GRC thread - ZA users should check it out

Discussion in 'other firewalls' started by spy1, Aug 3, 2002.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
  2. marti

    marti Registered Member

    Joined:
    Mar 25, 2002
    Posts:
    646
    Location:
    Houston, Texas, USA
    Pete,

    Your link is part of a very long thread. This is the initial post.

    "DaZed" <skooldazed@hotmail.com> wrote in message news:3D4A6874.985BA3DD@hotmail.com...
    > Fellow readers:
    >
    > While installing IE6, I noticed that the ZoneAlarm icon blinked-
    > I have been using ZoneAlarm for over a year, and this was the
    > first time I ever saw the icon blink.
    >
    > So of course, as soon as the IE6 install was finished, I took a
    > look at my ZoneAlarm settings, and I was horrified to see dozens
    > of new programs and modules listed, all of which were given
    > carte blanche to access the internet, and ALL of the new programs
    > were IE!
    >
    > Since I have only used Netscape, there is no way whatsoever that
    > I could have directed ZoneAlarm to grant IE programs and modules
    > permission to access the internet.
    >
    > Because IE6 refused to function, and nuked my system when I
    > removed it, >I'm< not willing to re-install it just to verify what
    > I already saw- the IE6 install hacked my ZoneAlarm settings!!!!!
    >
    > Please bear in mind that I edited ALL IE4 files to zero-length
    > immediately after installing Win98, so there is absolutely no
    > possibility that ANY IE program or module could have
    > launched, and be detected by ZoneAlarm.
    >
    > The fact that the IE6 install program nukes ZoneAlarm is a MAJOR
    > security problem!!!!! The single most dangerous program on your
    > computer (IE) can establish control over a program used to address
    > the security hole of IE...
    >
    > I suggest that ZoneAlarm backup its config files, and perform a
    > CRC32 check to ensure that rogue programs like IE6 install can't
    > change ANY settings. Password protection for ANY AND ALL changes
    > would be nice!
    >
    > My god- If those visual basic morons at microsoft can hack
    > ZoneAlarm- Just imagine what a REAL programmer could do!!!
    >
    > DaZed
     
  3. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Pete,

    First, I want to thank you for at least delving down to (just about) the only post in that overlong thread that has any real information in it.

    Second, thank you for picking the HTML version. That's a bit easier to read than the NNTP version.

    Third, let's start at step 5) (in the referenced URL): Install IE6.
    Now, I've never installed any version of MSIE since about MSIE 3.2, IIRC, without relying either on a Windows CD or a previously installed version of MSIE. My first question (and one not answered in his methodology): how did he download and install MSIE 6 without using MSIE 4? (I'm not saying it can't be done; I just want to know how he did it.)

    Fourth, (back to the referenced URL) Steps 2, 4, and 6 (as I read them) indicate that ZAP was running throughout this process. So, if he used MSIE 4 to download and install MSIE 6, well, then . . . . he must have either already PERMITted MSIE 4.x to access the Internet or he must have done a "This one time..." PERMIT.

    Fifth, he does not list iexplore.exe as one of the files changed as a consequence of downloading and installing MSIE 6. Consequently, I would presume that he either had (or created) a rule to allow iexplore.exe to access the Internet (i.e., not a "This one time..." scenario). Something important is missing here in his description. If he used MSIE 4.0 to accomplish the download and install, then he must have subsequently been asked to approve the update to MSIE 6, which (given the latest version with DLL control, whatever it's called) would automatically also authorize the core DLLs. (Incidentally, there's a whole bunch of core DLLs associated with MSIE that he doesn't indicate as having been changed either; I can only assume that he had already authorized these with the MSIE 4 install.)

    Sixth, it would be nice if we had some information on the build and MD5 hashes associated with those newly 'authorized' DLLs, but he hasn't provided that information. All of those look quite similar to what I see in MSIE 5.01 SP2 on the box I'm using at the moment.

    I suppose I could keep on going, but it's probably better to stop at this point. Besides, I've got another question that I'd like to ask, but would prefer to do that in a separate posting.
     
  4. I am not even going to read JV's post first..You want to upgrade to IE6 you turn off your bl--dy ZA and your AV..download it with whatever option type of IE6 you want..let it install..reboot..then turn your stuff back on.

    DaZed is a klutz...and all the other theory stuff he wrote is garbage made up as he went along..it is soooo funny. :D
     
  5. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Oh, BS!! :cool: You did too read it! :D

    Yes, John, sure looks like that. Ya wanna know somethin' else. Having dug through that thread, I think he is not alone.
     
  6. Oh, BS!! You did too read it!

    I beg your pardon :p ok I peeked at it.. :oops:oh well I read parts of it...maybe I researched it... :doubt:ok I posted it in another forum and made sure everyone got a chance to read it ..but I did not call Bill G as he was playing his Xbox and told me to stop calling him on a Sunday cause he was talking to you how they could pull off the EULA thingie without everyone trying to hack him again .......


    NEVERTHELESS.. how many times have we heard.." do not run any third party proggies"...close down everything you can in CTRL+ALT+DEL if you want to download and install something as important as a new browser, which half those proggies have their meathooks into with shared DLLs.

    You know an IE6 make over is going to be changing the shape of your nose and how you paint your toes..so give it all a break and let it do its thing without a bunch of relatives hanging around...you do the same thing when you defrag (that is what I call it :p but I have heard it called something else) and you know he did not go after IE6 with Opera or Netscape.


    I would not even have that stuff running for other important software installs..but others do.

    I wonder how many turned it all off and went after the Win 2000 new SP..I guess they were checking it all with their AT and AV in real time , to make sure they did not get a badboy...risky business in my book..if you are going to download and install you at least have to start trusting Microsoft.
     
  7. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Okay, here's my second (set of) questions. For the most part, these are entirely distinct from the issues that I raised in my original posting.

    First, nowhere (that I've found) does DaZed indicate exactly what build of ZAP he's using or how he's configured it. And, if he's using the latest, there are some important configuration issues that he should have identified.

    Second, I see a reference (in the URL that you cite) that he 're-installed' Win 98. I note he says Win 98, not Win 98 SE. Did he run any OS or MSIE updates (prior to upgrading to MSIE 6)? God knows there must be somewhere between a half-dozen and a dozen upgrades to Win 98 (including some to MSIE 4, never mind MSIE 5 or 5.5 or 6). Why do I ask? Actually it's quite simple. To the best of my recollection, a fresh install of Win 98 makes MSIE the default browser and it does so without requesting any operator intervention. So, . . . golly gee, boys 'n girls, . . . if ZAP automatically PERMITs the default browser (as stated in the GRC thread), . . . guess what happens!

    Third, (and this is what I really wanted to ask because I have absolutely no idea what the answer is -- not being a ZA/ZA+/ZAP user). Let's take a specific look at one of the DLLs that DaZed has identified explicitly as having been modified as a consequence of installing MSIE 6. Specifically, let's look at (from the referenced URL)
    Shlwapi.dll   Shell Light-Weight Utility Library    ?
    Internet access CHANGED WITHOUT PERMISSION to:
    Shlwapi.dll   Shell Light-Weight Utility Library    Y

    Okay, here's my question (in a very roundabout way because I need to lay some groundwork). Exactly what does this entry mean in the version of ZA/ZA+/ZAP that he is using? Is this simply an entry 'authenticating' Shlwapi.dll for use with MSIE (or possibly Copernic, to name only one other possibility)? Or do the implications of this entry go much deeper? Specifically, does this mean that Shlwapi.dll can now be run independently of MSIE? Specifically, does it mean that Shlwapi.dll can be run simply using rundll? (This particular DLL is of less interest to me than others that DaZed does not list at all, but it does happen to be one that he does list.)

    You see, MSIE (at least through MSIE 5.x) is really nothing more than a 'stub' program that calls the operative DLLs. If anything is now permitted to call the DLL(s) and get through the firewall (based on these PERMITs), then "Houston, we have a problem". Another stub program would not necessarily have any Internet-enabled functionality embedded in it, but if it could call one (or more) of the operative DLLs without further authorization, then (for all practical purposes) there ain't no firewall anymore, boys 'n girls. Again, I have no clear conception as to what's happening with the latest versions of ZA/ZA+/ZAP, so I can do nothing more than raise the issue.
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Joseph - I appreciate the work and thought that's been put into this by you. Pete
     
  9. Charlie Tame

    Charlie Tame Guest

    I didn't even bother to take much part in the thread because I could see from the start where it was going.

    In fact the comment about ZA accepting defaults just about has it I think.

    Upon install, ZA asks if you want to enable certain functions, email and browser for example, to save the bother of having them pop up and ask for permission. Now I don't know for sure, but I am assuming that if this was how it was originally installed we have the answer.

    Obviously ZA checks all programs that attempt to call out. It detects changes using MD5... BUT... in this case, if this was the first ever use of IE (he says he uses Netscape by the way, so that would be his download browser) then the "accept browser by default" setting would be expected to let it by. No MD5 because if it's never been used it hasn't changed. No warning because browsing and mail accepted by default. :D

    Therefore I conclude that Dazed is a turkey, oh well.
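As an added illustration of the two mechanisms the thread keeps circling, DaZed's "back up the config and checksum it" suggestion and Charlie's point that hash-based change detection only fires for a file that already has a recorded hash, here is a small Python baseline checker. It is example code written for this page, not code from the thread, from ZoneAlarm or from any other product. It uses SHA-256 rather than CRC32 or MD5, and the file names (zonealarm.cfg, shlwapi.dll, oldrules.cfg, hosts.txt) are constructed stand-ins written to a temporary directory, not the real Windows or ZoneAlarm files. The simulated "installer" rewrites the config, drops a never-seen DLL and deletes a file, and the checker reports each outcome separately.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not from the thread or any product): baseline-and-compare
# integrity check. SHA-256 replaces the CRC32/MD5 mentioned in the posts: a
# CRC is trivially forged and MD5 is no longer collision-resistant.


def digest_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def file_digest(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large DLLs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Record the digest of every file that exists now: the 'known good' set."""
    return {Path(p).name: file_digest(p) for p in paths if Path(p).exists()}


def check_against_baseline(baseline: dict, paths) -> dict:
    """Classify each file as unchanged / modified / new / missing.

    'new' is the blind spot Charlie describes: a file with no baseline entry
    (a component never run or hashed before) cannot be reported as changed,
    only as previously unseen, so it needs a separate policy decision.
    """
    status = {}
    present = set()
    for p in paths:
        p = Path(p)
        present.add(p.name)
        if not p.exists():
            status[p.name] = "missing"
        elif p.name not in baseline:
            status[p.name] = "new"
        elif file_digest(p) != baseline[p.name]:
            status[p.name] = "modified"
        else:
            status[p.name] = "unchanged"
    for name in baseline:  # baseline entries the caller did not pass in
        if name not in present:
            status[name] = "missing"
    return status


def demo() -> dict:
    """Simulate an installer that edits a config, drops a DLL and deletes a file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        cfg = d / "zonealarm.cfg"  # constructed stand-in for a firewall rule file
        old = d / "oldrules.cfg"   # constructed file the 'installer' deletes
        keep = d / "hosts.txt"     # constructed file the 'installer' leaves alone
        dll = d / "shlwapi.dll"    # constructed stand-in, not the real Windows DLL
        cfg.write_text("iexplore.exe=ASK\nnetscape.exe=PERMIT\n")
        old.write_text("legacy=1\n")
        keep.write_text("127.0.0.1 localhost\n")
        baseline = build_baseline([cfg, old, keep])

        # The simulated install: flips IE to PERMIT, adds a DLL, removes a file.
        cfg.write_text("iexplore.exe=PERMIT\nnetscape.exe=PERMIT\nshlwapi.dll=PERMIT\n")
        dll.write_bytes(b"MZ constructed-not-a-real-dll")
        old.unlink()
        return check_against_baseline(baseline, [cfg, old, keep, dll])


if __name__ == "__main__":
    for name, state in sorted(demo().items()):
        print(f"{name:16} {state}")
```

Running it reports zonealarm.cfg as modified, shlwapi.dll as new, oldrules.cfg as missing and hosts.txt as unchanged. The design point is the "new" bucket: a checksum scheme protects only what was hashed beforehand, so a component that was never executed or recorded before the install gets no "changed" alarm no matter how strong the hash is, which is exactly the default-browser gap the thread ends up identifying.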
     
  10. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Charlie! Nice to see you here! Stick around, register, whatever, okay??
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    You're most welcome, Mr. Charlie Tame! ;)

    regards.

    paul
     
  12. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    May we all give thanks to him... :cool:
     