Is this hole still there?

Hello folks,

Here you can read about a way to bypass ZA Pro, an old flaw that may still exist in other software FW’s. Is it still there?

Read this with care:
http://castlecops.com/t134369-Bypassing_Personal_Firewall_Zone_Alarm_Pro_Using_DDE_IPC.html
Like to hear your comments?

greets,

polonus

PS It happened to me in the past once ZA was completely taken out, I had to switch to Sygate for a while. Who of yours truly is switching software FW once in a while just for security reasons? Only use one of course at a time.

polonus

According to Secunia there are no things that are unpatched in ZA.

Another old one Polonus.
When you run it you get the following query from ZA
Deny it and it’s blocked. If you’re stupid enough to allow it, then you’ve
allowed the burglar into your house. ;D

Please see info from Castle cops regarding this vulnerability

Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro) Using DDE-IPC"

Overview:

Debasis Mohanty published a notice about a potential security issue
with personal firewalls to several security email lists on
September 28th, 2005. Zone Labs has investigated his claims
and has determined that current versions of Zone Labs and
Check Point end-point security products are not vulnerable.

Description:

The proof-of-concept code published uses the Windows API function
ShellExecute() to launch a trusted program that is used to access
the network on behalf of the untrusted program, thereby accessing
the network without warning from the firewall.

Impact:

If successfully exploited, a malicious program may be able to
access the network via a trusted program. The ability to
access the network would be limited to the functionality of the
trusted program.

Unaffected Products:

ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
and ZoneAlarm Security Suite version 6.0 or later automatically
protect against this attack in the default configuration.

ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
and ZoneAlarm Security Suite version 5.5 are protected against
this attack by enabling the “Advanced Program Control” feature.

Check Point Integrity client versions 6.0 and 5.5 are protected
against this attack by enabling the “Advanced Program Control” feature.

Affected Products:

ZoneAlarm free versions lack the “Advanced Program Control”
feature and are therefore unable to prevent this bypass technique.

Recommended Actions:

Subscribers should upgrade to the latest version of their
ZoneAlarm product or enable the “Advanced Program Control” feature.

Related Resources:

Zone Labs Security Services http://www.zonelabs.com/security

Contact:

Zone Labs customers who are concerned about this vulnerability or
have additional technical questions may reach our Technical Support
group at: http://www.zonelabs.com/support/.

To report security issues with Zone Labs products contact
security@zonelabs.com. Note that any other matters sent to this
email address will not receive a response.

Disclaimer:

The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information. Zone Labs and Zone Labs
products, are registered trademarks of Zone Labs LLC. and/or
affiliated companies in the United States and other countries.
All other registered and unregistered trademarks represented in
this document are the sole property of their respective
companies/owners.

Copyright: (c)2005 Zone Labs LLC All rights reserved. Zone Labs,
TrueVector, ZoneAlarm, and Cooperative Enforcement are registered
trademarks of Zone Labs LLC The Zone Labs logo, Check Point
Integrity and IMsecure are trademarks of Zone Labs, LLC. Check Point
Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat.
& TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC.
All other trademarks are the property of their respective owners.
Any reproduction of this alert other than as an unmodified copy of
this file requires authorization from Zone Labs. Permission to
electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are
reserved by Zone Labs LLC.

Hello P3t3rb0nn,

Good to hear the latest version of ZA patched it. Good to hear. But maybe other software FW’s still have it. Good to test your variety of Firewall.

greets,

polonus

Yes polonus you are so so right, better to be safe than sorry, and as you only know too well, prevention is always imho always better than cure

Regards p0nn

prevention is always imho always better than cure
Unfortunately sometimes too much or the wrong choice of your prevention can be worse than the cure.....

You won’t get an argument out of me on that point bob :wink: been there done that, at a guess like quite a few of us, however, we tend not to make the same mistake too many times over, fingers crossed ;D ;D

Hi folks,

The hole is still there for ZA free, as you can read here:
http://www.uniras.gov.uk/niscc/docs/br-20050930-00856.html
Here it stinks but only on the ZA Pro and ZA AV, you are protected against this bypassing your firewall.
In what way can you have additional security that prevents this hole being used? Or do users have to leave ZA free for another free software Firewall? Checkpoint has the hole too. Some questions here.

greets,

polonus

You will find that this vulnerability/hole is present in many firewalls and not just ZA using IE. Any firewall and browser may be affected.

I fell into this hole when I ran the proof of concept (PoC) program with Outpost Pro 3.0 (the latest version) and Firefox (whatever your default browser is, it will use that provided it gets past your firewall).

I have a thread in the Outpost forum, but negligible response other than to suggest either ProcessGuard (which I don’t like and installed) and SSM (System Safety Monitor). I have downloaded SSM but have yet to install it (after my next disk image backup) and then run the PoC again and see what happens.

So I suggest that you test your firewall even if you haven’t got Zone Alarm.

Hi DavidR,

About SSM, I personally have this program on my computer now for some considerable time. I cannot but say I am very satisfied with what it does. It is very tweakable. It alerts even before a process being started within a program, if it does not do the same or is altered, or updated. This free version of mine expires at the end of the year, and has to be renewed. And very reliable, because when your system does get terminated in another than normal fashion, it will not start up again. You have to restart again to load it, so it is not affected there. I am full of praise for the makers. A good Russian proggie. I can recommend it strongly.

polonus

I will be installing it on Sunday after my weekly system maintenance and disk image backup.

Perhaps you should try downloading the PoC to test your firewall and see if SSM intervenes.

Hello DavidR,

How do you do your system back-up, I at my job every week on Fridays automatic on DVD in a grandfather-father-son routine. Safety first.

polonus

  1. At least two partitions: 1st: programs and OS; 2nd: settings, data and documents
  2. XXClone (entire clone 1st partition on-the-fly under Windows).
  3. Norton Ghost (weekly in another USB HDD).
  4. Minor copies and backups in CDRW 8)

I take full (not incremental) backup images of the partitions on my primary HDD to a second HDD which is only used to store backup data.

I take an image weekly and it is a full image not incremental, and Drive Image (DI) retains a count so I keep 5 weekly images; it deletes the oldest and creates the new image with the next number, e.g. C_Drive006.v21, etc. So I keep 5 copies so I have a Great, Great, Grandfather and his offspring ;D I also take daily backups of my volatile data files (docs, email folders, favourites, address book, etc.), using a little mirroring tool and batch file for this, which keeps the two data backup folders in sync.

So worst case scenario is 6 days loss of programs/tweaks, etc. and 1 day’s worth of volatile data.

Only recently installed a DVD re-writer, but I prefer to keep the backups on HDD. I know the flaw is in the fact that it is all on the same system, but that has worked for me for many years. I am however considering a DVD-RW back-up strategy as my DI v7 can back up to DVD where DI 2002 couldn’t.