ZoneAlarm Pro Serious Security Vulnerabilities!?

Discussion in 'other firewalls' started by ronny, May 31, 2006.

Thread Status:
Not open for further replies.
  1. matousec

    matousec Registered Member

    Joined:
    May 17, 2006
    Posts:
    32
    Hello everybody,

    this thread seems not to be about vulnerabilities in ZA any more; it is now more about ethics. I respect and welcome all replies here because they show me your reaction, and this is very important for me and my group. You know that I do not agree with many of you, just as many of you do not agree with me and my group. That is common in the real world, I think (and no, I will not call you terrorists because you do not agree with me ;) ).

    I could present many arguments against the biggest opponent (dallen) of ours but that is not my point. If dallen is interested in my thoughts he will PM me.

    What I want you to think about is the difference between our group and so-called 'penetration testers' or professional betatesters (PT). Like PT, we also have our own methods, exploits and tools that we use to find bugs and vulnerabilities. These are not public property and can hardly be public if we talk about commercial groups. If PT publish their exploits, they will soon find nothing. Of course they can use well-known exploits and tools, but such an audit would be good only for very poor companies.

    There are probably only three differences between us and PT. The first is that PT are always paid even if they find nothing. We are paid only if somebody is interested in our results and only if we find something. The second difference is that the initiator of the analysis of PT is usually the target company. In our case we are the initiator of tests. And the third difference is that our results are available not only for the target company.

    Both of us are commercial and sell vulnerabilities, bugs, etc. Like PT, we do not force anyone to buy our results. If vendors are interested, they can buy our results. However, we will not say that some product is good and secure if we know (and we can prove it) that it is not.

    I believe that most of you respect the position of PT and do not call them terrorists. And you probably consider PT to be good guys. Now, do you think those three differences between us and PT make bad guys of us? I do not think so. But do you?

    BTW: We are going to prove that our results are real, just be patient. It is very probable that in the first week of July 2006 we will start with public advisories. We will probably present only one bug at that moment, but from then on probably about 1-5 bugs will be released every month for 1-3 products. You will be able to read the description of the bug, understand it, download the testing program (including source code), run it (at your own risk, of course) and see the result (e.g. BSOD).

    Thank you and have a nice day.
     
    Last edited: Jun 10, 2006
  2. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    matousec,
    Your desire to operate out of the public's eye seems consistent with your unethical business model. I no more desire to communicate with you in private than Zone Labs desires to do business with you.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm looking forward to this because of course we all want to know if your claims are really true. But I have a question (I'm no expert): what do you mean by "Locally exploitable bugs"? Does this mean that apps running on your system are able to completely bypass the firewall?
     
  4. matousec

    matousec Registered Member

    Joined:
    May 17, 2006
    Posts:
    32
    dallen: I just did not want to be off-topic, that is all. I am not sure what your connection with Zone Labs is, but we are in contact with Zone Labs; they are interested in the case, they want to solve the problem if there is any in their software, and they are not offensive like you. They have behaved correctly during our communication. So I cannot see where your information that ZL do not want to communicate with us comes from. Whether or not ZL will do business with us is still an open question; neither side can confirm your words.

    It seems that it is you and only you who wants to make bad guys of us. I do not know why. I would really like you to PM me to explain to me why you say things here that are not true. I am interested in your thoughts and I would also like to explain things to you, but I think all this is off-topic and should be discussed in PM.



    Rasheed187: Our definition is in the methodology reference in the bugs section on our site. Simply put, if the bug's character is said to be Complete system control and its exploitability is local, then yes, apps running on your system are able to completely bypass the firewall.
     
  5. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    You are entitled to your opinion just as I am.

    No. We are talking about third-party companies, akin to but not quite like the Pen Testers (with their own special tricks...) that Mat mentioned before. It's hardly a big secret.....

    See http://labs.idefense.com/vcp.php for example, even though this is hardly news...
     
  6. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    About Dallen

    Relax, it's just one of Dallen's pissed-off issues of the month/year. Once he has some target set in his eyes, there is no turning back or changing his mind.
     
  7. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    We seem to be getting an entirely different idea from what Zone Labs Forum Moderator is saying:
    http://forum.zonelabs.org/zonelabs/board/message?board.id=security&message.id=15510

    Seems that ZL's "more official" stance is that they are not trusting you. Note that the forum moderator does not normally lock or delete threads with regard to vulnerabilities found in ZA in the past, so that users can discuss them freely (unless it was already posted before in another thread, to prevent repetition). The thread that had your "vulnerabilities" instead was locked, which is rare.

    Wilders Security moderators deleted your first thread about these "vulnerabilities" too.
     
  8. matousec

    matousec Registered Member

    Joined:
    May 17, 2006
    Posts:
    32
    This is probably an action of someone who is not in contact with representatives of ZL because in mails from ZL there is nothing like this. This means that what you write can hardly be an official attitude of ZL.
     
  9. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I have to agree with Dallen on this one. While matousec really may have discovered vulnerabilities, in both Kerio and ZA, the way that matousec has published this leaves a lot to be desired, and does seem to be holding the companies concerned to ransom through spreading fear and suspicion through their userbase. First of all, is it really ethical to say
    "We do not think there might be a worse personal firewall from the security point of view than Kerio Personal Firewall 4.3.246. We strongly recommend all its users to change the personal firewall" while not actually showing the millions of users what the problems are? Matousec, have you actually contacted Sunbelt about the vulnerabilities, and have they responded? If yes to both, then maybe you should explain to readers what their and your response was, to warrant your site comments, and maybe get more people to understand your methods. The same goes with ZA. If you were/are in contact with Zone Labs and they want to "solve the problem", then why spread fear and mistrust of their product before giving them the chance to fix it?... or was that the intended purpose of your reviews? Because that's how it comes across to me. If you found problems and ZA told you to go away, then by all means make it public, but giving the reader a little more info regarding this would be more appropriate in my humble view..
    ellison
     
  10. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Devil's Advocate
    Absolutely. Just because we do not agree on a particular topic does not mean we cannot discuss the matter. After all, is this not how ideas change and people learn?
    Thank you for clearing this up. Obviously, I did not understand what you were talking about.


    matousec
    I have no official connection with Zone Labs, I am simply a customer.
    You have changed my mind. I will be sending you a PM explaining my position and will await your response. I am currently out of town and will be traveling today, so the earliest you should expect the PM is later tonight or early tomorrow morning.

    Devil's Advocate
    You could not be more wrong. However, this goes back to having your own opinion and I will respect yours even if I completely disagree with it.


    ellison64,
    Thank you for agreeing with me.
     
  11. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    The forum moderator is in fact from ZL and is the only one who can easily communicate with the development team and pass down any news from them. Even the gurus on the board do not have this privilege, and when they want to contact ZL, they have to do so via the normal tech support email and get their reply only a few days later.
     
  12. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Briefly and IMHO. I've read this topic, about ethics, about how ZL should deal with such cases, "terrorists" etc. It's like hearing the CEO of ZL discussing the issue in his administration board. I am the end user customer. My concern is the safety of MY PC, not the ethical problems or blackmail ZL has to deal with.

    To use a similar example as before, one may phone Ford and say that he has discovered that in particular driving conditions the car gets out of control, but wants money to reveal these conditions. Now, suppose that I have bought that Ford car; what is my concern? Not to be killed, or whether Ford has to deal with ethical problems? Isn't it an ethical problem for Ford towards me, the driver, that she knew about a potential danger and let me drive the car anyway? OK, let's say that the person that phoned Ford is unethical; what does this make Ford towards me? Ethical?

    IMHO, if these exploits are REAL and are exploited maliciously, the fallout will be a lot worse for the reputation of ZL, because the client will simply lose faith in the firewall, just like I don't trust Kerio firewall 4, since I've been using it from the early betas and it has caused me so much trouble with bugs that I simply won't use it even if they tell me that it's OK. If I were ZL, to protect my reputation, I would buy 1 (as a sample) of the supposed vulnerabilities. If it's true, then it would become serious. If it is not, I would make a joke out of the author, divulging the results with all means available and then sue him, if not for fraud, at least for maliciously blackening the reputation of my leading product (and I suspect the court would grant me a compensation well over 200$). But as I said before, that's not MY problem. It's ZL's problem. ZL has to decide on what's better for her reputation; I have to decide what's better for the safety of my PC.

    Now, I say openly that I use ZA Free, so anyone can reply with "you didn't buy it, so why complain?". But I don't think it would be a rational reply, but rather a sophism. If I had ZA Pro, I would have wanted the same thing. No matter if your parents give you a car or you buy it, you want it to drive safely. That's the bottom line for me.

    Regards
     
    Last edited: Jun 12, 2006
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, your logic is wrong. It's rare for cars to have big issues so often. On the other hand, software is never so complete; it always has vulnerabilities, and if you cover one, another comes. (BTW, I don't mean that ZA people should not care for this, but the way of these so-called analyzers is just like blackmailers. I really hate this attitude. Why don't they make a firewall themselves without serious vulnerabilities if they are so capable, and people will be happy to pay them money in that case. They seem to be destructive minded rather than constructive.)
     
  14. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    You're right. Cars don't have problems so often. The issue is still there though. You keep saying what ZA people should do. I don't know what you are; I know that I am an end user. So, if I get hacked, or my father's business is, and I get to know that it was part of these famous vulnerabilities, should I be angry with ZL or not? Or should I feel OK, because I support ZL in their ethical confrontation with the author, while I HOPE that those vulnerabilities are not real?

    In my opinion, there are two things. Many things in life are unethical. But blackmail is illegal, not unethical. So, to get things straight: if this is blackmail, ZL should sue him. If they believe it's a lie, they should sue him. Leaving it pending in mid air doing nothing is only damaging their own figure, even if the author for moral reasons can be seen as immoral. If it's unethical, they should figure out what's better for their reputation. If their end users get hacked, they won't care about ZL's ethics. That's what I'm trying to say.
     
  15. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    P.S: ZL is in the security camp, not just any software. Leaving supposed "critical" vulnerabilities without any other reply than "it's immoral", "they're blackmailing us", "we don't know if it's true" isn't very reassuring for the customer, at least in my mind. You don't want to pay? Then make your staff find them themselves, so that no other guy from outside can claim he found them first. You claim it's blackmail or a lie? Fine, sue him; both are illegal, so that your customers can come to your support and back you up against him and let the Law judge who's right.
    But leaving it like that? If they keep accumulating "vulnerabilities", it will simply acquire the fame of Sygate, which never bothered to close the proxy vulnerability, or IE6, because they don't bother to fix the holes quickly. What will ZL keep saying? "It's always that author who keeps finding supposed vulnerabilities, so don't believe him, because it's immoral"?

    Today's society is about being paid for everything, not morality. I'm a medicine student. You've no idea of what deals happen behind the back of the masses of people to promote a drug, or how to grab first a "potentially" or "promising" molecule from a small independent research center before another drug company grabs the patent on it, or the "blackmail" that you, as a patient, get, even if you don't know it, just because your doctor is taking "rewards" from a certain drug company to prescribe HER drugs to you instead of another drug that may be even better or cheaper, but is from another "competitor" company. Or do you ever wonder how drugs approved by the state authorities as safe sometimes happen to be proven later dangerous for health? Because "blackmails" happen all the time to doctors who do the trials, to state officials etc., in order to accelerate the release in commerce. And people get scandalised for 150$ about a firewall?? :D Ok, one can be scandalised, but for the end user, I don't think it can be left like that forever.

    Anyway, I'm not trying to convince anyone, and usually in a forum you don't convince anyone. I just wanted to say my opinion from the POV of how a user feels, not how ZL feels. I mean, I use ZAF because I think it's safe, not only because it's free. They give a free version, so it's good for them too. In a couple of years, when I'll be a doctor and won't mind so much about money anymore, if I still have faith in ZL, I'll probably buy the Pro, since I like ZA (that's the idea behind free versions anyway). But if I don't have faith in ZL's policy anymore, I'll go buy another firewall, since the choice of paid firewalls is much wider.

    Regards
     
  16. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Hyperion,
    The real question to be asked is whether you will "buy the Pro" with money that entered your pocket as a kick-back from a pharmaceutical company. I hope that you become part of the solution and not part of the problem.

    Regarding your Ford analogy, I think it would be prudent for Ford to at least look into your claims of discovery. It could even be negligence if they did not. However, they should do so quietly, so as not to invoke fear in their customers for what may later prove to be no good reason.
     
  17. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    I have been communicating with matousec privately (something that I had previously stated I would not do) and my opinion has changed (not entirely, but rather partially).

    Contrary to Devil's Advocate's earlier statement:
    which I consider to be total crap. I do not target companies or individuals and I most certainly maintain an open mind, which is subject to change. In fact, my opinion of him/her recently changed.

    My exchange with matousec has caused me to reconsider my stance. In my message to matousec I informed him that ethics are based on values and values are a function of cultural norms. Therefore, what may be unethical to me based on my beliefs and values may be perfectly acceptable to a person raised in another culture. However, I maintained that what he was doing and the way he was going about it did not sit well with me.

    After having taken the time to better understand his points of view and learn a little about his thinking, I find that my initial conclusion was both premature and overly harsh.

    I do not retract my words, nor do I entirely withdraw my conclusion. However, my "terrorist" comments that compared matousec's approach to that of a hostage taker were inaccurate. matousec seems like a businessman whose intentions are to profit from the improvement of security.

    Zone Labs should, in my opinion, maintain their position publicly while privately exploring whether matousec's claims are legitimate. Not exploring the possibility could be seen as being negligent in the future.
     
  18. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    I hope I will be part of the solution too, and maybe I'll accompany my ZA Pro order with a certification that I didn't use immoral ways to earn the money with which I'll pay, since ZL's policy is revolving so much around morality :D Everyone has to deal with his own conscience, not only with the law. If I were matousec, I would have conscience problems, but he is not me, and unless ZL considers him to be acting illegally, the way he wants to make his money is a secondary concern for me, the end user. In the end, the user has a relation with ZL, not with Matousec.

    I agree with your Ford comment too. But we keep talking of how Ford/ZL sees the issue. The problem here is that the issue has gone public and ZL doesn't seem to care. This isn't "news". I've heard of this claim some time back. It's public. And it seems that ZL has still done nothing to approach the immoral author or take any action, for what it matters. So, I would like to understand, according to you, an average ZA user that happens to read matousec's site or the ZL user forum, or reads this news on various sites, not necessarily specialized in security, but off-topic, what is he going to think? Sympathize with ZL and think "oh, heck, that matousec is just another lunatic script kiddie who wants money selling hot air, poor ZL, no discussion with blackmailers!"? I sympathize with ZL, but I like my PC more.

    I mean, is there a worse fear than uncertainty? You've studied psychology. I think the users will feel MUCH more relieved to know that ZL has taken legal action against him, or that they have publicly denied his claims, or that they are otherwise negotiating with him, or that they have admitted the vulnerabilities are true and will be fixed. I guess we'll have to wait till July and see if the released "free" advisory is real or not, and whether ZL will then decide to do something about it or will continue to ignore the issue because of the immoral means the author uses.

    Anyway, from the replies till now, I guess most users take ZL's sentiments into consideration as first priority, although it comes as a surprise to me, but human nature is an abyss.

    I really have nothing more to add; I'm starting to repeat my previous posts.
     
  19. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Regarding the "legal action" proposition, I cannot speak to whether matousec has violated any laws. I am sure, however, that Zone Labs has very capable legal representation that will make that determination. That being said, one would have to ask if doing so is a good business decision. After all, wouldn't it be cheaper to simply buy the potential exploits and prove whether matousec is right or wrong?
     
  20. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: So much has been debated, discussed and concerned. The issue or so-called problems still have not been dealt with by ZL (at least publicly). We can debate the legal issue between ZL and the KID all night long; what about the class action suit which may arise due to the negligence of ZL? Another kind word for ZL, this time for the CEO: it is time for you to speak up, telling your loyal clients what your position is on this critical issue. Are you still sitting in your ivory tower looking out at the black clouds? My grandfather often told me: when it rains, it often pours. I do hope your roof does not leak.
     
  21. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    You are probably right. I don't know if it can be legally defined as blackmail; if yes, in that case ZL may profit, not so much economically speaking but as policy, to "cut the knees" of any future "matousecs" that would dare to think of doing the same. If the vulnerabilities don't really exist, it would again be a nice lesson to others, plus it could be used as promo to show that "ZA is a secure firewall and even certified by a judge".

    If we go even further, it may be even cosier for ZL to... hire matousec, if it comes out that he did find these vulnerabilities. I don't say either that ZL MUST take legal action. What counts for me much more than the above, which are ZL's headaches, not mine, is that as a user I would expect ANY kind of action. Something. Like I wrote before: "I think the users will feel MUCH more relieved to know that ZL has taken legal action against him, or that they have publicly denied his claims, or that they are otherwise negotiating with him, or that they have admitted the vulnerabilities are true and will be fixed."

    My problem is that from ZL there has been silence since this issue came up. I would feel more reassured for the time being with a statement like "ZL is aware of the claim and is currently conducting extensive testing of the firewall in order to determine its next move and the seriousness of the claims". Instead, silence; they close the topics in the forum and everyone is happy. From that, one can assume anything he likes. Are they trying to find out if the vulnerabilities are true, so as to decide on legal action or not? Did they manage to find 1 or 2, so they are trying to find more on their own and avoid paying him for all? Did they find nothing and decide to ignore him, because they don't want this issue to get more publicity? Did they find something, but don't want to acknowledge it, because it could lead to a new kind of "matousecs", a kind of "freelance" immoral security analyzers that will follow his example and start this peculiar type of activity (either pay me or I'll say in public that you've got holes in your software)? I don't know. It's like waiting for the doctor to tell you *something*, because the patient on the bed next to you says "Hey, I've seen your symptoms before, you have the "x" disease".
     
  22. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I guess we'll all have to wait and see what the holes are. Considering there's supposed to be so many, I don't hear or see many posts regarding catastrophic security breaches at present of either ZA or Kerio. Of course the holes, if present, should be patched. I still think matousec could do with a good PR guy though, the way this whole issue has been presented and appears.
    ellison
     
  23. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    ...and a good lawyer by the sound of things.
     
  24. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    I agree. For someone "new" in the sector, his approach has been as careful as a bull in a shop selling crystal decorative items. He may be good, he may be a genius, but I doubt he gained many sympathies in either the product vendors' or the users' camp.
     
  25. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    The best place to get good PR (and for free) would be to submit the discovered vulnerabilities to Secunia, have them verify the bug exists and rate how critical the bug is.
     