
EO.Browser for WPF Application Options
bnymellon
Posted: Thursday, November 12, 2020 8:58:45 AM
Rank: Advanced Member
Groups: Member

Joined: 3/10/2020
Posts: 59
We are using the EOWebbrowser.net dlls to load web pages in a WPF application.
We have a security finding that the EO dll uses an older version of the zlib libraries.

We are using version 20.0.53.0 of the EO dlls. Can you please confirm whether you have an upgraded version which uses a non-vulnerable version of the zlib dll?
eo_support
Posted: Thursday, November 12, 2020 9:30:22 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,071
Hi,

Our DLLs do not depend on or use any unmanaged DLLs. We do automatically uncompress the browser engine code in memory, which might trigger the false alarm. So you can ignore this alert.

Thanks!
bnymellon
Posted: Monday, November 23, 2020 8:41:39 AM
Rank: Advanced Member
Groups: Member

Joined: 3/10/2020
Posts: 59
We worked with the security team and they provided us steps to recreate. From the below it appears that an older version of the zlib libraries is referenced in eowp.exe. Please advise.

Steps to Reproduce:
1. Install the EO application in Windows
2. Copy the entire application folder from Windows into Linux, OR install grep and strings for Windows
3. Run the following command inside the EO application folder:
   grep -r libpng .
4. Run strings on each of the results with the following command:
   strings <filename> | grep libpng
5. Observe the versions that are returned
6. Run the following command:
   for A in `grep -lr Mark\ Adler .`; do echo $A; strings $A | grep Adler; done
7. Observe the lines with the keywords deflate and inflate
8. Compare these lines to the zlib open source code

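The grep/strings procedure above can be scripted so it runs the same way on every build and produces a comparable result instead of eyeballed output. The following is an added example written for this thread, not code from Essential Objects or from the poster's security team. It looks for the same artifacts the procedure targets: the `deflate`/`inflate` copyright strings in which zlib embeds its version, the `libpng version` banner, and any mention of "Mark Adler". The minimum version `(1, 2, 11)` is an assumption taken from what the security team later asks for in this thread; the sample blob is constructed and is not data from eowp.exe.

```python
import os
import re
import sys
from typing import Iterator, List, Tuple

# zlib bakes its version into the deflate_copyright / inflate_copyright strings
# (" deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler ");
# libpng bakes it into its copyright banner. The patterns stay loose so that
# builds with slightly different spacing still match.
ZLIB_RE = re.compile(rb"\b(deflate|inflate) (\d+\.\d+(?:\.\d+){0,2}) Copyright")
LIBPNG_RE = re.compile(rb"libpng version (\d+\.\d+\.\d+)")
ADLER_RE = re.compile(rb"Mark Adler")

# Assumption: policy floor for zlib (the version the security team asks for later in the thread).
MIN_ZLIB = (1, 2, 11)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.8' -> (1, 2, 8) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def find_signatures(data: bytes) -> List[Tuple[str, str]]:
    """Return de-duplicated (library, version) pairs embedded in a binary blob."""
    found: List[Tuple[str, str]] = []
    for m in ZLIB_RE.finditer(data):
        found.append(("zlib", m.group(2).decode("ascii")))
    for m in LIBPNG_RE.finditer(data):
        found.append(("libpng", m.group(1).decode("ascii")))
    unique: List[Tuple[str, str]] = []
    for item in found:
        if item not in unique:
            unique.append(item)
    return unique


def outdated_zlib(signatures: List[Tuple[str, str]]) -> List[str]:
    """zlib versions below MIN_ZLIB; an empty list means nothing to flag."""
    return [v for lib, v in signatures if lib == "zlib" and parse_version(v) < MIN_ZLIB]


def scan_tree(root: str) -> Iterator[Tuple[str, List[Tuple[str, str]], bool]]:
    """Walk a directory (steps 3 and 6 of the procedure) and yield
    (path, signatures, mentions_mark_adler) for every file that matches."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or locked file: skip rather than abort the scan
            sigs = find_signatures(data)
            adler = ADLER_RE.search(data) is not None
            if sigs or adler:
                yield path, sigs, adler


# Constructed sample standing in for the bytes of an executable; it is not
# taken from eowp.exe or any real EO binary.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b" deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler \x00"
    + b"\x90" * 8
    + b" inflate 1.2.8 Copyright 1995-2013 Mark Adler \x00"
    + b"libpng version 1.6.37 - April 14, 2019\x00"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_zlib.py <application folder>
        for path, sigs, adler in scan_tree(sys.argv[1]):
            flag = " OUTDATED zlib" if outdated_zlib(sigs) else ""
            print(f"{path}: {sigs} adler={adler}{flag}")
    else:
        sigs = find_signatures(SAMPLE_BLOB)
        print(sigs, "outdated:", outdated_zlib(sigs))
```

A hit only tells you which zlib source version the copyright strings came from; it does not tell you whether the code is reachable with attacker-controlled input, which is the point the vendor argues in the replies that follow. Treat the output as the starting point of the conversation, not as the finding itself.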
eo_support
Posted: Monday, November 23, 2020 10:32:25 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,071
Hi,

Thanks for the additional information. We do have code that is based on the open source zlib's source code, which is why you see some "signatures" of zlib in our code. However:

1. We do NOT directly reference a specific version of zlib;
2. The unzip code we use is for unzipping the embedded browser engine code only. No other input is used by that code;

We will review and update this portion of code in our next release, which should be available in January.

Thanks!
bnymellon
Posted: Monday, January 11, 2021 7:36:03 AM
Rank: Advanced Member
Groups: Member

Joined: 3/10/2020
Posts: 59
Can you please let us know the release date in January.

Thanks
eo_support
Posted: Monday, January 11, 2021 10:16:51 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,071
Hi,

We have already reviewed and updated this part in our current build. Please keep in mind that you cannot simply search for some signatures to conclude that the version used is not secure. After our review, we have identified two places where zlib-based code is used, and both have been updated.

1. When we dynamically unzip and load the browser engine code as previously mentioned;
2. Our product is based on Google's Chromium project, and Chromium also uses zlib:

https://source.chromium.org/chromium/chromium/src/+/master:third_party/zlib/

As a result, you will always find zlib signatures in the final binary. We expect to update this again in the future to stay up to date with newer versions.

Thanks!
bnymellon
Posted: Friday, February 5, 2021 6:47:36 AM
Rank: Advanced Member
Groups: Member

Joined: 3/10/2020
Posts: 59
We discussed this item with our internal security review team and we need to know the explanation for having the entry C:\Development\OpenSource\zlib-1.2.8\contrib\vstudio\vc11\x86\ZlibDllRelease\zlibwapi.pdb in eowp.exe. As stated in this post, this may not be a direct reference from the EO assemblies and may be part of Chromium.
Requesting you to confirm that the entry in eowp.exe is not part of the Essential Objects executable and that it corresponds to Chromium.

To recreate the issue:
1. Unzip "eowp.exe" using the 7-Zip app
2. Open the .data file in Notepad
3. Search for zlib

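The path the security team found is the payload of a CodeView "RSDS" record, the debug-directory entry a Windows linker writes so a debugger can locate the matching PDB. The following is an added example for this thread, not code from Essential Objects; it carves RSDS records out of raw bytes (so it works on a section extracted with 7-Zip as well as on the whole executable) and, separately, looks for DLL file names containing "zlib", which is a cheap stand-in for walking the PE import directory: a statically embedded copy of the zlib code leaves a PDB path but no such import name. The sample bytes, the GUID and the age value are constructed; only the path string is the one quoted in the post above.

```python
import re
import struct
import uuid
from typing import List, NamedTuple


class CodeViewRecord(NamedTuple):
    offset: int     # byte offset of the record in the scanned data
    guid: str       # PDB signature GUID
    age: int        # PDB age counter
    pdb_path: str   # path the linker recorded, as-is


RSDS_MAGIC = b"RSDS"
# A CodeView "RSDS" record is: 4-byte magic, 16-byte GUID, uint32 age (LE), NUL-terminated path.
RSDS_HEADER_LEN = 4 + 16 + 4


def carve_rsds(data: bytes) -> List[CodeViewRecord]:
    """Find RSDS records by scanning raw bytes rather than parsing PE headers."""
    records: List[CodeViewRecord] = []
    pos = data.find(RSDS_MAGIC)
    while pos != -1:
        if pos + RSDS_HEADER_LEN <= len(data):
            guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
            (age,) = struct.unpack_from("<I", data, pos + 20)
            end = data.find(b"\x00", pos + RSDS_HEADER_LEN)
            if end != -1:
                raw_path = data[pos + RSDS_HEADER_LEN:end]
                try:
                    path = raw_path.decode("ascii")
                except UnicodeDecodeError:
                    path = ""
                # Only accept records whose payload looks like a PDB path;
                # the four bytes "RSDS" can also occur by chance in code or data.
                if path.lower().endswith(".pdb"):
                    records.append(CodeViewRecord(pos, str(guid), age, path))
        pos = data.find(RSDS_MAGIC, pos + 1)
    return records


DLL_NAME_RE = re.compile(rb"(?i)[a-z0-9_\-]*zlib[a-z0-9_\-]*\.dll")


def zlib_dll_names(data: bytes) -> List[str]:
    """DLL file names containing 'zlib', lower-cased and de-duplicated.
    Heuristic only: confirm a real hit against the PE import directory."""
    names: List[str] = []
    for m in DLL_NAME_RE.finditer(data):
        name = m.group(0).decode("ascii").lower()
        if name not in names:
            names.append(name)
    return names


def classify(data: bytes) -> dict:
    """Separate 'a debug path mentions zlib' from 'a zlib DLL name is present'."""
    records = carve_rsds(data)
    return {
        "pdb_paths": [r.pdb_path for r in records],
        "zlib_pdb_paths": [r.pdb_path for r in records if "zlib" in r.pdb_path.lower()],
        "zlib_dlls": zlib_dll_names(data),
    }


# Constructed sample: a fake .data section carrying an RSDS record with the
# path quoted in the thread. GUID and age are made up; nothing here is copied
# from eowp.exe.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SAMPLE_PDB_PATH = (
    r"C:\Development\OpenSource\zlib-1.2.8\contrib\vstudio\vc11\x86"
    r"\ZlibDllRelease\zlibwapi.pdb"
)
SAMPLE_DATA = (
    b"\x00" * 32
    + RSDS_MAGIC
    + SAMPLE_GUID.bytes_le
    + struct.pack("<I", 3)
    + SAMPLE_PDB_PATH.encode("ascii") + b"\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for key, value in classify(SAMPLE_DATA).items():
        print(f"{key}: {value}")
```

On the constructed sample the result is one zlib PDB path and no zlib DLL name, which is the pattern you would expect from zlib source compiled into the executable rather than loaded from zlibwapi.dll. The PDB path still records which zlib source tree the build came from, so it is evidence of version, just not of dynamic linking.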
eo_support
Posted: Friday, February 5, 2021 12:05:29 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,071
Hi,

eowp.exe is not part of Chromium; it is a part of our product. We use eowp.exe to start the child process. However, you do not have to use or distribute eowp.exe. When eowp.exe is not used, our library uses the Windows system file rundll32.exe to start the child process.

As we have already explained in our previous reply, there are two places where zlib-based code is used: one is when we load the browser engine code (Chromium) and the other is in the Chromium engine itself. The version Chromium uses is based on zlib 1.2.11. The version we use is based on zlib 1.2.8, which is slightly older. This is the one in eowp.exe. However, we do not directly link to zlib; instead we use code modified from their code. The pdb file you see is the internal debug information embedded inside the executable file to aid debugging in the dev environment. It does not mean we are linked to an external zlib DLL directly. We did update the zlib codebase since the early version is based on an older version.

Thanks!
bnymellon
Posted: Monday, February 15, 2021 5:13:48 AM
Rank: Advanced Member
Groups: Member

Joined: 3/10/2020
Posts: 59
We discussed using zlib libraries with our security team again and they updated us that there are vulnerabilities in zlib 1.2.8 as listed in the link below. To mitigate these vulnerabilities they requested us to either upgrade the version to 1.2.11 or provide us the evidence (which can be the modified code snippet that you mentioned before) that eowp.exe and the zlib libraries (used within eowp) are NOT directly linked.

https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1820/version_id-214474/GNU-Zlib-1.2.8.html
eo_support
Posted: Tuesday, February 16, 2021 10:10:37 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,071
Hi,

We have already told you multiple times why we believe our product is safe, because:

1. We DO NOT expose any zlib routines to any external code. The only place this is used is to unzip the compressed code inside our DLL, and none of this data or these routines is exposed anywhere;
2. Nor is the zlib DLL directly linked to our code, as the unzip code is embedded inside eowp.exe, as evidenced by the fact that you do not see a zlib.dll anywhere;

We believe the fact that your security team concludes that the code is not secure merely because we have debug information embedded inside our executable is not only highly invasive but also extremely questionable.

As always, we will constantly move along to update to newer versions (most likely we will update to 1.2.11 in our next major update in the summer). But in the meantime, I am afraid there isn't much else we can tell you.

Thanks!
eo_support
Posted: Wednesday, February 17, 2021 2:01:46 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,071
Hi,

This is just to let you know that we have posted build 21.0.32, which updates eowp.exe to be based on zlib 1.2.11.

Thanks!