ZoneAlarm Pro Serious Security Vulnerabilities!?

Discussion in 'other firewalls' started by ronny, May 31, 2006.

Thread Status:
Not open for further replies.
  1. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Interesting read here
    Did I waste my (hard-earned) money when I bought it (several licenses)?
    Any comments?
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  3. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, All: I have read a while ago when the author posted his findings on this forum (but has been removed since). Up to this day, we are still awaiting ZA's official response. What if someone would purchase the CODE (they are offered for sale on his web site) and commence hacking? I'd rather not imagine. :mad:
     
  4. olap

    olap Registered Member

    Joined:
    May 20, 2006
    Posts:
    95
  5. matousec

    matousec Registered Member

    Joined:
    May 17, 2006
    Posts:
    32
    Hello, we are also awaiting ZA's response.

    Anyway, we will not sell our work to malware creators. Our analysis is intended for vendors and pen-testers. We will not sell our products anonymously - this should discourage those that want to create and spread malware with it.
    We will also publish bugs for free regularly (probably since 01/07).
     
  6. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, this is exactly the kind of attitude and approach I am expecting from you. I do admire your excellent work, you are a new kid on the block, carry on your good work, surely the viewers will support you all. :thumb:
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So who can buy this code except ZoneLabs and hackers? I am confused.
    Also I am still confused what is the aim behind all this?
     
  8. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    Last I recall this was posted, the Moderator deleted the entire thread.

    The security tester should submit his list of 'vulnerabilities' to Secunia to see if it holds any value.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That link was removed recently by one of the leaders of Wilders, don't remember who.
     
  10. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    After having read the allegations made by matousec regarding Zone Alarm, I am not convinced that the conclusions are sound. The page seems littered with errors. From the "Tested version" section where the differences between Zone Alarm Pro and Internet Security are erroneously described to the "Security" section where the author makes unfounded allegations about Zone Labs' programmers and their ability to program under Windows NT.

    I hesitate to make the same mistake as the author of the referenced "tests," but I am willing to bet that the author's obvious financial motivations have tainted the author's ability to objectively evaluate the software. Furthermore, my conclusion is that these findings are without merit. My guess is that Zone Labs will not respond to these findings because a response would only give credibility to these findings and I'm not convinced that the findings are deserving.
     
  11. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    A similar thread has been posted on the ZL forum (which is now locked) and the forum moderator has replied to it. His words can be almost taken as the official stance of ZL on this issue:
    http://forum.zonelabs.org/zonelabs/board/message?board.id=security&message.id=15510

    Like what the forum moderator said, any respected security researcher would disclose vulnerabilities to the software company concerned and notable websites like Secunia for no fee. Asking for money just causes people to question your motives and legitimacy of your "results" and is more likely to be a scam.

    I am just surprised that the Wilders Security Moderator hasn't deleted this thread like the previous one that was posted here.
     
  12. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    People tend to trust those who have no financial incentive when testing products.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't mind that the link isn't removed this time. Both, good and bad things need to be said.
    I don't know if it is true or not, only firewall experts can be the judge of that.
    Why selling all these bugs anyway? Good grief, $260 for one bug, that's blackmailing.
    Must be a new way of making money on the internet. LOL
    Meanwhile I keep on using ZoneAlarm (free or pro), because ZoneAlarm is much cheaper than its so called 'bugs'. :D
     
  14. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, all: after reading the locked link to ZL, I just could not believe what I have seen. ZL is a leading player in cyber security, everyone including myself is looking up to them for leadership and guidance. In the wake of wild discovery of potential and perhaps critical flaws in their flagship app by a NEW kid on the block, they panic and act like a chicken w/o head. First, they discredit the author then choose not to act and react by hiding their head (only if they luckily find one) in the sand. Some folks may be old enough to recall the auto giant (not any more) FORD/Pinto saga, same pattern of reaction has been followed. At the end, FORD paid for their mistakes very dearly. The author may have some ethical problem by offering his findings for $$. By the same token, ZL sell their work for $$$ as well. Who is ethical and who is not is a question of your judgement. My main concern now is that what IF (hoping it is a big IF) his findings have somewhat merits, and ZL still sit in an ivory tower looking out refusing to do ANYTHING, are our wellbeings in this cyberworld being protected? We have paid ZL $$$ for protection and the PROTECTOR is trying sidesweeping their problems under the carpets. A kind word for CTO at ZL, this is the time for you and your intellectuals to show us that you do CARE! :mad:
     
  15. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    If you visit that "security" website now, you would see that they have done a test on Kerio and also found a long list of "bugs" for Kerio and advise people not to use Kerio and switch firewalls. I wonder what is Sunbelt Software's official take on the matter. I would not be surprised if it's the same:
    http://www.matousec.com/projects/windows-personal-firewall-analysis/Kerio-Personal-Firewall-4.3.246/

    If they want to charge that's up to them but at least file the bugs say to Secunia to have the bugs verified. Charging for the "tests" and not having someone external verify your work just raises your questions. From the forum moderator's answer, ZL is aware of the tests but they are also aware that it may be a scam and are not willing to fork out big cash especially for work that is not verified or even picked up by an editorial board. I just think that this just calls for the use of common sense (which is not common these days) and not jumping onto everything that is claimed to be a bug.

    P.S. ZL doesn't sell all their firewalls. ZA (free) is still available for free. Those who buy did so voluntarily because they'd like a feature that is not present on ZA (free) or they don't mind paying for a high-quality firewall.
     
    Last edited: Jun 3, 2006
  16. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    The dilemma arises though, when supposedly agnitum has apparently asked matousec to test their new version 4 firewall, therefore giving them some credence in their ability to fault find etc. I don't know whether they are genuine or not, however their wording regarding kerio and ZA seems provocative to say the least.
    ellison
     
  17. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Perman,
    Your reasoning is seriously flawed. Based upon your logic, Zone Labs should pay me simply because I claim to have bugs for sale. If that was how things worked, then I would be rich. Furthermore, Zone Labs selling their security software that is designed to protect is not the same as selling ways to exploit Zone Labs software. Based on that logic, Microsoft is the same as cyber criminals that sell bot networks.

    As an industry leader, Zone Labs is doing just as it should, contrary to your conclusion. You think that Zone Labs should heed to every extortion attempt from every "NEW Kid" on the block. I disagree. The individual(s) behind this so called "finding" may very well be kids simply trying to earn a fast buck. I would be willing to bet that smart business men or women are not behind this. I think this inference can be drawn from the manner in which they are operating.

    Ellison64,
    Your intuition seems correct. Their wording is provocative, indeed. I would go further and label it suspicious. Their modus operandi only adds to that suspicion.
     
    Last edited: Jun 6, 2006
  18. FirePost

    FirePost Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    213
    Anyone that visits the site and reads the blog will see that Agnitum only asked that the testing be carried out on the forthcoming version 4 rather than the current 3.51. That is not the same as asking for a test. From the blog.
    Better stated and more correct:
     
    Last edited: Jun 8, 2006
  19. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Whichever way you interpret it though, agnitum (according to the blog) seems to be a willing participant in matousec's testing methods, otherwise they wouldn't have even acknowledged them imo.
    ellison
     
  20. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, Dallen: Just came across your comments. I like to take few minutes just to let you know my reasonings behind my earlier views, NO intention to escalate ANY further debates. You have a good academic credentials around your waist, I do respect you. As you know any leader in any field, in order to continue growth, they must keep their minds OPEN, I mean open to any suggestions from right to wrong, and never SHUT their ears or TUNE their receiver on selective frequency. This NEW kid on the block, could be just as young as your grandson with lots ideas, his behavior to solicit $$ for his work may leave bad taste in some people's mouth, but it does not constitute any intention for extortion (as you label it); not just targeting ZA. The refusal from ZL to deal with these alleged flaws and LOCK the link to this matter on their forum just illustrate something fishy on their part. Again, a very kind for CTO at ZL, this is the black cloud on the horizon, be wise to deal with it before it becomes a category 5 hurricane. This kid has mentioned (not a threat) that he will publish his findings in public in Jan, 2007. Be there folks, and be a judge. BTW, ZL has upgraded ZA pro to V 6.5 700, is it still vulnerable to these findings (or should be called threats).
     
  21. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    What I find a bit disreputable is that matousec said that they were waiting for ZA's response and yet still slagged their product off publicly at their website. Now if there were serious bugs in ZA and matousec are a professional company or whatever that charges for their services, then surely they would have approached ZA and sunbelt, covertly... explained their findings etc etc and maybe ZA or kerio might have been more favourable in their approach to matousec. Perhaps they did this but I see no evidence at the site regarding this. To most observers it looks like matousec have found faults (allegedly), then published the fact publicly on their website and discredited ZA and kerio, with an offer to disclose the "bugs" for money. The fact at present though is that millions of people use both these products without much complaint or problems with their security.
    ellison
     
  22. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: further to my previous posting, I have received a private message from matousec indicating that there are two errors needed to be addressed. First is the date for public release, it is July 1, 2006 rather than Jan. 1, 2007. Secondly, the scope of releasing info is limited to a few but regular, rather than all bugs. And the products subjected to testing are not limited to ZA products.
     
  23. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    On July 1, 2006, it sounds like we will find out for sure if matousec's claims are legit. We've already learned that matousec's business practices are ethically irresponsible. My decision, if I were running Zone Labs, would be to give this matousec the attention he deserves. None.

    Do you think Zone Labs became the industry leader by developing an easily exploitable firewall? This is not to say that Zone Alarm is impenetrable, but it is certainly among the best on the market.

    Negotiating with matousec and paying for the "exploits," and I use the term loosely, would be a lot like negotiating with terrorists. The instant you go down that path there is no return and you give everyone a financial incentive to become a terrorist. Some may say my analogy is extreme because matousec is not a terrorist. I agree, he most certainly is not. However, it seems matousec is attempting to take Zone Labs "hostage." First he says, I have keys to your palace and if you want them back you must pay. Sounds like extortion to me.
     
  24. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Dallen.

    It's difficult to say. My perception at least is that on the home user market, its reputation as the leading firewall was helped by good marketing strategy rather than pure technical expertise, not to mention excellent PR help from Mr Steve Gibson.

    I'm not going to weigh in on whether it is right to pay money for vulnerabilities, but you might not be aware that such a practise is certainly being done on a fairly large scale by big security companies who offer bounties on serious vulnerabilities, and such information is then used to protect clients which include big Fortune 500 companies and government entities.

    Compared to the sums of money paid by such companies, what matousec is asking for is peanuts really. Of course, I seriously doubt if what matousec found is comparable, but what is sauce for the goose...

    I personally would support the efforts of Matousec , they look creditable enough to me on first sight with a fairly comprehensive testing methodology. Certainly they exhibit knowledge that surpass the typical run of the mill poster here, even some credited with the "expert" tag (no offense to the experts with that tag).
     
  25. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Mr. Gibson is quite knowledgeable and his endorsement usually is indicative of solid software. PR from the mouth of Mr. Gibson occurs after the development of a good firewall. I do not dispute your thoughts regarding the power of marketing.
    By "bounties on serious vulnerabilities," I think you are referring to companies that offer rewards for individuals that are able to discover vulnerabilities in their own software. If that is what you mean, that is a completely different animal and it is far more ethically sound.
    From an ethical perspective, my view is that the amount being "demanded" is irrelevant.
    You are of course entitled to your opinion just as I am. We will have to agree to disagree on this point. Your point is well received.
     