
bcastner
MVM
join:2002-09-25
Chevy Chase, MD

1 edit

2 recommendations

bcastner to Cudni

Re: MS update KB951748 and ZoneAlarm --- PROBLEM

The issue with different versions I think can be traced to how well the HIPS side of things handles the multiple new files used to replace the core of the TCP/IP stack. This would explain matters if an uninstall/reinstall, or reset to defaults did work for some versions.

For cases where it does not, I suspect the problem lies not in "bugs" with the DNS Hotfix, but with the nature of the change being implemented.

In the past DNS essentially used the "ephemeral" range of TCP/IP ports, and a very narrow one at that. Part and parcel of the DNS Hotfix is to expand this range in a big way. This is to allow greater randomness, as the Port used is the basis in many cases for the identifying transaction ID that controls the security of the DNS process. This larger randomness value reduces significantly the ability for a DNS spoof to happen.

It is this port expansion by DNS that I believe certain versions of Zone Alarm (and probably other firewalls) cannot handle. Moving the slider to "Medium" likely controls how narrowly and rigorously port enforcement is done by Zone Alarm. The DNS Exploit Hotfix changes the DNS ephemeral port usage in substantial and significant ways. This has to be done in order to make secure the entire DNS system. There is nothing buggy about it, it is part and parcel of the necessary changes being enforced by the Hotfix.

My opinion.

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

said by bcastner:

For cases where it does not, I suspect the problem lies not in "bugs" with the DNS Hotfix, but with the nature of the change being implemented.

Indeed, if it was a bug in the fix there wouldn't be just ZA users losing connection. In one of the posts above a ZA user allowed a few more ports in High settings, which removed the restriction of the inbuilt rule blocking the update. It surprises me that the ZA database is somehow acting abnormally in respect to the files updated this time.

Cudni

bcastner
MVM
join:2002-09-25
Chevy Chase, MD

1 recommendation

While I think HIPS updating is part of the issue for some versions, I suspect the larger range of ports being used by DNS explains why clean installs do not resolve the issue for some versions, and moving the slider "works".

Unfortunately for those using such affected versions of Zone Alarm, there will be no backdown on this change. It is at the core of what is necessary to do in order to increase the randomness of DNS transactions, and it is fundamental to the problem and its resolution.
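
The port-range point made in the posts above, as an added example that is not part of the thread: this Python code classifies the UDP source ports seen on outbound DNS queries and lists which of them a source-port allow rule would drop. The sample ports, the `LEGACY_RULE` range and the `narrow_span` threshold are constructed assumptions, not values taken from ZoneAlarm or the hotfix.

```python
import math

TXID_BITS = 16  # the DNS transaction ID is a 16-bit header field


def assess_source_ports(ports, narrow_span=1024):
    """Classify observed UDP source ports of outbound DNS queries.

    narrow_span is an assumed threshold, not a value from the thread.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    span = max(ports) - min(ports) + 1
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(set(ports)) == 1:
        verdict, port_bits = "fixed", 0.0
    elif len(steps) == 1:
        # A constant stride (e.g. +1 per query) is predictable, so the
        # port adds nothing to what an off-path spoofer must guess.
        verdict, port_bits = "sequential", 0.0
    else:
        verdict = "narrow" if span < narrow_span else "wide"
        # Upper bound: assumes ports are drawn uniformly from the span.
        port_bits = math.log2(span)
    return {"verdict": verdict, "span": span,
            "guess_bits": round(TXID_BITS + port_bits, 1)}


def outside_rule(ports, allowed):
    """Return the ports a hypothetical source-port allow rule would drop."""
    low, high = allowed
    return [p for p in ports if not low <= p <= high]


# Constructed samples, not captures from any real host.
PRE_PATCH = [1030, 1031, 1032, 1033, 1034, 1035]
POST_PATCH = [50213, 61877, 49302, 58841, 53120, 64990]
LEGACY_RULE = (1024, 5000)  # hypothetical firewall rule, for illustration

if __name__ == "__main__":
    for name, sample in (("pre", PRE_PATCH), ("post", POST_PATCH)):
        print(name, assess_source_ports(sample),
              "dropped:", outside_rule(sample, LEGACY_RULE))
```

With these samples, the sequential set leaves only the 16-bit transaction ID to guess, while the randomized set adds roughly 14 bits and falls entirely outside the narrow allow rule.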