Malicious code could trick ZoneAlarm firewall

The vulnerbility can be prevented in the paid versions of ZA 5.5 by eneabling the "Advanced Program Control" feature in ZA:
Go to "Program Control" section of ZA> Select the "Main Tab"> Select the "Custom" button in the "Program Control" subsection> Tick the box beside "Advanced Program Control"> Click "OK"

Paid versions of ZA 6.0 will by default protect you due to the new OSFirewall feature.

Free versions of ZA aren't protected. However to my knowledge, other free versions by other manufacturers also don't protect you from this.

You can read the full details of this vulnerbility in this Zone Labs security Advisory:
http://download.zonelabs.com/bin/free/securityAlert/35.html

 

The good news as i have just discovered for this DDE-IPC (Direct Data - Exchange Interprocess Communications) flaw, is that ZA Free users can also be made safe from this potential exploit, and very easily too !

I imagine my advice would apply to other FW's too.

All you need to do is ensure that your browser is NOT set to allow access to the internet by default in ZA.

I have always thought it wise not to allow Any program automatic right of access as a precaution. Every time any App of mine requires access out for Anything, i have to physically click to allow, including AV updates etc.


StevieO

 

Brilliant advice. This precaution, of course, would also block many of the firewall leaktests that piggyback on the browser. I mentioned this in another thread and was criticized for having a firewall rule that prevented the test from showing that my firewall was vulnerable.

This precaution would also prevent a trojan downloader from auto-connecting out, which I've demonstrated in testing several real trojans.

A bit of a nuisance, some will say, but it just becomes a part of your routine, and after awhile, the few seconds of extra time is not noticeable.

-rich
________________
~~Be ALERT!!! ~~

 

Hi ronjor,

In the story, I notice the distinction is made about "network firewall" vs "OS firewall".

I have noticed your view on firewalls on several posts in the past with regard to the lumping of features onto a network firewall to provide protections that normally an OS firewall would perform.

Is it your take that you find those features misplaced in a network firewall? I would like to hear more discussion of this distinction and its relative pros and cons vs the direction various products have taken and whether that's a good thing or not.

-- Tom

 

Hi StevieO,

Ok, IE wants access, at this point, how are you going to be able to tell whether there is a piggy-back process or not with the free version?

Regards - Charles

 

Hi to you too zcv,

Somehow i get the feeling you are asking a rhetorical question ?

So if you had some Solutions/Answers you could have saved time and helped everybody out by posting them at the time !

Of course it's a good question, and it might be possible for something like that to occur. I would be very suspicious of IE wanting access through ZA without my initiating it in the first place though.


StevieO

 

Can you explain what this is and how it's different from Kerio 2?

For example, any application not given permission to connect out is blocked in Kerio 2.

thanks,

-rich

 

Same here, with the browser rule set normally to permit outbound access.

I'm wondering how many do, or would consider doing StevieO's suggestion in post #3, where you manually grant access for outbound connections?

What I've experimented with is to include my most frequented websites in the Custom Address list, such as Wilders. Then, I'm not nagged everytime I open a new post or thread, but would be alerted if an exploit like Ron mentioned attempted out to another address.

See attachment where the exploit was blocked when I unchecked the browser rule, prompting an alert.

regards,

-rich
________________
~~Be ALERT!!! ~~

 

This bypasses Outpost 3 as well.

Thanks,

Chris

 

let me install it real fast.

Thanks,

Chris

 

Thanks for all of the screen shots. I'll look at the manual.

When Kerio 4 was first released, there were many bad reports about it. Sounds like this version has cleaned things up.

I notice you have NIPS checked and that it used a database of attack signatures. When KPF goes out of business, I wonder if anyone else will take over updating this data base. Kerio would probably have to release the source code rights.

regards,

-rich
________________
~~Be ALERT!!! ~~

 

With ZAP 6 using default settings it tells you ZABypass.exe is trying to use iexplorer to access the internet using DDE.

Thanks,

Chris

 

(this thread is being hijacked by KPF4)

I just downloaded the manual. On p. 98, regarding script blocking:

------------------------------------
Block JavaScript, Block VBScript
Enable these options to filter all commands of the corresponding script run from
a website.
------------------------------------

Does this refers to browser scripts? If so it's great protection because Wormguard doesn't provide that type of script protection. See

https://www.wilderssecurity.com/showthread.php?t=91194

regards,

-rich
________________
~~Be ALERT!!! ~~

 

And SSM, ProcessGuard, Online Armor, et al.