ZoneAlarm flaw isn't flaw in ZoneAlarm?
Pretender
July 9th, 2003, 05:49 PM
If you pay any attention to news about software or PC security, you've no doubt heard of a severe flaw discovered recently in the popular ZoneAlarm personal firewall. You may have heard that Zone Labs initially refused to fix this flaw in the free version of their software, saying that users would need to upgrade to the expensive Pro version to fix this issue. You may also have heard that Zone Labs has backpedaled and decided to address the issue after all.
Here is something that you may not have heard. Most of that is not true. Zone Labs is not telling people to upgrade to the pro version to fix this flaw. In fact, there is no flaw to be fixed.
This all started when someone posted a hypothetical password theft exploit to Bugtraq. In his hypothetical exploit, the person speaks of a rogue application running and stealing the user's passwords or credit card information.
Read rest of article: http://www.spywareinfoforum.com/articles/zonelabs/exploit_hoax.php
BlitzenZeus
July 9th, 2003, 06:16 PM
After whining by quite a few people, they are going to prevent the issue in the free version.
The issue is not ZA, it's a Windows exploit, in which a certain trojan would have to be installed at the same time. So the user lets a trojan on their system, and then it uses Windows exploits. In no way is this a ZA bug, but so many clueless newbies complained, along with bad PR, that they are going to add this feature to the free version.
Do you expect a packet filtering firewall to prevent a trojan the user let be installed by some means from running amok on the system with your Windows files? NO, this is why I think the issue is so stupid.
Mr.Blaze
July 9th, 2003, 07:32 PM
I'm a free junky, lol. Newbies bend them to our will, mwahaaaaaaaaaaaaaa.
Though I can't use the winky eye, need to allow active scripting, lol.
root
July 9th, 2003, 08:34 PM
The issue of whether it is a firewall problem or a Windows problem came up with the first leak tests published. I have always felt it was basically a design flaw in Windows that allows most leaks to work the way they do. In seeing what M$ has come up with, in Longhorn, to make their OS safer, I'm beginning to wish MS would let the 3rd party vendors take care of such issues.
I still believe there are even more "leak tests" to be revealed yet, and it is my understanding that for a firewall type application to properly protect against such exploits, it is going to be necessary to use a sandbox type approach. If firewall vendors keep applying patch after patch to plug leak after leak, soon all the firewalls are going to be the same patched mess M$'s OSs are.
What is going on is the equivalent to Electronic Countermeasures warfare. The good guys come up with a new technique, and the bad guys come up with something to counter it. Then the good guys counter that, and it goes on and on.
SSM has demonstrated the fact that a sandbox approach to dealing with most of the leak tests did not take re-inventing the electron. Although it is not perfect, I think with a few more refinements, it will demonstrate that a sandbox can be run on a home computer with minimum hassle and maximum security. I personally think that the firewall vendors should take a serious look at sandboxing if they want to be competitive in the future.
Getting on the computer and surfing the net should be a fun experience, or a safe learning experience for those that use it for education. I wonder when people are going to get tired of playing this game of I can break down your security, ha ha. Frankly, I'm getting bored with the whole mess and I doubt very much if someone is going to take the time and the effort involved to try to compromise my computer, and if they do, what have they gained? If you don't keep sensitive information on your computer, then no one is going to get it by any exploit.
The best firewall has been and always will be the brain. Use it and the results should be favorable. :D
LowWaterMark
July 9th, 2003, 09:22 PM
I agree, root. Powerful application controls or sandboxing is needed to prevent the exploiting of these Windows functions and features (aka. exploits). Most of the big name software firewalls have some amount of application control already integrated in them, but, as new exploit ideas occur to people, more powerful controls are needed to counter them.
In fact, when you think about the ShellExecute() function and what it can do, Zone Alarm has to actually increase the capabilities even within the ZAplus and ZAPro products to make them 100% effective...
Currently, the Advanced Program Control feature in the two pay Zone Alarm products can recognize and prevent (if the user answers 'No' to the alert) the calling of the default browser (or any program, really) from another program, as long as this call creates a new instance of the program and is not simply passed over to an already executing - and already approved for network access - copy of the program.
Catching the new instance works effectively because that is obviously how Zone Alarm's Program Control is implemented - it recognizes at the first attempt to access the network that the program was run as a child to another program. ZA alerts that the parent program is attempting to make the child program access the network on its behalf. This concept is easy to understand, I guess.
However, when a program is already running, and has been granted approval to access the network, Zone Alarm will obviously need to find a way to catch that another program is attempting to send it commands.
If you take a look at this thread at DSLR - Security Forum (http://www.dslreports.com/forum/remark,7209876~root=security,1~mode=flat) you see a simple test with the ShellExecute() function. Down a ways in that thread you'll see my sandbox activity log and the explanation of what's different in that log when IE is already running versus being started fresh. Basically, even Tiny Trojan Trap doesn't monitor on a granular enough level to actually catch the passing of the URL to an existing browser session. All it sees is a Create in-process COM object and control then passes over to the existing browser session at some low-level inside the OS that isn't being monitored.
It'll be very interesting to see how Zone Labs gets Zone Alarm to catch what's really going on and to prevent it until the user answers an alert. Since I'm not a Windows programmer, I have no idea how they'll trap this, but, if they do, then I'll be really happy because then my ZA+ and ZAP applications will be even more powerful than they are already.
Zone Alarm Free is obviously going to be given at least a portion of this Advanced Program Control capability, meaning whatever functions are needed to trap these calls. Or, perhaps the entire Program and Component Control functions will be put within ZAF, I don't know.
Of course, I have to wonder what is happening right now among some of the other software firewall vendors since many of them (though not all) are just as vulnerable as Zone Alarm. In fact, some of them don't even have code in place for trapping even the basic parent calling child to access the network... Should be interesting just how much advancement is going to occur in the software firewall world in these next weeks.
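A toy model of the two program-control cases described in the post above (a child program started fresh by a parent, versus a command handed to an already-running, already-approved instance). This is an added example, not code from the thread or from Zone Labs; the event names, the `watch_ipc` switch and the sample process tree are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Proc:
    pid: int
    name: str
    parent: Optional[int]
    approved: bool = False  # user already said 'Yes' to network access

@dataclass
class ProgramControl:
    """Minimal model of a software firewall's application control."""
    watch_ipc: bool = False          # assumption: whether cross-process commands are hooked
    procs: Dict[int, Proc] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def create(self, pid, name, parent=None, approved=False):
        self.procs[pid] = Proc(pid, name, parent, approved)

    def network_access(self, pid):
        """Case 1: a program opens a connection. A fresh child of another
        program is caught here, because the parent is visible at first use."""
        p = self.procs[pid]
        if p.approved:
            return "allow"
        parent = self.procs.get(p.parent) if p.parent is not None else None
        if parent is not None:
            self.alerts.append(f"{parent.name} launched {p.name} to access the network")
        else:
            self.alerts.append(f"{p.name} wants to access the network")
        return "alert"

    def send_command(self, src_pid, dst_pid, command):
        """Case 2: a program hands a command (e.g. a URL) to an instance that
        is already running and approved. Nothing new touches the network, so
        only an IPC hook gives program control a chance to ask the user."""
        src, dst = self.procs[src_pid], self.procs[dst_pid]
        if dst.approved and self.watch_ipc:
            self.alerts.append(f"{src.name} is sending '{command}' to running {dst.name}")
            return "alert"
        return "allow"  # passes straight through, unseen

def demo(watch_ipc):
    """Constructed scenario: a rogue program, a fresh browser, a running one."""
    pc = ProgramControl(watch_ipc=watch_ipc)
    pc.create(100, "rogue.exe")
    pc.create(200, "browser (new instance)", parent=100)
    pc.create(300, "browser (already running)", approved=True)
    fresh = pc.network_access(200)
    existing = pc.send_command(100, 300, "http://example.invalid/?data=...")
    return fresh, existing, len(pc.alerts)
```

With IPC unhooked the second case is simply allowed, which is the gap the post describes; hooking it turns the same event into an alert.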
Mr.Blaze
July 9th, 2003, 10:00 PM
lol, Longhorn, what's that? (Blaze puts a halo over his head) lol
LowWaterMark
July 9th, 2003, 10:17 PM
>> Longhorn, what's that?
Psst!! Blaze...
Mr.Blaze
July 9th, 2003, 10:52 PM
Is that the new Windows operating system I see there?
Must be the southern Windows version.
Hmmmm, looks insecure, kinda heavy and bloated.
It looks like it's by itself, means it doesn't get along with other programs.
It must be made by Microsoft, lol.
root
July 9th, 2003, 10:56 PM
Longhorn (http://www.winsupersite.com/faq/longhorn.asp)
Copyright ©2002 - 2012, Wilders Security Forums