ZoneAlarm flaw isn't flaw in ZoneAlarm?

Discussion in 'other firewalls' started by Pretender, Jul 9, 2003.

Thread Status:
Not open for further replies.
  1. Pretender

    Pretender Registered Member

    Joined:
    Apr 23, 2002
    Posts:
    670
    Location:
    Virtual Paradise
    If you pay any attention to news about software or PC security, you've no doubt heard of a severe flaw discovered recently in the popular ZoneAlarm personal firewall. You may have heard that Zone Labs initially refused to fix this flaw in the free version of their software, saying that users would need to upgrade to the expensive Pro version to fix this issue. You may also have heard that Zone Labs has back pedaled and decided to address the issue after all.

    Here is something that you may not have heard. Most of that is not true. Zone Labs is not telling people to upgrade to the pro version to fix this flaw. In fact, there is no flaw to be fixed.

    This all started when someone posted a hypothetical password theft exploit to Bugtraq. In his hypothetical exploit, the person speaks of a rogue application running and stealing the user's passwords or credit card information.

    Read rest of article: http://www.spywareinfoforum.com/articles/zonelabs/exploit_hoax.php
     
  2. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    After whining by quite a few people, they are going to prevent the issue in the free version.

    The issue is not ZA, it's a Windows exploit, in which a certain trojan would have to be installed at the same time. So the user lets a trojan on their system, and then it uses Windows exploits. In no way is this a ZA bug, but so many clueless newbies complained, along with bad PR, they are going to add this feature to the free version.

    Do you expect a packet-filtering firewall to prevent a trojan the user let be installed by some means to run amok on the system with your Windows files? NO, this is why I think the issue is so stupid.
     
  3. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    I'm a free junkie lol, newbies bend them to our will mwahaaaaaaaaaaaaaa
    though I can't use winky eye, need to allow active scripting lol
     
  4. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    The issue of is it a firewall problem or is it a Windows problem came up with the first leak tests published. I have always felt it was basically a design flaw in Windows that allows most leaks to work the way they do. In seeing what M$ has come up with, in Longhorn, to make their OS safer, I'm beginning to wish MS would let the 3rd party vendors take care of such issues.

    I still believe there are even more "leak tests" to be revealed yet, and it is my understanding that for a firewall type application to properly protect against such exploits, it is going to be necessary to use a sandbox type approach. If firewall vendors keep applying patch after patch to plug leak after leak, soon all the firewalls are going to be the same patched mess M$'s OSs are.

    What is going on is the equivalent to Electronic Countermeasures warfare. The good guys come up with a new technique, and the bad guys come up with something to counter it. Then the good guys counter that, and it goes on and on.

    SSM has demonstrated the fact that a sandbox approach to dealing with most of the leak tests did not take re-inventing the electron. Although it is not perfect, I think with a few more refinements, it will demonstrate that a sandbox can be run on a home computer with minimum hassle and maximum security. I personally think that the firewall vendors should take a serious look at sandboxing if they want to be competitive in the future.

    Getting on the computer and surfing the net should be a fun experience, or a safe learning experience for those that use it for education. I wonder when people are going to get tired of playing this game of I can break down your security, ha ha. Frankly, I'm getting bored with the whole mess and I doubt very much if someone is going to take the time and the effort involved to try to compromise my computer, and if they do, what have they gained? If you don't keep sensitive information on your computer, then no one is going to get it by any exploit.

    The best firewall has been and always will be the brain. Use it and the results should be favorable. :D
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    I agree, root. Powerful application controls or sandboxing is needed to prevent the exploiting of these Windows functions and features (a.k.a. exploits). Most of the big name software firewalls have some amount of application control already integrated in them, but, as new exploit ideas occur to people, more powerful controls are needed to counter them.

    In fact, when you think about the ShellExecute() function and what it can do, Zone Alarm has to actually increase the capabilities even within the ZAplus and ZAPro products to make them 100% effective...

    Currently, the Advanced Program Control feature in the two pay Zone Alarm products can recognize and prevent (if the user answers 'No' to the alert) the calling of the default browser (or any program, really) from another program, as long as this call creates a new instance of the program and is not simply passed over to an already executing - and already approved for network access - copy of the program.

    Catching the new instance works effectively because that is obviously how Zone Alarm's Program Control is implemented - it recognizes at the first attempt to access the network that the program was run as a child to another program. ZA alerts that the parent program is attempting to make the child program access the network on its behalf. This concept is easy to understand, I guess.

    However, when a program is already running, and has been granted approval to access the network, Zone Alarm will obviously need to find a way to catch that another program is attempting to send it commands.

    If you take a look at this thread at DSLR - Security Forum you see a simple test with the ShellExecute() function. Down a ways in that thread you'll see my sandbox activity log and the explanation of what's different in that log when IE is already running versus being started fresh. Basically, even Tiny Trojan Trap doesn't monitor on a granular enough level to actually catch the passing of the URL to an existing browser session. All it sees is a Create in-process COM object and control then passes over to the existing browser session at some low-level inside the OS that isn't being monitored.

    It'll be very interesting to see how Zone Labs gets Zone Alarm to catch what's really going on and to prevent it until the user answers an alert. Since I'm not a Windows programmer, I have no idea how they'll trap this, but, if they do, then I'll be really happy because then my ZA+ and ZAP applications will be even more powerful than they are already.

    Zone Alarm Free is obviously going to be given at least a portion of this Advanced Program Control capability, meaning whatever functions are needed to trap these calls. Or, perhaps the entire Program and Component Control functions will be put within ZAF, I don't know.

    Of course, I have to wonder what is happening right now among some of the other software firewall vendors since many of them (though not all) are just as vulnerable as Zone Alarm. In fact, some of them don't even have code in place for trapping even the basic parent calling child to access the network... Should be interesting just how much advancement is going to occur in the software firewall world in these next weeks.
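The parent-to-child check LowWaterMark describes above, written out as an added example that is not part of this thread and is not Zone Labs' code. It replays constructed, simplified Sysmon-like events (process creation plus outbound connection; the process names, pids, addresses and the hypothetical "rogue.exe" are all made up), reconstructs each connecting process's parent chain, and blocks the connection when any ancestor is not on the user's approved list. The last event reproduces the case the post says is hard: the unapproved program hands a URL to the already running browser, so no new process appears and a chain-based check alone cannot see who drove the connection.

```python
"""
Added example: reconstruct parent/child process chains from constructed
process-creation and network-connect events and decide, per connection,
whether an unapproved parent drove it. The event shape is Sysmon-like but
simplified; every process name, pid and address here is made up.
"""
from dataclasses import dataclass
from typing import Dict, List

# Programs the user has already approved for network access (constructed).
APPROVED = {"explorer.exe", "iexplore.exe"}

# Constructed sample events (not real logs). pid/ppid values are fake.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 100, "ppid": 1, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    # Browser started normally by the shell, then allowed to connect.
    {"type": "ProcessCreate", "pid": 200, "ppid": 100, "image": "iexplore.exe",
     "cmdline": "iexplore.exe"},
    {"type": "NetworkConnect", "pid": 200, "dst": "198.51.100.10:80"},
    # Hypothetical unapproved program "rogue.exe" starts a NEW browser
    # instance with a URL argument (the fresh-instance case in the post).
    {"type": "ProcessCreate", "pid": 300, "ppid": 100, "image": "rogue.exe",
     "cmdline": "rogue.exe"},
    {"type": "ProcessCreate", "pid": 301, "ppid": 300, "image": "iexplore.exe",
     "cmdline": "iexplore.exe http://198.51.100.10/"},
    {"type": "NetworkConnect", "pid": 301, "dst": "198.51.100.10:80"},
    # Same program hands a URL to the ALREADY RUNNING browser (pid 200):
    # no ProcessCreate is generated, only the existing browser connecting.
    {"type": "NetworkConnect", "pid": 200, "dst": "198.51.100.10:80"},
]


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from the process itself up to the root we know about."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against pid reuse producing a cycle
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return chain


def analyse(events, approved=APPROVED):
    """Return one verdict per NetworkConnect event, in event order."""
    procs: Dict[int, Proc] = {}
    verdicts = []
    for ev in events:
        if ev["type"] == "ProcessCreate":
            procs[ev["pid"]] = Proc(ev["pid"], ev["ppid"], ev["image"], ev["cmdline"])
        elif ev["type"] == "NetworkConnect":
            chain = ancestry(procs, ev["pid"])
            unapproved = [img for img in chain if img not in approved]
            if unapproved:
                verdict, reason = "BLOCK", f"ancestor {unapproved[0]} is not approved"
            else:
                verdict, reason = "ALLOW", "every ancestor is approved"
            verdicts.append({"pid": ev["pid"], "dst": ev["dst"], "chain": chain,
                             "verdict": verdict, "reason": reason})
    return verdicts


if __name__ == "__main__":
    for v in analyse(SAMPLE_EVENTS):
        print(f'{v["verdict"]:5} pid={v["pid"]} -> {v["dst"]}  '
              f'chain={" <- ".join(v["chain"])}  ({v["reason"]})')
```

The first connection is allowed (explorer.exe started the browser), the second is blocked because rogue.exe sits in the chain of the freshly created browser, and the third is allowed even though rogue.exe drove it: from process-creation data alone the already approved browser simply connects again. Closing that gap means monitoring the inter-process request path (the COM/DDE style hand-off the post mentions) rather than process ancestry, which is exactly what the thread says the existing controls do not yet do.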
     
  6. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    lol Longhorn, what's that? *Blaze puts halo over his head* lol
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    >> Longhorn, what's that?

    Psst!! Blaze...
     

    Attached Files:

  8. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Is that the new Windows operating system I see there?

    Must be the southern Windows version.

    Hmmmm, looks insecure, kinda heavy and bloated.

    It looks like it's by itself, means it doesn't get along with other programs.

    It must be made by Microsoft lol
     
  9. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA