is something that I should concern myself with? Or is it better to put it to bed and stop spending time researching an elusive update?
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Bill, I have the Secunia program also. Keep in mind that it is still a Beta program. If the information can't be found for this process, I would do one of four things:

    1. Look for an update to the 2003b version of ICQ.
    2. Check Add/Remove Programs> uninstall
    3. Search your system for it and delete all files
    4. Ignore the Secunia find.
     
  6. jobeard

    jobeard TS Ambassador Posts: 9,343   +622

    ZLIB is a dynamically loaded library that is frequently embedded in OEM software.

    Searching my system, the only copy is associated with a Cygwin environment
    which has Python2.5 installed which I don't even use.

    Yes, zlib needs a patch; but if you don't load that dll, then who cares :)
     
  7. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    The point of my question was to learn if there was a process that I was missing in updating the zlib files that have been reported as being in need of security updates. The ICQ 2003b is used by the wife and is non negotiable as to changing the version of the program. (that was my initial thought to upgrade)
    The other program that is being reported as needing a security update is AOL 9.1 (which is as well a non negotiable program)
    Sure am going to miss my wife :) haha
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Current v9.1 of AOL is here: http://daol.aol.com/software/91

    Information on that here:
    AOL ICQ Pro 2003b heap overflow vulnerability:
    http://www.coresecurity.com/?action=item&id=1509

    Getting updates doesn't mean you change the program which you say is unacceptable. These updates are most often issued to plug a vulnerability in a program. However, be advised that many who did get the AOL v9.1 had problems with it and eventually removed it.

    http://journals.aol.com/websuiteblo...res-why-you-should-upgrade/324?numComment=all
     
  9. jobeard

    jobeard TS Ambassador Posts: 9,343   +622

    What do you mean 'non-negotiable'? You're licensed for a given copy, and usually
    any updates come free, but ZLIB is a DLL and loaded when your program begins.
    Any program needing ZLIB.DLL will not even know the change or update took place.
    However, there are some programs that embed zlib within their own module and that would require a total program update.

    Most of my exposure to zlib is through Unix, Linux, or such emulation and these have
    standard procedures for updates, eg: RPM package manager.
     
  10. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    Total program updates

    What I meant by non negotiable is that my wife will not entertain the idea of changing the version of her beloved 2003b ICQ. (thus the reference to missing my wife haha) The other reference to not being able to update AOL 9.1 is that I was advised by AOL there is no update available to address this dll issue.
    If you know of a process or where I might find an update for the zlib drivers for either or both programs that would be greatly appreciated. My frustration with this discussion is that most that reply seem to think this is not an issue worth considering and yet Secunia has listed two different occurrences (both referenced programs) as being worth being titled as being 'insecure' programs.
    Your thoughts?
     
  11. jobeard

    jobeard TS Ambassador Posts: 9,343   +622

    Well, it CAN BE an issue -- like all security issues, it's not a problem until YOU get hit.

    Sadly, ICQ and AOL will expose issues easily, so it would be worth the effort (imo)
    to look for a new zlib.dll.

    Step one: Where is it on your system?

    The most likely locations will be
    1. the directory where your program is stored (icq + aol)
    2. \windows
    3. \windows\system32

    If you can't locate it then -- it must be statically embedded in the programs and
    your 'non-negotiable' issue is in control :haha: :sadly:

    If you find one, get the properties and from that the version.

    Now google for just zlib.dll and find a copy that's at least +1 on the version
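
The two cases in the post above (a separate zlib.dll next to the program, or zlib embedded in the program itself) can both be checked by searching binaries for the version string that zlib's own source compiles into every build. This is an added example, not part of the original thread; the function names, the sample files and the 1.2.3 threshold are constructed for illustration, and the minimum version should be taken from the advisory being acted on.

```python
import re
import tempfile
from pathlib import Path

# deflate.c and inflate.c in zlib each define a copyright string that carries
# the library version, so it is present in zlib.dll and in any EXE that has
# zlib linked in statically.
ZLIB_MARK = re.compile(rb" (?:deflate|inflate) (\d+(?:\.\d+)+)\S* Copyright 1995-")

def version_key(version):
    """'1.2.3' -> (1, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def zlib_versions(data):
    """Set of zlib version strings found in a blob of bytes."""
    return {m.group(1).decode() for m in ZLIB_MARK.finditer(data)}

def scan_tree(root, min_version, suffixes=(".dll", ".exe", ".ocx")):
    """List (path, version, outdated) for binaries under root that contain zlib."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            data = path.read_bytes()
        except OSError:  # locked or unreadable file: skip it
            continue
        for version in sorted(zlib_versions(data), key=version_key):
            outdated = version_key(version) < version_key(min_version)
            findings.append((str(path), version, outdated))
    return findings

def demo():
    """Constructed sample tree; the 1.2.3 threshold is for the demo only."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "zlib.dll").write_bytes(
            b"MZ\x00 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly \x00"
            b" inflate 1.1.4 Copyright 1995-2002 Mark Adler \x00")
        (root / "client.exe").write_bytes(
            b"MZ\x00 inflate 1.2.3 Copyright 1995-2005 Mark Adler \x00")
        (root / "other.exe").write_bytes(b"MZ\x00 no compression code here")
        return [(Path(p).name, v, old) for p, v, old in scan_tree(root, "1.2.3")]

if __name__ == "__main__":
    for name, version, outdated in demo():
        print(name, version, "OUTDATED" if outdated else "ok")
```

Pointing `scan_tree` at a program's install directory shows whether the outdated copy is a replaceable DLL or is inside the executable, in which case only a vendor update of the whole program changes it.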
     
  12. BillAllen55

    BillAllen55 TS Maniac Topic Starter Posts: 368

    The Zlib driver was located.

    I located the zlib driver. Was able to determine the driver version. I went to google and downloaded the updated version. THAT much I have accomplished.

    I'm not clear as to what the next process should be?
    I initially thought your direction was to find the zlib.dll then determine what version would be needed as an update. Then to d/l the correct updated version and replace the new driver version with the old version in which Secunia was reporting as being insecure.
    Well guess what - this was done without success.
    updated version of the zlib replacing the current version of the zlib file.

    To further muddy the waters after replacing the zlib file in the listed program and then scanning the program with Secunia - Secunia is happy as a spotted dog in a mud puddle.(did not show there was any security issues with modified programs) Only problem is that the program will not engage with the new zlib file in place.
    When returning the program to its original zlib.dll version the program then will engage just as always.

    Your thoughts?
     
  13. jobeard

    jobeard TS Ambassador Posts: 9,343   +622

    LOL, :haha: just amazing. (not laughing AT you, but with you!)

    You just gotta love this stuff.

    may I suggest a (large frustration) hammer?

    man, you got me! can only suggest;
    1- get a different DL version
    2- punt :(
     
Topic Status:
Not open for further replies.
