ZoneAlarm Pro Serious Security Vulnerabilities!?

Discussion in 'other firewalls' started by ronny, May 31, 2006.

Thread Status:
Not open for further replies.
  1. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Interesting read here
    Did i waste my (hardearned) money when i bought it (several licenses)?
    Any comments?
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
  3. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, All: I have read a while ago when the author posted his findings on this forum(but has been removed since). Up to this day, we are still awaiting ZA's official response. What If somesone would purchase the CODE(they are offered for sale on his web site) and commencing hacking? I rather not to image.:mad:
     
  4. olap

    olap Registered Member

    Joined:
    May 20, 2006
    Posts:
    95
  5. matousec

    matousec Registered Member

    Joined:
    May 17, 2006
    Posts:
    32
    Hello, we are also awaiting ZA's response.

    Anyway, we will not sell our work to malware creators. Our analysis is intended for vendors and pen-testers. We will not sell our products anonymously - this should discourage those that want to create and spread malware with it.
    We will also publish bugs for free regularly (probably since 01/07).
     
  6. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, this is exactly the kind of attitude and approach i am expecting from you. I do admire your excellent work, you are a new kid on the block, carry on your goodwork, surely the viewers will support you all.:thumb:
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So who can buy this code except ZoneLabs and hackers? I am confused.
    Also I am still confused what is the aim behind all this?
     
  8. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    Last I recall this was posted, the Moderator deleted the entire thread.

    The security tester should submit his list of 'vulnerbilities' to Secunia to see if it holds any value.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That link was removed recently by one of the leaders of Wilders, don't remember who.
     
  10. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    After having read the allegations made by matousec regarding Zone Alarm, I am not convinced that the conclusions are sound. The page seems littered with errors. From the "Tested version" section where the differences between Zone Alarm Pro and Internet Security are erronously described to the "Security" section where the author makes unfounded allegations about Zone Labs' programmers and their ability to program under Windows NT.

    I hesitate to make the same mistake as the author of the referenced "tests," but I am willing to bet that the author's obvious financial motivations have tainted the author's ability to objectively evaluate the software. Furthermore, my conclusion is that these findings are without merrit. My guess is that Zone Labs will not respond to these findings because a response would only give credibility to these findings and I'm not convinced that the findings are deserving.
     
  11. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    A similar thread has been posted on the ZL forum (which is now locked) and the forum moderator has replied to it. His words can be almost taken as the offical stance of ZL on this issue:
    http://forum.zonelabs.org/zonelabs/board/message?board.id=security&message.id=15510

    Like what the forum moderator said, any respected security researcher would disclose vulnerbilities to the software company concerned and notable websites like Secunia for no fee. Asking for money just causes people to question your motives and legitimacy of your "results" and is more likely to be a scam.

    I am just surprised that the Wilders Security Moderator haven't deleted this thread like the previous one that was posted here.
     
  12. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    People tend to trust those who have no financial incentive when testing products.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't mind that the link isn't removed this time. Both, good and bad things need to be said.
    I don't know if it is true or not, only firewall experts can be the judge of that.
    Why selling all these bugs anyway? Good grief, $260 for one bug, that's blackmailing.
    Must be a new way of making money on the internet. LOL
    Meanwhile I keep on using ZoneAlarm (free or pro), because ZoneAlarm is much cheaper than its so called 'bugs'. :D
     
  14. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,all: after reading the locked link to ZL, I just could not believe what I have seen. ZL is a leading player in cyber security, everyone including myself is looking up them for leadership and guidance. In the wake of wild discovery of potential and perhaps critcal flaws in their flagship app by a NEW kid in the block, they are panic and act like a chichen w/o head. First, they discredit the author then choose not to act and react by hiding their head(only if they luckily find one) in the sand. Some folks may be old enough to recall the auto giant(not any more) FORD/pinto sega, same pattern of reaction has been followed. At the end, FORD paid for their mistakes very dearly. The author may have some ethical problem by offering his findings for $$. By the same token, ZL sell their work to for $$$ as well. Who is ethical and who is not is question of your judgement. My main concern now is that what IF(hoping it is a big IF) his findings have somewhat merits, and ZL still sit in an ivory tower looking out refusing to do ANYTHING, are our wellbeings in this cyberworld been protected. We have paid ZL $$$ for protection and the PROTECTOR is trying sidesweeping their problems under the carpets. A kind word for CTO at ZL, this is the time for you and your interllectuals to show us that you do CARE!:mad:
     
  15. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    If you visit that "security" website now, you would see that they have done a test on Kerio and also found a long list of "bugs" for Kerio and advise people not to use Kerio and switch firewalls. I wonder what is Sunbelt Software's official take on the matter. I would not be surprised if its the same:
    http://www.matousec.com/projects/windows-personal-firewall-analysis/Kerio-Personal-Firewall-4.3.246/

    If they want to charge thats up to them but at least file the bugs say to Secunia to have the bugs verified. Charging for the "tests" and not having someone external verify your work just raises your questions. From the forum moderator's answer, ZL is aware of the tests but they are also aware that it may be a scam and are not willing to for out big cash especially for work that is not verified or even picked up by a editorial board. I just think that this just calls for the use of common sense (which is not common these days) and not jumping onto everything that is claimed to be a bug.

    P.S. ZL doesn't sell all their firewalls. ZA (free) is still available for free. Those who buy did so voluntarily because they'd like a feature that is not present on ZA (free) or they don't mind paying for a high-quality firewall.
     
    Last edited: Jun 3, 2006
  16. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    The dilemma arises though, when supposedly agnitum has apparently asked matousec to test thier new version 4 firewall,therefore giving them some credance in thier ability to fault find etc.I dont know whther they are genuine or not ,however thier wording regarding kerio and ZA seems provocative to say the least.
    ellison
     
  17. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Perman,
    Your reasoning is seriously flawed. Based upon your logic, Zone Labs should pay me simply because I claim to have bugs for sale. If that was how things worked, then I would be rich. Furthermore, Zone Labs selling their security software that is designed to protect is not the same as selling ways to exploit Zone Labs software. Based on that logic, Microsoft is the same as cyber criminals that sell bot networks.

    As an industry leader, Zone Labs is doing just as it should, contrary to your conclusion. You think that Zone Labs should heed to every extortion attempt from every "NEW Kid" on the block. I disagree. The individual(s) behind this so called "finding" may very well be kids simply trying to earn a fast buck. I would be willing to bet that smart business men or women are not behind this. I think this inference can be drawn from the manner in which they are operating.

    Ellison64,
    Your intuition seems correct. Their wording is provocative, indeed. I would go further and label it suspicious. Their modus operandi only adds to that suspicion.
     
    Last edited: Jun 6, 2006
  18. FirePost

    FirePost Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    212
    Anyone that visits the site and reads the blog will see that Agnitum only asked that the testing be carried out on the forth coming version 4 rather than the current 3.51. That is not the same as asking for a test. From the blog.
    Better stated and more correct:
     
    Last edited: Jun 8, 2006
  19. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    Whichever way you interpret it though ,agnitum (according to the blog) seems to be a willing participant in matousecs testing methods ,otherwise they wouldnt have even acknowledged them imo.
    ellison
     
  20. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,Dallen: Just came across your comments. I like to take few minutes just to let you know my reasonings behind my earlier views, NO intention to escalate ANY furthur debates. You have a good academic credentials around your waist, I do respect you. As you know any leader in any field, in order to continue growth, they must keep their minds OPEN, I mean open to any suggestions from right to wrong, and never SHUT their ears or TUNE thier receiver on selective frequency. This NEW kid on the block, could be just as young as your grandson with lots ideas, his behavior to solicit $$ for his work may leave bad taste in somepeople's mouth, but it does not constitute any intention for extortion(as you label it); not just targeting ZA. The refusal from ZL to deal with these alleged flaws and LOCK the link to this matter on their forum just illustrate something fishy on their part. Again, a very kind for CTO at ZL, this is the black cloud on the horizon, be wise to deal with it before it becomes a catagory 5 hurricane. This kid has mentioned(not a threat)that he will publish his findings in public in Jan, 2007. Be there folks, and be a judge. BTW, ZL has upgrade ZA pro to V 6.5 700, is it still vulnerable to these findings(or should be called threats).
     
  21. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    What i find a bit disreputable is that matousec said that they were waiting for ZAs response and yet still slagged thier product off publicly at thier website..Now if there were serious bugs in ZA and matousec are a proffesional company or whatever that charges for thier services,then surely they would have approched ZA and sunbelt ,covertly ...explained thier findings etc etc and maybe ZA or kerio might have been more favourable in thier approach to matousec..Perhaps they did this but i see no evidence at the site regarding this.To most observers it looks like matousec have found faults (allegedly) ,then published the fact publicly on thier website and discredited ZA and kerio ,with an offer to disclose the "bugs" for money.The fact at present though is that millions of people use both these products withot much complaint or problems with thier security.
    ellison
     
  22. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: furthur to my previous posting, I have received a private message from matousec indicating that there are two errors needed to be addressed. First is the date for public release, it is july 1,2006 rather than jan.1,2007. Secondly, the scope of releasing info is limited to a few but regular, rather than all bugs. And the products subjected to testing are not limited to ZA products.
     
  23. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    On July 1, 2006, it sounds like we will find out for sure if matousec's claims are legit. We've already learned that matousec's business practices are ethically irresponsible. My decision, if I were running Zone Labs, would be to give this matousec the attention he deserves. None.

    Do you think Zone Labs became the industry leader by developing an easily exploitable firewall? This is not to say that Zone Alarm is impenetrable, but it is certainly among the best on the market.

    Negotiating with matousec and paying for the "exploits," and I use the term loosely, would be a lot like negotiating with terrorists. The instant you go down that path there is no return and you give everyone a financial incentive to become a terrorist. Some may say my analogy is extreme because matousec is not a terrorist. I agree, he most certainly is not. However, it seems matousec is attemping to take Zone Labs "hostage." First he says, I have keys to your palace and if you want them back you must pay. Sounds like extortion to me.
     
  24. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Dallen.

    It's difficult to say. My perception at least is that on the home user market, it's reputation as the leading firewall was helped by good marketing strategy rather than pure technical expertise, not to mention excellent PR help from Mr Steve Gibson.

    I'm not going to weigh in on whether it is right to pay money for vulnerabilities, but you might not be aware that such a practise is certainly being done on a fairly large scale by big security companies who offer bounties on serious vulnerabilities, and such information is then used to protect clients which include big fortune 500 companies and government entities.

    Compared to the sums of money paid by such companies, what matousec is asking for is peanuts really. Of course, I seriously doubt if what matousec found is comparable , but what is sauce for the goose..........

    I personally would support the efforts of Matousec , they look creditable enough to me on first sight with a fairly comprehensive testing methodology. Certainly they exhibit knowledge that surpass the typical run of the mill poster here, even some credited with the "expert" tag (no offense to the experts with that tag).
     
  25. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    Mr. Gibson is quite knowledgable and his endorsement usually is indicative of solid software. PR from the mouth of Mr. Gibson occurs after the development of a good firewall. I do not dispute your thoughts regarding the power of marketing.
    By "bounties on serious vulnerabilities," I think you are referring to companies that offer rewards for individuals that are able to discover vulnerabilitites in their own software. If that is what you mean, that is a completely different animal and it is far more ethically sound.
    From an ethical perspective, my view is that the amount being "demanded" is irrelevant.
    You are of course entitled to your opinion just as I am. We will have to agree to disagree on this point. Your point is well received.
     
Loading...
Thread Status:
Not open for further replies.