

EmilioG
Whats This?
Premium
join:2000-09-19
New York, NY

Zone Alarm security Hole-confirm from Steve Gibson

This is the e-mail reply I got from Steve Gibson regarding the security hole in Zone Alarm:

My e-mail to Steve Gibson of 12-22-00:

>Dear Steve Gibson; I read recently in your news group on Leaktest, that
>you know of a security hole in Zone Alarm but won't say for fear of
>hackers getting a hold of the information. What is your current position
>on this and is Zone Labs aware, are they doing anything to prevent a
>future problem? Your comments would be much appreciated. I thank you in
>advance.

Steve Gibson's reply:

I helped to bring this to Zone Labs' attention, and they now have a dialog
open with the folks from Diamond Computer Systems who engineered this
exploit. I've told the Diamond folks that if Zone Labs chooses not to
repair this problem they should follow through with their intent of making
the exploit public. What other choice do they have?

However, for what it's worth, this is the sort of thing that *ANY* software
firewall would be victim to.

Best wishes for the New Year!
______________________________________________________________________
Steve.
>12 -24-00

Maybe an e-mail to Zone Labs is next. Who is Diamond Computer Systems? Has anyone heard anything about this security problem in ZA?
--
Regards, Emilio
Support Amnesty International

[text was edited by author 2000-12-29 14:49:06]


2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave

Well, that's about as straight an answer as we could hope for without disclosing the actual details. But then we've discussed many possible 'holes' in software firewalls running on Windows systems in several threads recently.

The fact that Gibson did not make this announcement at the same time that LeakTest results were released is no doubt another sign of his favoritism of ZoneAlarm. No secret for a very long time. Personally, I do see it as a disservice to us all that he didn't announce it publicly earlier. Then the announcement would have read something like:
Problems:
A - every software firewall except ZoneAlarm
B - every software firewall except ZoneAlarm
C - every software firewall except ZoneAlarm
D - every software firewall including ZoneAlarm

But I'm also curious as to why this Diamond Computer Systems didn't come forward with the revelation also. Most curious that so many people are so reticent to reveal this secret ... that isn't so secret anymore!

Congrats, EmilioG, for bringing it out into the light with documentation for the backup.

[text was edited by author 2000-12-27 06:20:47]



EmilioG
Whats This?
Premium
join:2000-09-19
New York, NY

Yes, those are good questions; Why are these people so reticent? Why are they so reluctant to reveal this secret?
I just found it very strange that SG didn't find even one possible vulnerability in ZA. Nothing is perfect, and that is what he was making it sound like.

I have no personal vendetta towards ZA or any particular firm loyalties towards any s/w, I look at all this very objectively and tried to research it scientifically. As you know, I now use ZA, albeit with some problems, and I do like it, I just want to know more.

I'll post any new findings as I discover them. 2K, do you have an address for this diamond company?
--
Regards, Emilio

Its failings notwithstanding, there is much to be said in favor of journalism
in that by giving us the opinion of the uneducated, it keeps us in touch with
the ignorance of the community.
-- Oscar Wilde



2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave

I did a search for Diamond Computer Systems - found one outfit in Canada. Sent inquiry "is this you" to them. Their web page wasn't 'big business' impressive, but Steve Jobs started in a garage on borrowed money....;)



Ausnetwanderer

join:2000-11-03
Down Under

reply to 2kmaro

Firstly a big thank you also for the info Emilio.
A search for Diamond Computer Systems revealed the following and I thought it relevant to post anything to do with this.
There are 2 listings found so far and this is more than likely the one that Steve Gibson is referring to, given they have their own firewall package called 'Trojan Defence Suite' and this site which I think is basically an ISP.

My comment is one of disappointment for people who have read the good things about ZA and on the strength of that are using the product. That is not to say the program is no good any more and everyone go find something else.

The Leaktest release was about 3 weeks ago and no word / update / alert or anything from ZoneLabs in that time. How many are on the mail list? I know I am. How easy is it to send out an advice? It is easy when it's sales oriented.

A hole in ZoneAlarm had to be found sooner or later. The program is too popular and obviously is a thorn in the side of other firewall developers. Users can at least take heart that the hole was discovered and reported by Steve Gibson and not spread through the net within the hackers world.

Trying to Enjoy
John



net7dsl7

join:2000-04-10
San Francisco, CA

reply to EmilioG
Does this also affect the ZA Pro?

[text was edited by author 2000-12-27 07:25:51]



CJ

join:2000-07-18
USA

reply to 2kmaro
Maybe you can help me on this 2k,

I saw your reference to SG being very pro ZA. It just strikes me odd for one reason. If my memory serves me correctly, I remember him "ratting out" the other firewall programs in an instant, and telling what the vulnerabilities were.

Yet when ZA has one, he is hush-hush about it.
Don't get me wrong here, I myself am a supporter of ZA and have used it for quite some time now.

If my observations are correct, then Steve Gibson has just lost all credibility with me. In my town, he would be called a sell-out.

If my observations are incorrect, then let me know.



wheelert$93
T L C
ExMod 2002
join:2000-06-01
Lynden, ON

reply to EmilioG
We really don't know what transpired when Steve Gibson did those tests. I do know the folks that make Black Ice sent me a holier than thou message back when I inquired about its ability to stop unauthorized outgoing traffic. That may be what set that whole scenario up.
--
"Rome did not create a great empire by having meetings. They did it by killing all those who opposed them."



EmilioG
Whats This?
Premium
join:2000-09-19
New York, NY

reply to CJ
I don't know if Steve Gibson's a sell-out. I do know that he waited a year before revealing the results of his leaktest to the public. He gave Symantec a year to get their act together, I don't know about the others. He has been in contact with Zone Labs and Diamond CS, and if you read the e-mail, you know the rest, so far. It's a tough position to be in, but the public has the right to know.
8 million users could be "had".

ausnetwanderer; the company, Diamond Computer systems, they're out of Australia, in Perth I think, I found them this morning after 2K IM'd me about a company in Canada, so I double checked and found Diamond in Australia and Emailed them. I'm waiting for them to write back. I also wrote to Steve again to get his response to other questions. And
*BTW, The Diamond CS program is not a firewall, it's a trojan scanner. They don't have a firewall as far as I can tell.

I'll reserve judgement. I don't have all the facts yet and may never have all the facts, but like I posted once, I question everything. ZA and ZA Pro are still good products, but nothing is perfect. That's why there are always updates and upgrades, and for a free program, they're not doing too bad.

I'll post any news as it develops. EG

[text was edited by author 2000-12-27 12:34:14]



Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:2
Host:
Security Product V..
Security

Since Gibson mentioned this problem was a sort of problem that any software firewall will be a victim to, I assume this is probably the same vulnerability we discussed a while back in this thread regarding those few seconds of boot up. Those Diamond computer folks must have found a way to exploit it. I am personally somehow disappointed by the way Gibson handled this, but then again I'm not sure what the circumstances were. Perhaps Gibson offered Zone Labs the same thing he offered Symantec and the rest of them, which was enough time to work towards fixing their problems. They didn't do anything and Gibson revealed the secret. Maybe Zone Labs did and is doing something about it and that's why Gibson kept quiet. I don't know what it is but I'll wait to hear the whole story before I make a judgment.
--
You can catch the Devil, but you can't hold him long.



Ausnetwanderer

join:2000-11-03
Down Under

reply to EmilioG

EmilioG you are right about the Trojan scanner/Firewall word choice. Thanks.
Good luck with the email to Diamond. I couldn't find any more references to Diamond Computer Systems.
I am also going to reserve judgement on ZA and Steve Gibson.
Enjoy:)
John



2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave

reply to CJ
Net7dsl - since Gibson's reply to EmilioG stated " *all* " software firewalls, I would take it that it would affect ZA Pro just as much as any other. If you haven't seen the thread that Wildcatboy pointed out here at DSLR, check it out, there are several exploitable weak points discussed there that all software firewalls would be vulnerable to. I kind of get the impression that the one being spoken of is a bit more sophisticated - in actually penetrating from the outside as a pure firewall cracker, not working from the inside out as was mostly discussed there. But that possibility was discussed with regard to NMAP and QUESO also.

cestepp - no, at this point in time without anything else to go on, it is not totally inappropriate to feel some loss of credibility toward Gibson. You might hold off on the execution until all the facts are in - he may actually be responding to an agreement with Zone Labs regarding release of the information, and it would appear that Diamond Computer Systems is 'bound' by a similar agreement of (temporary?) non-disclosure.

Like EmilioG, I've got an email in at both DCS and ZoneLabs asking for any information about it all. DCS says they normally respond to inquiries (I went thru the standard "contact us" message thing with them) within 48 hours.

I am a little surprised that I haven't heard back from ZoneLabs yet. The individual I sent the inquiry to is normally very responsive and quick about it! Somehow I have pictures of a new topic for discussion at today's staff meeting(s) - "Gentlemen, we have received at least 2 e-mails in 24 hours regarding...what are we going to say to these people?... Bill - put your neck out here first and tell me what you think..." that kind of thing.

wheelert - I've received, seen the tap-dancing that NetworkIce folks can do when asked about that tender subject. You're right, could be a similar situation at ZoneLabs.

I'd settle for either of 2 answers from Zone Labs:
1) Here's the problem and here is what/when we are going to do something about it, or
2) Here's the problem, there isn't anything we can do about it because of 'the way it works' - but here are some hints to help protect from this particular problem...

You know - I can't help but think right now: If Microsoft had gotten this kind of attention about each and every one of the bugs in Windows, it would be one hell of an operating system by now (if they also got fixed)! In a way, this and the LeakTest releases actually speak well for all of the software firewalls (well, BID excepted in my book): they are all such reliable products in the eyes of their users that just one or two problems immediately take on monumental importance. Actually, I think that's a good thing. (Whole lot better than having discussions that say 'well, the firewall only crashed twice today, so I'm happy with it' ).



CJ

join:2000-07-18
USA

reply to EmilioG
You say that he knew about the vulnerabilities for a year? Now I'm confused. Not once did I hear or see that he had contacted Symantec about it. I could be wrong on that. But if I'm not, then why did he contact ZoneLabs? Why not just reveal their shortcomings also?

I'm not trying to burn Steve at the stake, but I would like some answers as to his conduct.

Maybe sell-out is a bad word. But what else would you call it? Biased?



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
Scottsdale, AZ
kudos:22

reply to EmilioG
This is really incomprehensible. With as many users as there are with ZA, me being just one of them, and if a known leak has existed for this long, not saying something well before this is a real travesty. That merely leaves all of us users wide open without even knowing it. I find this rather unsettling to put it mildly. I will be looking forward to continued reading on this thread, as I am sure there will be such reading and then some. Thanks for the post EmilioG
--
JKK

Age is a very high price to pay for my maturity, so
if I can't stay young, I can at least stay immature!



bf2
Vincere Vel Mori
Premium
join:2000-05-29
Tampa Bay

reply to EmilioG
Very interesting....makes me wonder if Zonelabs will fix this, or can they even fix it? If Zonelabs can't fix the problem...does that mean that Steve G will still want Diamond to follow through with the intent of making the known exploit public? Somehow that does not sound like a good idea. It reminds me of a few weeks ago when my Zone Alarm Pro was not working, and/or shut down....and all hell was jamming my pc.
So I continue to run ZAP,BID and the Linky with no conflicts.
I can't wait to see how this plays out.
--
Misc DSLR creations from bf2

»www.geocities.com/handcannon_99/dwp.htm



Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:2
Host:
Security Product V..
Security


I keep reading this term "Known Vulnerability" in your posts and I'm thinking to myself, if this is really a known vulnerability then what is it? Can anybody tell me what it is? Have you read any articles explaining what it is? Have you seen any discussion about it on any hacker site? If not, then I think it is not really a known vulnerability, thanks to Diamond and Gibson. Now as I mentioned before I don't know the circumstances and based on the limited amount of information that I have I'm kind of disappointed in Gibson, but then again I'm neither judging him nor am I panicking based on what I know.
--
You can catch the Devil, but you can't hold him long.



bf2
Vincere Vel Mori
Premium
join:2000-05-29
Tampa Bay

Wildcatboy,
I think you may be mistaken about your above post stating that you keep reading the term "Known Vulnerability" in my posts. That's OK...and you can see that I am responding to the above topic starter, and using "exploits"....No problem...I will tell you that I did have Zone Alarm Pro either stop, quit, shutdown, lock-up, or something of the sort. I had no idea that it was not working, until I re-installed one of my copies of Black Ice, and it registered numerous attacks. I like Zone Alarm, and I have posted that which has taken place on one of my computers...also have been in contact with Zonelabs as to try and troubleshoot this one-time event. This event happened with Windows Me. I have had no other problems since that particular day.

--
Misc DSLR creations from bf2

»www.geocities.com/handcannon_99/dwp.htm



2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave

reply to CJ
Someone can correct me if my memory is faulty here, but I believe the timeline on the LeakTest stuff went in a similar fashion. Gibson discovered the weaknesses and informed the makers, they didn't respond in a 'timely fashion' and so he published. It may be that Zone Labs has better, smoother talkers and shows signs of cooperating. If letters like wheelert and I received from NetworkIce about their product indicate the responses of companies like Symantec and McAfee then I can fully understand why he blew the whistle on them. NetworkIce has kept a head-in-the-sand view of their major shortfall since the very beginning. I don't know what McAfee is doing about the problem, but it is to Symantec's credit that they immediately announced a program to fix the holes LeakTest identified: but not until after the results of LeakTest were released!

We don't have the full picture yet - and maybe won't until after Gibson or Diamond release their findings. To make a determination with the very little we have that anyone has been irresponsible is, well, irresponsible!:)

[text was edited by author 2000-12-27 22:44:38]



CJ

join:2000-07-18
USA

reply to EmilioG
Point well taken 2k. I was not aware that Steve Gibson had in fact notified Symantec & Network Ice, and that they did not take action in a timely manner.

So, does this mean we have to wait a year before we find out what the problem is?

What if the exploit is being taken advantage of as we speak? We wouldn't know because they won't tell us what to look for.

That is more irresponsible in my eyes.



Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:2
Host:
Security Product V..
Security

reply to bf2
bf2, my post was not directed at you. If it appeared that way I apologize. It's just that your post was the last one and I simply replied to that as opposed to going to the top of the page. I used the word "your" as plural, meaning all of the posts. Again I'm sorry if it appeared that I was directing my comment towards you. But to answer the last part of your comment, the issue here is not about misconfiguring ZA, it's about a vulnerability that will affect you even if you install and configure it properly. The fact that ZA didn't work on your computer for whatever reason is no indication that the program might be vulnerable. It has been working perfectly on probably millions of computers. Now there's probably a vulnerability that we don't know about, but what it is remains to be seen. As for the Black Ice, well, they don't even believe they have a problem.
--
You can catch the Devil, but you can't hold him long.
