Kerio 4.06 released - Less secure

Discussion in 'other firewalls' started by BlitzenZeus, Oct 27, 2003.

Thread Status:
Not open for further replies.
  1. BlitzenZeus

    BlitzenZeus Security Expert

    Feb 11, 2002
    Oregon, USA
    Kerio Personal Firewall 4.0.6 has been released.
    You can download it at or check for updates from KPF admin.

    MD5 hash of the package:
    FDD77C6F9E49962146FB0A4B23B2B513 kerio-pf-4.0.6-en-win.exe

    Changes since 4.0.4:
    - fixed registration on WIN 98, ME
    - fixed bug when Group name contains '&'

    + czech localization
    + password protection
    + remote administration
    + added ability to inspect gzipped http
    + logging and alerts can be turned on/off directly by clicking on rule line in network/system security
    + firewall can now be exited when popup window is shown

    Serious Security problem! When you give a program permission to launch other programs, those programs are now launched, and automatically allowed to start without user input. So if a trusted program launches a malicious program it will be started by default!!! Now any script run from a trusted application will be able to run loose on a system! Thanks for making the system security module useless, Kerio!

    1: You allow explorer.exe to launch other programs.
    2: A script tells explorer.exe to launch malicious.exe, and malicious.exe is set to be allowed to start by default.
    3: Malicious.exe is launched without user input.

    Password protection, and Remote admin apparently are part of the paid version, which is not even mentioned in the help file correctly with association with the free version.

    I've done minor testing so far, but the fact that they crippled the system security module makes this a horrible release. I didn't think it could get any worse... I was wrong...
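The launch decision described in the post above, as a simplified model added here for illustration. It is not Kerio's code: the rule fields, function names and the sample names `notepad.exe` and `blocked.exe` are assumptions. It contrasts a decision taken from the parent's "launch others" right alone with one that also checks the child's own "start" right.

```python
from dataclasses import dataclass

ALLOW, ASK, DENY = "allow", "ask", "deny"
_STRICTNESS = {ALLOW: 0, ASK: 1, DENY: 2}

@dataclass(frozen=True)
class AppRule:
    """Hypothetical per-application rule; unknown binaries default to ASK."""
    starting: str = ASK          # may this binary itself be started?
    launching_others: str = ASK  # may this binary start other programs?

def decide_conflated(rules, parent, child):
    """Behaviour as reported in the post: only the parent's right is consulted."""
    return rules.get(parent, AppRule()).launching_others

def decide_independent(rules, parent, child):
    """Check both rights; the more restrictive one wins."""
    p = rules.get(parent, AppRule()).launching_others
    c = rules.get(child, AppRule()).starting
    return max(p, c, key=_STRICTNESS.__getitem__)

def silent_launch_gaps(rules, events):
    """Return launches the conflated check allows without the user being asked
    although the child's own rule would have prompted or blocked."""
    return [
        (parent, child, decide_independent(rules, parent, child))
        for parent, child in events
        if decide_conflated(rules, parent, child) == ALLOW
        and decide_independent(rules, parent, child) != ALLOW
    ]

# Constructed rule set and launch events (not taken from a real system).
RULES = {
    "explorer.exe": AppRule(starting=ALLOW, launching_others=ALLOW),
    "notepad.exe": AppRule(starting=ALLOW, launching_others=ASK),
    "blocked.exe": AppRule(starting=DENY, launching_others=DENY),
}
EVENTS = [
    ("explorer.exe", "notepad.exe"),    # known child: allowed either way
    ("explorer.exe", "malicious.exe"),  # unknown child: should prompt
    ("explorer.exe", "blocked.exe"),    # denied child: should stay denied
    ("notepad.exe", "malicious.exe"),   # parent itself is ASK: prompts either way
]

if __name__ == "__main__":
    for parent, child, expected in silent_launch_gaps(RULES, EVENTS):
        print(f"{parent} -> {child}: started silently, expected '{expected}'")
```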
  2. Eliot

    Eliot Registered Member

    Aug 8, 2003
    Arkansas, USA
    Rats!!!! I want to use the new version so badly because no other firewall feels right to me anymore. I sure hope they get that fixed before the 11/10/03 release date scheduled. o_O
  3. bellgamin

    bellgamin Very Frequent Poster

    Aug 1, 2002
    Since I regard you as one of the leading experts on Kerio [as well as one of its major supporters] what you have said is serious stuff, indeed. If they have good sense, they will heed the critique of a good friend like yourself.

    I shall watch closely for your future reports. Thanks for the information.
  4. controler

    controler Guest


    I am not understanding what you are saying about allowing one APP to launch another APP with Kerio. In my screenshot it shows the choice to allow or ask. Are you saying this feature really doesn't work? It seems to work for me with most APPS.
