Here's the response I got from Sygate support about the loopback.


notageek
October 30th, 2003, 10:38 PM
I thought this needed its own post rather than using another post that's already been opened about Sygate. I sent an email about the loopback problem to Sygate support and asked if they were going to fix the problem. Here's the response they gave me. Take it for what it's worth. ;)

Dear Customer,

This issue has been filled and is currently being reviewed. They are
addressing this issue but there is not a definite date for a release
that this issue will be fixed. However I can assure that it is being
reviewed and not ignored. Thank you.


Edit: took off the must read. :)

JayK
October 31st, 2003, 05:34 AM
What's so interesting that makes this a "must read" ? Anyone could have predicted this response, no offence intended.

notageek
October 31st, 2003, 08:41 AM
Sorry let me put it another way. Must read if you care about this problem. You said "Anyone could have predicted this response" but as I've seen it this question has been asked all over and no one, I mean no one, predicted anything. This question was asked at the Sygate forum and there was no predicted answer. If anyone could have predicted this answer then why didn't someone just predict it and save me a lot of time emailing Sygate and asking them. Maybe I should have called Miss Cleo. ;) LOL Not offended, just stating something.

manythanks
October 31st, 2003, 10:36 AM
But this is a serious security problem, the response should be "YES THE PROBLEM WILL BE FIXED IN THE NEXT RELEASE" not "well the problem is noted but not sure which year the fix will be". No more, I for one have had enough - fix it now or if they WON'T then I'll use another company.

Thanks

notageek
October 31st, 2003, 10:48 AM
I was hoping they would have fixed it when they put out the last release but nope.

spm
October 31st, 2003, 11:07 AM
-{ Quote (notageek): "This issue has been filled and is currently being reviewed. They are
addressing this issue but there is not a definite date for a release
that this issue will be fixed. However I can assure that it is being
reviewed and not ignored. Thank you." }-
I'm afraid this response was not only predictable, but also a load of baloney. I received an e-mail from Sygate about a year ago now in response to the same question, when SPF Pro was at version 5.0. Then, they said that to fix the local proxy issue would require a redesign of SPF and it would "therefore have to wait until version 5.1".

Well, 5.1 came and went. Now the same with 5.5. Draw your own conclusions. I stopped using SPF ages ago.

notageek
October 31st, 2003, 11:14 AM
I think maybe it was an automatic email they sent me, cuz a friend of mine emailed and got the same response.

ssjx
October 31st, 2003, 11:17 AM
How long have they known about this problem?

It's a shame they don't fix it because it's the only problem I know of in an otherwise good firewall. (Apart from a few small GUI glitches in 5.5)

notageek
October 31st, 2003, 11:24 AM
Well I sent an email about it about 6 months ago but I don't know how long they knew about it.

JayK
October 31st, 2003, 12:03 PM
-{ Quote (notageek): "Sorry let me put it another way. Must read if you care about this problem." }-

LOL, an automated email that vaguely says we'll sit on it until we are ready, yes, a "must-read" as your subject says .. yes Totally unpredictable, what a shock..

-{ Quote (notageek): "I think maybe it was an automatic email they sent me, cuz a friend of mine emailed and got the same response." }-

-{ Quote: "If anyone could have predicted this answer then why didn't someone just predict it and save me a lot of time emailing Sygate and asking them." }-

Yes given that you already knew about the earlier email, you clearly could have saved yourself a lot of time. Not that it was a lot of time wasted.

I'm just objecting to the "must read" part. This thread is totally without information value whatsoever (unless you don't know about the problem maybe).

Edit: fixed quote tags. CrazyM

TAG97
November 1st, 2003, 05:47 AM
Well, here's what I believe. Sygate is pretty close to a final release. I think there will be one more beta and it will deal with the loopback issue. They must believe that the loopback would never be exploited and it looks like to me they were right. I've never seen a post in any forum I've been in where a Sygate user was exploited by the loopback issue. So if someone could direct me to some posts in any forum about a Sygate user being exploited by this so-called "Fatal Flaw" I would greatly appreciate it ::)
Best Regards
Tim

manythanks
November 1st, 2003, 05:56 AM
Come to think of it, this exploit is only theory and seeing as the vast majority of people who use SPF and proxies know what they are doing anyway.

Thanks

JayK
November 1st, 2003, 05:59 AM
-{ Quote (manythanks): "Come to think of it, this exploit is only theory and seeing as the vast majority of people who use SPF and proxies know what they are doing anyway.

Thanks" }-

Theory? Given the fact that lots of people are *SO* concerned (overly IMVHO) about leaktests, this exploit will shake their world. If you don't care about outwards filtering, it's no big deal of course.

notageek
November 1st, 2003, 01:25 PM
I have to agree with JayK on this one.

I would like to add a comment to what Tag said. Tag said "They must believe that the loopback would never be exploited and it looks like to me they were right". You know that there are programs that can be downloaded and sometimes go out on the net and call home. If Sygate doesn't pick that up while someone is using a proxy then that program is calling home and exploiting the loopback hole in Sygate. I for one have never seen this happen on my computer but I'm sure it could and might have been done. No one is going to know if one of their programs that's running in the background is calling home if it goes through the loopback hole a proxy and Sygate create. Just a little thing to think about. :)

TAG97
November 1st, 2003, 03:04 PM
-{ Quote (notageek): "I have to agree with JayK on this one.

I would like to add a comment to what Tag said. Tag said "They must believe that the loopback would never be exploited and it looks like to me they were right". You know that there are programs that can be downloaded and sometimes go out on the net and call home. If Sygate doesn't pick that up while someone is using a proxy then that program is calling home and exploiting the loopback hole in Sygate. I for one have never seen this happen on my computer but I'm sure it could and might have been done. No one is going to know if one of their programs that's running in the background is calling home if it goes through the loopback hole a proxy and Sygate create. Just a little thing to think about. :)" }-

I took this response from a moderator at Sygate, whom by the way I have a lot of respect for.

"Without a scientific analysis, I'd guess that the majority of trojans and worms that attempt outbound connections do so directly - that is, they wouldn't bother checking for a local proxy.
- Trojans that do hook into a legit app that is configured for proxy use (eg IE) will get caught by SPF's DLL Authentication feature
- Trojans that directly inject (so as to avoid the need for loading a DLL) a "trusted" app such as IE, will generally do so in a manner that causes IE to attempt a direct connection (ie not use the proxy), at which point SPF will alert you that IE is attempting to access the internet. (Which, if you are setup to use a local proxy, should ring large alarm bells.)"

Cam

What do you think of that Theory? Please respond to his answer only.
Agree? Disagree?
Regards
Tim

manythanks
November 1st, 2003, 03:36 PM
Maybe this whole issue has been overhyped without any real solid proof that the firewall could be breached in this manner, maybe when Mr Gibson started to develop the Leak Tester he - Ste Gibson opened a whole can of worms without investigating the whole picture/truth, maybe Sygate know this and this is the reason for the lack of action regarding the loop-back issue, but as an extra precaution they built Anti Application Hijacking into the firewall. The other question I will ask is the anti application hijacking more secure than the loop-back issue being fixed.

Thanks

notageek
November 1st, 2003, 04:18 PM
I agree with that totally but I'm sure there are people that can make trojans that can exploit the loopback problem. The only problem with the DLL Authentication feature is that it flags a lot of other programs as possible DLL injections.

Just to put this out there so someone doesn't think I'm slamming Sygate. I think Sygate is a good firewall. I would and do tell people that don't use proxies to use it over ZA (most of the time). I just find that this loopback can be exploited and feel it's a threat but as I said before you can use Sygate and SSM together to make a lesser chance of any one program exploiting the loopback problem. A lot of people (mainly people running 98 with low mem) don't want a lot of programs running in the background. I for one have XP and have a lot of mem and don't want a lot of stuff taking over my system tray. But I do use SSM and a firewall.

manythanks
November 1st, 2003, 05:03 PM
I agree Sygate Personal Firewall is excellent for the job it is intended to do, but if SPF flags programs as possible DLL exploits it only adds to the security.

Thanks

sig
November 1st, 2003, 05:52 PM
Hmn....well one of the deals about securing a system (and allowing user control of what goes out) includes redundancy. And closing the known potential loopback "leak" would seem to be a good idea. For those who want program control, not just against potential Trojans.

Not knocking Sygate since there are many "advanced" users who use it, like it, but still would like this issue addressed. (Even if they don't consider it a deal breaker kind of problem.) And this issue has been around for years. ZA +/Pro provide both program component control and don't have the loopback issue. ZA (free) doesn't have the loopback issue either. I don't know what's involved in "fixing" the issue for Sygate, but the issue's been on the table for some time and (if my recollection is correct) Sygate's been saying it would address it for a long time and still hasn't. It seems something fairly basic that should be addressed for those who prefer to control such things.

Anyway, I appreciate the thread simply because I've only been on the periphery and not closely following Sygate development and appreciate seeing Sygate's recent response, although it's not radically different from what they've said before. When a new version comes out, someone always asks about this.

I use a local proxy and I know how many legit programs I have use IE to connect to the net. I want the firewall to tell me when they're trying to do that through the local proxy and let me decide if I want them to or not. That's just my preference.

manythanks
November 1st, 2003, 06:07 PM
I like that statement, I was about to go soft on Sygate and say "it's not that bad" but OH yes it is, this needs to be fixed if you use a proxy with Sygate, but I ask the question again, are Sygate trying to address the issue of the loop-back problem by inserting Anti Application Hijacking.

Thanks

SpaceCowboy
November 2nd, 2003, 03:01 AM
-{ Quote (manythanks): "are Sygate trying to address the issue of the loop-back problem by inserting Anti Application Hijacking.

Thanks" }-
Not sure if I understand your question but NO, Anti Application Hijacking will not do anything to stop applications from getting out using the local proxy.

Phant0m
November 2nd, 2003, 03:41 AM
I don’t use Sygate, and I don’t visit the official forum and I haven’t read any topics about Sygate Loopback issues until this topic, so forgive me for my ignorance. Correct me if I’m wrong but how this Loopback issue works is when running a proxy server using IE Environments a lot of regular software such as Updater Systems doesn’t get seen as making a connection to the outside, instead the proxy server application acting as middle-man is what gets seen by Sygate making the connection attempts to the outside?

CrazyM
November 2nd, 2003, 04:11 AM
Hi Phant0m``

Yes, anything configured to access the Internet via a proxy program through localhost (such as IE through Proxomitron), would not be seen by Sygate. In the IE example, you would have to have allow rules for Proxo, but not for IE.

So anyone who is concerned about application control and uses a proxy program with Sygate, should be aware that localhost traffic is not filtered.

Regards,

CrazyM

Phant0m
November 2nd, 2003, 04:28 AM
Hey CrazyM

That’s what I thought, thanks!

I obviously see a problem then, correct me if I’m wrong but anyone using something like Proxomitron most likely has it authorized in their firewall's Application Filtering List for initiating connections to remote machines with destination port 80tcp to any IP destination. And so using SpywareGuard LiveUpdate for an example, which relies on IE Environments, it could easily be commandeered to access outside resources without being stopped by the user's Sygate Firewall.

manythanks
November 2nd, 2003, 05:31 AM
"not sure if i understand your question but NO, Anti Application Hijacking will not do anything to stop applications from getting out using the local proxy".

If a program like Proxomitron is given access to the internet using SPF and a bad program tries to access the internet it gets access through the loop-back exploit. If using ZA the program is stopped and the user is asked for access permission, but not with Sygate. If Sygate has anti application hijacking it will notify the user of any changes to programs.

Thanks

ellison64
November 3rd, 2003, 04:35 PM
The loopback problem is a serious one in my opinion, because as other posters have noticed many apps can get through using the proxy. AVG's aginet.exe updater is another example and many others. I also believe that the reason it's not been rectified in Sygate's firewall is that it would take a major overhaul of the firewall engine to correct it. My reason for believing this is that if it were not so, they would have corrected it by now. To state that there's no risk or proven risk, and that's why they haven't implemented it, is a rather weak (and probably detrimental to Sygate's credibility) argument for not "fixing" it in my opinion.
me

SpaceCowboy
November 3rd, 2003, 06:04 PM
-{ Quote (ellison64): "I also believe that the reason it's not been rectified in Sygate's firewall is that it would take a major overhaul of the firewall engine to correct it." }-
You are correct. They have already said this.
-{ Quote (ellison64): "To state that there's no risk or proven risk, and that's why they haven't implemented it, is a rather weak (and probably detrimental to Sygate's credibility) argument for not "fixing" it in my opinion." }-
Nobody from Sygate has ever said this.

notageek
November 3rd, 2003, 06:13 PM
I posted this before I will post this again. If you want to use Sygate and have a proxy running make sure you use SSM (system safety monitor)

ellison64
November 4th, 2003, 03:18 PM
Thanks SpaceCowboy for correcting me on Sygate's stance. I have browsed Sygate forums on the loopback issue as I actually purchased a licence for Sygate a few months ago. I assumed that the loopback would work. My comments were based on general assumptions and replies made at the forum. Apologies.
me

JayK
November 11th, 2003, 09:46 AM
-{ Quote (manythanks): "Maybe this whole issue has been overhyped without any real solid proof that the firewall could be breached in this manner, maybe when Mr Gibson started to develop the Leak Tester he - Ste Gibson opened a whole can of worms without investigating the whole picture/truth,

Thanks" }-

This is a first, someone doubting Gibson's word. :)

manythanks
November 11th, 2003, 12:04 PM
I don't doubt his word, but don't you think it's a bit strange that Ste Gibson claims this is a very serious problem (application hijacking) and everyone else says it is a problem but the chances are very very rare, after all it's not the firewall that catches Worms or trojans.

Thanks

sig
November 16th, 2003, 06:50 PM
LeakTest only tested the outbound blocking capabilities of a firewall. And as we know, while a software firewall is not an AT, if it has some form of outbound application approval and monitoring, an unapproved application seeking to connect to the net should be flagged by the firewall and be required to get user permission to connect to the net, as in ZA for example. (I'm not talking about some super trojan that is designed to bypass firewalls, just an ordinary common trojan or even something as banal as an AV updater or one of the many MS things that want to chatter on the net.) This is also how some people discover they have a trojan: when their firewall sees an unapproved program trying to connect to the net and calls their attention to it.

LeakTest wasn't dealing with application "hijacking" per se, although if one renamed it one could tell if the firewall could tell the difference between an approved application and another app using the same file name to try and avoid detection. LT basically tested if a firewall had outbound monitoring and app control.

The proxy loopback issue isn't so much a matter of application hijacking, but is a loophole in the firewall's outbound app permission monitoring and control. Normally, most firewalls would require an app to get approval to connect to the net on its own. As with AV updaters even if they use IE to connect to the net. The updater must be an approved app, regardless if it connects directly or uses IE to connect. When this loopback permission issue is present and a local proxy is used, some apps (presumably including malware) could use the proxy's connection to get out without the firewall noticing it and thus never flagging it for user approval. Thus a program updater, MS components or another thingy (spyware, malware, other programs) could connect out through the proxy without your knowledge since the loopback issue is present.

So it's a matter of app control. One needn't have some clever trojan defeating the firewall in some intricate fashion when the proxy loopback issue is present. It could just go through the firewall without a peep as could other (legit) programs as well. It's a matter of which allows the user to better control what is allowed outbound connections when using a local proxy, a firewall that makes each app initially ask for permission or a firewall that has the loopback loophole and thus makes it much easier for programs to bypass the approval process and the user? That's the issue for many of us who use a local proxy.
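
[Added example, not part of the original thread or any poster's words.] The gap CrazyM and sig describe above can be audited from the connection table by attributing each localhost connection to the process that owns it. The `netstat -ano` style rows, PIDs, process names (including the hypothetical `updater.exe`) and the proxy port 8080 are constructed sample data.

```python
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port state pid")

# Constructed sample: a local proxy on 127.0.0.1:8080 with two client programs.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       1500
  TCP    127.0.0.1:1041         127.0.0.1:8080         ESTABLISHED     2200
  TCP    127.0.0.1:8080         127.0.0.1:1041         ESTABLISHED     1500
  TCP    127.0.0.1:1047         127.0.0.1:8080         ESTABLISHED     3100
  TCP    127.0.0.1:8080         127.0.0.1:1047         ESTABLISHED     1500
  TCP    192.168.1.10:1042      203.0.113.5:80         ESTABLISHED     1500
  TCP    192.168.1.10:1048      198.51.100.7:80        ESTABLISHED     1500
"""
# Constructed PID -> image name map (e.g. taken from a process listing).
SAMPLE_PROCESSES = {884: "svchost.exe", 1500: "proxomitron.exe",
                    2200: "iexplore.exe", 3100: "updater.exe"}


def parse_netstat(text):
    """Parse the TCP rows of netstat -ano style output into Conn tuples."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue  # header, UDP or malformed row
        lip, lport = f[1].rsplit(":", 1)
        rip, rport = f[2].rsplit(":", 1)
        conns.append(Conn(lip, int(lport), rip, int(rport), f[3], int(f[4])))
    return conns


def is_loopback(ip):
    return ipaddress.ip_address(ip).is_loopback


def audit(text, processes, approved):
    """Report which programs reach the net only through a local proxy."""
    conns = parse_netstat(text)
    # Ports reachable on localhost (bound to loopback or to all interfaces).
    listeners = {c.local_port: c.pid for c in conns if c.state == "LISTENING"
                 and (is_loopback(c.local_ip) or c.local_ip == "0.0.0.0")}
    # Owners of non-loopback connections: all that a filter which skips
    # localhost traffic gets to see and prompt for.
    visible = {c.pid for c in conns
               if c.state == "ESTABLISHED" and not is_loopback(c.remote_ip)}
    via_proxy = {}
    for c in conns:
        if c.state != "ESTABLISHED" or not is_loopback(c.remote_ip):
            continue
        owner = listeners.get(c.remote_port)
        # Client side of a loopback connection to a process that itself talks out.
        if owner is not None and owner != c.pid and owner in visible:
            via_proxy[c.pid] = owner

    def name(pid):
        return processes.get(pid, "pid %d" % pid)

    return {
        "seen_by_filter": sorted(name(p) for p in visible),
        "via_proxy": {name(p): name(o) for p, o in via_proxy.items()},
        "needs_review": sorted(name(p) for p in via_proxy
                               if name(p) not in approved),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_NETSTAT, SAMPLE_PROCESSES, approved={"iexplore.exe"}))
```

With the sample data only the proxy appears as an outbound application, while both the browser and the updater reach the net through it; the updater is the one the user never approved.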

notageek
November 16th, 2003, 06:58 PM
Well put sig. :) have a cookie.

I would like to add a note on this loopback issue with Sygate. I would assume that if you downloaded a program that was calling home and going through your local proxy it would get out undetected and you wouldn't even know it was calling home. :)

manythanks
November 17th, 2003, 11:52 AM
OK point taken, I think I keep making excuses up for Sygate and I know I shouldn't but thanks anyway, back to ZA.

Thanks

TAG97
November 20th, 2003, 09:53 AM
Found this in the Sygate Forum.

"When will SPF support the ability to control application access to "local proxy"
Products:
Sygate® Personal Firewall
Sygate® Personal Firewall Pro


Operating systems:
All supported Operating Systems

Details:


With the current SPF 5.x architecture, support for the loopback adapter or "local proxy" does require major changes to one of the core product engines. This is considered a high risk fix with both high development costs and resource requirements. However, be assured that we are making progress towards addressing the local proxy issue. Sygate apologizes for the delay but has chosen the path towards fully addressing the issue, rather than issuing a patch or partial fix"

notageek
November 20th, 2003, 09:56 AM
We will just have to see what happens in the long run. Thanks Tag.

Karl_Menshy
November 20th, 2003, 11:31 AM
-{ Quote (Phant0m``): "I don’t use Sygate, and I don’t visit the official forum and I haven’t read any topics about Sygate Loopback issues until this topic, so forgive me for my ignorance. Correct me if I’m wrong but how this Loopback issue works is when running a proxy server using IE Environments a lot of regular software such as Updater Systems doesn’t get seen as making a connection to the outside, instead the proxy server application acting as middle-man is what gets seen by Sygate making the connection attempts to the outside?" }-

Just one more question about the loopback issue:

If you use a proxy for let's say email download and have SPF ask for all programs on inet access you will get a warning that the proxy tries to connect, correct? That is the loopback issue is a security problem only when you are running a proxy which is allowed per se or used for all internet access...?


Thanks,

Karl

CrazyM
November 21st, 2003, 05:55 PM
-{ Quote (Karl_Menshy): "Just one more question about the loopback issue:

If you use a proxy for let's say email download and have SPF ask for all programs on inet access you will get a warning that the proxy tries to connect, correct? That is the loopback issue is a security problem only when you are running a proxy which is allowed per se or used for all internet access...?" }-

Correct. Sygate will see and prompt for the proxy accessing the Internet. It will not see or prompt for anything configured for access via the proxy on localhost.

Regards,

CrazyM

Karl_Menshy
November 23rd, 2003, 08:22 AM
Thank you, CrazyM.