Logo
My Account |  Site Map | Contact Us  
Welcome Guest Search | Active Topics | Sign In | Register

EO.Browser for WPF Application Options
bnymellon
Posted: Thursday, November 12, 2020 8:58:45 AM
Rank: Member
Groups: Member

Joined: 3/10/2020
Posts: 24
We are using the EOWebbrowser.net dlls to load web pages in WPF application.
We have a security finding the EO dll uses lower version zlib libraries.

We are using 20.0.53.0 versions of the EO dlls. Can you please confirm if you have upgraded version which uses non-vulnerable version of zlib dll.
eo_support
Posted: Thursday, November 12, 2020 9:30:22 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 22,966
Hi,

Our DLLs does not depends or use any unmanaged DLLs. We do automatically uncompress the browser engine code in memory, which might triggers the false alarm. So you can ignore this alert.

Thanks!
bnymellon
Posted: Monday, November 23, 2020 8:41:39 AM
Rank: Member
Groups: Member

Joined: 3/10/2020
Posts: 24
We worked with the security team and they provided us steps to recreate. From the below it appears the older version of zlib libraries are referred in eowp.exe. Please advise.

Steps to Reproduce:
1. Install EO application in windows
2. Copy the entire application folder from
Windows into Linux, OR install grep and strings
for Windows
3. Run the following command inside the EO
application
grep -r libpng .
4. run strings on each of the results with the
following command
cat <filename>| grep libpng
5. Observe the versions that are returned
6. Run the following command
for A in `grep -lr Mark\ Adler`; do echo $A;
strings $A | grep Adler; done ;
7. Observe the line with the keywords deflate and
inflate
8. Compare these lines to the zlib opensource code

eo_support
Posted: Monday, November 23, 2020 10:32:25 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 22,966
Hi,

Thanks for the additional information. We do have code that are based on open source zlib's source code, that's why you see some "signatures" of zlib in our code. However:

1. We do NOT directly reference a specific version of zlib;
2. The unzip code we use are for unziping embedded browser engine code only. No other input are used by that code;

We will review and update this portion of code in our next release, which should be available in January.

Thanks!
bnymellon
Posted: Monday, January 11, 2021 7:36:03 AM
Rank: Member
Groups: Member

Joined: 3/10/2020
Posts: 24
Can you please let us know the release date in January.

Thanks
eo_support
Posted: Monday, January 11, 2021 10:16:51 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 22,966
Hi,

We have already reviewed and updated this part in our current build. Please keep in mind that you can not simply search for some signatures to conclude that the version used is not secure. After our review, we have concluded two places where zlib based code are used and both have been updated.

1. When we dynamically unzip and load the browser engine code as previously mentioned;
2. Our product is based on Google's Chromium project, and Chromium also uses zlib:

https://source.chromium.org/chromium/chromium/src/+/master:third_party/zlib/

As a result, you will always find zlib signatures in the final binary. We expect to update this again in the future to stay up to date with newer versions.

Thanks!
bnymellon
Posted: Friday, February 5, 2021 6:47:36 AM
Rank: Member
Groups: Member

Joined: 3/10/2020
Posts: 24
We discussed this item with our internal security review team and we need to know the explanation for having the the entry C:\Development\OpenSource\zlib-1.2.8\contrib\vstudio\vc11\x86\ZlibDllRelease\zlibwapi.pdb in eowp.exe. As stated in this post, this may not be the direct reference from eo assemblies and may be part of Chromium.
Requesting you to confirm the entry in eowp.exe is not part of essential objects executable and it corresponds to Chromium .

To recreate the issue,
1. Unzip the "eowp.exe" using 7zip app
2. Open .data file in notepad
3. Search for zlib.

eo_support
Posted: Friday, February 5, 2021 12:05:29 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 22,966
Hi,

eowp.exe is not part of Chromium, it is a part of our product. We use eowp.exe to start child process. However you do not have to use or distribute eowp.exe. When eowp.exe is not used, our library uses Window's system file rundll32.exe to start child process.

As we have already explained in our previous reply, there are two places zlib based code are used: one is when we load browser engine code (chromium) and the other is in the chromium engine itself. The version Chromium uses is based on zlib 1.2.11. The version we use is based on zlib 1.2.8, which is slightly older. This is the one in eowp.exe. However we do not directly link to zlib, instead we use code modified based on their code. The pdb file you see is the internal debug information embedded inside the executable file to aid debug in dev environment. It does not mean we are linked to an external zlib DLL directly. We did update the zlib codebase since early version is based on an older version.

Thanks!
bnymellon
Posted: Monday, February 15, 2021 5:13:48 AM
Rank: Member
Groups: Member

Joined: 3/10/2020
Posts: 24
We discussed using zlib libraries with our security team again and they updated us that they are vulnerabilities in zlib 1.2.8 as listed in the link below. To mitigate these vulnerabilities they requested us to either upgrade the version to 1.2.11 or provide us the evidence (can be the modified code snippet that you mentioned before) that eowp.exe and the zlib libraries (used within eowp) is NOT directly linked.

https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1820/version_id-214474/GNU-Zlib-1.2.8.html
eo_support
Posted: Tuesday, February 16, 2021 10:10:37 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 22,966
Hi,

We have already told you multiple times about why we believe our product is safe because:

1. We DO NOT expose any zlib routines to any external code. The only place this is used is to unzip the compressed code inside our DLL and none of these data or routine is exposed anywhere;
2. Nor that the zlib DLL is directly linked to our code as the unzip code are embeded inside eowp.exe, as evident that you do not see a zlib.dll anywhere;

We believe the fact that your security team concludes that the code is not secure merely because we have debug information embedded inside our executable is not only highly invasive but also extremely questionable.

As always, we will be constantly move along to update to newer versions (most likely we will update to 1.2.11 in our next major update in the summer). But in the mean time I am afraid there isn't much else we can tell you.

Thanks!
eo_support
Posted: Wednesday, February 17, 2021 2:01:46 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 22,966
Hi,

This is just to let you know that we have posted build 21.0.32 that updated eowp.exe to be based on zlib 1.2.11.

Thanks!


You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.