

EmilioG
Whats This?
Premium
join:2000-09-19
New York, NY

Zone Alarm security Hole-confirm from Steve Gibson

This is the E-mail reply I got from Steve Gibson regarding the security hole in Zone Alarm;

My E-mail to Steve Gibson of 12-22-00;

>Dear Steve Gibson; I read recently in your news group on Leaktest, that
>you know of a security hole in Zone Alarm but won't say for fear of
>hackers getting a hold of the information. What is your current position
>on this and is Zone Labs aware, are they doing anything to prevent a
>future problem? Your comments would be much appreciated. I thank you in
>advance.

Steve Gibson's Reply;

I helped to bring this to Zone Labs' attention, and they now have a dialog
open with the folks from Diamond Computer Systems who engineered this
exploit. I've told the Diamond folks that if Zone Labs chooses not to
repair this problem they should follow through with their intent of making
the exploit public. What other choice do they have?

However, for what it's worth, this is the sort of thing that *ANY* software
firewall would be victim to.

Best wishes for the New Year!
______________________________________________________________________
Steve.
>12 -24-00

Maybe an Email to Zone Labs is next. Who is Diamond Computer Systems? Has anyone heard anything about this security problem in ZA?
--
Regards, Emilio
Support Amnesty International

[text was edited by author 2000-12-29 14:49:06]



2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave
kudos:1

Well, that's about as straight an answer as we could hope for without disclosing the actual details. But then we've discussed many possible 'holes' in software firewalls running on Windows systems in several threads recently.

The fact that Gibson did not make this announcement at the same time that LeakTest results were released is no doubt another sign of his favoritism of ZoneAlarm. No secret for a very long time. Personally, I do see it as a disservice to us all that he didn't announce it publicly earlier. Then the announcement would have read something like:
Problems:
A - every software firewall except ZoneAlarm
B - every software firewall except ZoneAlarm
C - every software firewall except ZoneAlarm
D - every software firewall including ZoneAlarm

But I'm also curious as to why this Diamond Computer Systems didn't come forward with the revelation also. Most curious that so many people are so reticent to reveal this secret ... that isn't so secret anymore!

Congrats, EmilioG, for bringing it out into the light with documentation for the backup.

[text was edited by author 2000-12-27 06:20:47]



EmilioG
Whats This?
Premium
join:2000-09-19
New York, NY

Yes, those are good questions; Why are these people so reticent? Why are they so reluctant to reveal this secret?
I just found it very strange that SG didn't find even one possible vulnerability in ZA. Nothing is perfect, and that is what he was making it sound like.

I have no personal vendetta towards ZA or any particular firm loyalties towards any s/w, I look at all this very objectively and tried to research it scientifically. As you know, I now use ZA, albeit with some problems, and I do like it, I just want to know more.

I'll post any new findings as I discover them. 2K, do you have an address for this diamond company?
--
Regards, Emilio

Its failings notwithstanding, there is much to be said in favor of journalism
in that by giving us the opinion of the uneducated, it keeps us in touch with
the ignorance of the community.
-- Oscar Wilde



2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave
kudos:1

I did a search for Diamond Computer Systems - found one outfit in Canada. Sent inquiry "is this you" to them. Their web page wasn't 'big business' impressive, but Steve Jobs started in a garage on borrowed money....;)



Ausnetwanderer

join:2000-11-03
Down Under
reply to 2kmaro


Firstly a big thank you also for the info Emilio.
A search for Diamond Computer Systems revealed the following and I thought it relevant to post anything to do with this.
There are 2 listings found so far and this is more than likely the one that Steve Gibson is referring to, given they have their own firewall package called 'Trojan Defence Suite' and this site which I think is basically an ISP.

My comment is one of disappointment for people who have read the good things about ZA and on the strength of that are using the product. That is not to say the program is no good any more and everyone go find something else.

The Leaktest release was about 3 weeks ago and no word / update / alert or anything from ZoneLabs in that time. How many are on the mail list? I know I am. How easy is it to send out an advice? It is easy when it's sales oriented.

A hole in ZoneAlarm had to be found sooner or later. The program is too popular and obviously is a thorn in the side of other firewall developers. Users can at least take heart that the hole was discovered and reported by Steve Gibson and not spread through the net within the hackers world.

Trying to Enjoy
John



net7dsl7

join:2000-04-10
San Francisco, CA

reply to EmilioG

Does this also affect the ZA Pro?

[text was edited by author 2000-12-27 07:25:51]



CJ

join:2000-07-18
USA
reply to 2kmaro

Maybe you can help me on this 2k,

I saw your reference to SG being very pro ZA. It just strikes me odd for one reason. If my memory serves me correctly, I remember him "ratting out" the other firewall programs in an instant, and telling what the vulnerabilities were.

Yet when ZA has one, he is hush, hush about it.
Don't get me wrong here, I myself am a supporter of ZA and have used it for quite some time now.

If my observations are correct, then Steve Gibson has just lost all credibility with me. In my town, he would be called a sell-out.

If my observations are incorrect, then let me know.



wheelert$93
T L C
ExMod 2002
join:2000-06-01
Lynden, ON
reply to EmilioG

We really don't know what transpired when Steve Gibson did those tests. I do know the folks that make Black Ice sent me a holier than thou message back when I inquired about its ability to stop unauthorized outgoing traffic. That may be what set that whole scenario up.
--
"Rome did not create a great empire by having meetings. They did it by killing all those who opposed them."



EmilioG
Whats This?
Premium
join:2000-09-19
New York, NY

reply to CJ

I don't know if Steve Gibson's a sell-out. I do know that he waited a year before revealing the results of his leaktest to the public. He gave Symantec a year to get their act together, I don't know about the others. He has been in contact with Zone Labs and Diamond CS, and if you read the Email, you know the rest, so far. It's a tough position to be in, but the public has the right to know.
8 million users could be "had".

ausnetwanderer; the company, Diamond Computer Systems, they're out of Australia, in Perth I think, I found them this morning after 2K IM'd me about a company in Canada, so I double checked and found Diamond in Australia and Emailed them. I'm waiting for them to write back. I also wrote to Steve again to get his response to other questions. And
*BTW, The Diamond CS program is not a firewall, it's a trojan scanner. They don't have a firewall as far as I can tell.

I'll reserve judgement. I don't have all the facts yet and may never have all the facts, but like I posted once, I question everything. ZA and ZA pro are still good products, but nothing is perfect. That's why there are always updates and upgrades, and for a free program, they're not doing too bad.

I'll post any news as it develops. EG

[text was edited by author 2000-12-27 12:34:14]



Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:3

Since Gibson mentioned this problem was a sort of problem that any software firewall will be a victim to, I assume this is probably the same vulnerability we discussed a while back in this thread regarding those few seconds of boot up. Those Diamond computer folks must have found a way to exploit it. I am personally somehow disappointed by the way Gibson handled this, but then again I'm not sure what the circumstances were. Perhaps Gibson offered Zone Labs the same thing he offered Symantec and the rest of them, which was enough time to work towards fixing their problems. They didn't do anything and Gibson revealed the secret. Maybe Zone Labs did and is doing something about it and that's why Gibson kept quiet. I don't know what it is but I'll wait to hear the whole story before I make a judgment.
--
You can catch the Devil, but you can't hold him long.



Ausnetwanderer

join:2000-11-03
Down Under
reply to EmilioG


EmilioG you are right about the Trojan scanner/Firewall word choice. Thanks.
Good luck with the email to Diamond. I couldn't find any more references to Diamond Computer Systems.
I am also going to reserve judgement on ZA and Steve Gibson.
Enjoy:)
John



2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave
kudos:1
reply to CJ

Net7dsl - since Gibson's reply to EmilioG stated " *all* " software firewalls, I would take it that it would affect ZA Pro just as much as any other. If you haven't seen the thread that Wildcatboy pointed out here at DSLR, check it out, there are several exploitable weak points discussed there that all software firewalls would be vulnerable to. I kind of get the impression that the one being spoken of is a bit more sophisticated - in actually penetrating from the outside as a pure firewall cracker, not working from the inside out as was mostly discussed there. But that possibility was discussed with regard to NMAP and QUESO also.

cestepp - no, at this point in time without anything else to go on, it is not totally inappropriate to feel some loss of credibility toward Gibson. You might hold off on the execution until all the facts are in - he may actually be responding to an agreement with Zone Labs regarding release of the information, and it would appear that Diamond Computer Systems is 'bound' by a similar agreement of (temporary?) non-disclosure.

Like EmilioG, I've got an email in at both DCS and ZoneLabs asking for any information about it all. DCS says they normally respond to inquiries (I went thru the standard "contact us" message thing with them) within 48 hours.

I am a little surprised that I haven't heard back from ZoneLabs yet. The individual I sent the inquiry to is normally very responsive and quick about it! Somehow I have pictures of a new topic for discussion at today's staff meeting(s) - "Gentlemen, we have received at least 2 e-mails in 24 hours regarding...what are we going to say to these people?... Bill- put your neck out here first and tell me what you think..." that kind of thing.

wheelert - I've received, seen the tap-dancing that NetworkIce folks can do when asked about that tender subject. You're right, could be a similar situation at ZoneLabs.

I'd settle for either of 2 answers from Zone Labs:
1) Here's the problem and here is what/when we are going to do something about it, or
2) Here's the problem, there isn't anything we can do about it because of 'the way it works' - but here are some hints to help protect from this particular problem...

You know - I can't help but think right now: If Microsoft had gotten this kind of attention about each and every one of the bugs in Windows, it would be one hell of an operating system by now (if they also got fixed)! In a way, this and the LeakTest releases actually speak well for all of the software firewalls (well, BID excepted in my book): they are all such reliable products in the eyes of their users that just one or two problems immediately take on monumental importance. Actually, I think that's a good thing. (Whole lot better than having discussions that say 'well, the firewall only crashed twice today, so I'm happy with it' ).



CJ

join:2000-07-18
USA
reply to EmilioG

You say that he knew about the vulnerabilities for a year? Now I'm confused. Not once did I hear or see that he had contacted Symantec about it. I could be wrong on that. But if I'm not, then why did he contact ZoneLabs? Why not just reveal their shortcomings also?

I'm not trying to burn Steve at the stake, but I would like some answers as to his conduct.

Maybe sell-out is a bad word. But what else would you call it? Biased?



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy
reply to EmilioG

This is really incomprehensible. With as many users as there are with ZA, me being just one of them, and if a known leak has existed for this long, not saying something well before this is a real travesty. That merely leaves all of us users wide open without even knowing it. I find this rather unsettling to put it mildly. I will be looking forward to continued reading on this thread, as I am sure there will be such reading and then some. Thanks for the post EmilioG
--
JKK

Age is a very high price to pay for my maturity, so
if I can't stay young, I can at least stay immature!



bf2
Vincere Vel Mori
Premium
join:2000-05-29
Tampa Bay
reply to EmilioG

Very interesting....makes me wonder if zonelabs will fix this, or can they even fix it? If Zonelabs can't fix the problem...does that mean that Steve G will still want Diamond to follow through with the intent of making the known exploit public? Somehow that does not sound like a good idea. It reminds me of a few weeks ago when my Zone Alarm Pro was not working, and or shut-down....and all hell was jamming my pc.
So I continue to run ZAP,BID and the Linky with no conflicts.
I can't wait to see how this plays out.
--
Misc DSLR creations from bf2

»www.geocities.com/handcannon_99/dwp.htm



Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:3


I keep reading this term "Known Vulnerability" in your posts and I'm thinking to myself if this is really a known vulnerability then what is it? Can anybody tell me what it is? Have you read any articles explaining what it is? Have you seen any discussion about it on any hacker site? If not then I think it is not really a known vulnerability thanks to Diamond and Gibson. Now as I mentioned before I don't know the circumstances and based on the limited amount of information that I have I'm kind of disappointed in Gibson but then again I'm neither judging him nor am I panicking based on what I know.
--
You can catch the Devil, but you can't hold him long.



bf2
Vincere Vel Mori
Premium
join:2000-05-29
Tampa Bay

Wildcatboy,
I think you may be mistaken about your above post stating that you keep reading the term "Known Vulnerability" in my posts. That's OK...and you can see that I am responding to the above topic starter, and using "exploits"....No problem...I will tell you that I did have Zone Alarm Pro either stop, quit, shutdown, lock-up, or something of the sort. I had no idea that it was not working, until I re-installed one of my copies of Black ice, and it registered numerous attacks. I like Zone Alarm, and I have posted that which has taken place on one of my computers...also have been in contact with Zonelabs as to try and troubleshoot this one-time event. This event happened with Windows Me. I have had no other problems since that particular day.

--
Misc DSLR creations from bf2

»www.geocities.com/handcannon_99/dwp.htm



2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave
kudos:1

reply to CJ

Someone can correct me if my memory is faulty here, but I believe the timeline on the LeakTest stuff went in a similar fashion. Gibson discovered the weaknesses and informed the makers, they didn't respond in a 'timely fashion' and so he published. It may be that Zone Labs has better, smoother talkers and shows signs of cooperating. If letters like wheelert and I received from NetworkIce about their product indicate the responses of companies like Symantec and McAfee then I can fully understand why he blew the whistle on them. NetworkIce has kept a head-in-the-sand view of their major shortfall since the very beginning. I don't know what McAfee is doing about the problem, but it is to Symantec's credit that they immediately announced a program to fix the holes LeakTest identified: but not until after the results of LeakTest were released!

We don't have the full picture yet - and maybe won't until after Gibson or Diamond release their findings. To make a determination with the very little we have that anyone has been irresponsible is, well, irresponsible!:)

[text was edited by author 2000-12-27 22:44:38]



CJ

join:2000-07-18
USA
reply to EmilioG

Point well taken 2k. I was not aware that Steve Gibson had in fact notified Symantec & Network Ice, and that they did not take action in a timely manner.

So, does this mean we have to wait a year before we find out what the problem is?

What if the exploit is being taken advantage of as we speak? We wouldn't know because they won't tell us what to look for.

That is more irresponsible in my eyes.



Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:3
reply to bf2

bf2, My post was not directed at you. If it appeared that way I apologize. It's just that your post was the last one and I simply replied to that as opposed to going to the top of the page. I used the word your as plural meaning all of the posts. Again I'm sorry if it appeared that I was directing my comment towards you. But to answer the last part of your comment, the issue here is not about misconfiguring ZA, it's about a vulnerability that will affect you even if you install and configure it properly. The fact that ZA didn't work on your computer for whatever reason is no indication that the program might be vulnerable. It has been working perfectly on probably millions of computers. Now there's probably a vulnerability that we don't know about, but what it is, remains to be seen. As for the Black Ice, well, they don't even believe they have a problem.
--
You can catch the Devil, but you can't hold him long.



bf2
Vincere Vel Mori
Premium
join:2000-05-29
Tampa Bay

wildcatboy,
No problem...no need to apologize to me. I have in a different kind of way, duplicated a close likeness of the "event" that happened to me a while back. I even used my digital camcorder to record the event. I will one day get around to compressing the digital video (800MB) into a much smaller file size, so others can get a rough idea of what I am talking about...which is not the exact event that happened, but close enough to draw questions....no problem, and no offense taken.
--
Misc DSLR creations from bf2

»www.geocities.com/handcannon_99/dwp.htm



2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave
kudos:1
reply to EmilioG

The Word From Diamond Computer Systems

As mentioned earlier, ausnetwanderer and EmilioG managed to track down the correct Diamond Computer Systems (DCS) people. I sent them an email and have received their response. Those are published (with minor editing of non-essential comments and personal names) below.

Before you read them, let me make a couple of points:
1) Yes, they did indeed discover a weakness.
2) This was only discovered 10 weeks ago, by them, not by Gibson.
3) They are trying to give ZoneLabs enough time to fix the problem (if it can be fixed) before making the facts known to the world.
4) The problem seems to be one that would allow a program (trojan/worm) on your system to slip out through the firewall, rather than letting something into your system from some outside attack.
5) If #4 is true, then quite simply, strong anti-virus protection methods might very well be that added level of security you need - if it is of this nature, then ZoneAlarm would not have 'failed' to protect you from an attack, but it would be made less effective because of a virus active on your computer. And how do we end up with a virus active on our computers, class? Yes - 90% or more of the time we invite them in!!

Ok, with all of that behind us, here are copies of the emails exchanged. BTW: Let's NOT cover DCS up with emails asking 'how, how, how' - doesn't sound like they're going to tell until they are ready, and perhaps agreements they have in place with ZoneLabs won't even let them.

-------
Initial E-Mail to DCS
---------

Gentlemen,
I have seen the name Diamond Computer Systems associated with the engineering of a method of penetrating the ZoneAlarm software firewall produced by Zone Labs. I understand the method is also exploitable against all or most other software firewalls. This statement was attributed to Mr. Steve Gibson of the Gibson Research Center.

Can you confirm or deny that you are the organization referenced? If you are the source of this method of penetration, can you provide ANY information about its operation or what users can do to protect themselves from the weakness?

... I am a moderator at the DSLReports broadband support site (www.dslreports.com). ZoneAlarm is used by a very large number of individuals who frequent that web site and they are extremely interested in this development.

Thank you in advance for any assistance and information you can provide regarding this matter.

--------
Their Response (edited)
--------


Thanks for your email.

Yes, we can confirm that during standard anti-trojan testing on a machine that had ZoneAlarm on it, we have inadvertently discovered a couple of vulnerabilities - not something we were looking for, but the vulnerabilities seemed to find us. We have been in contact with Zone Labs for over 10 weeks regarding these matters, and the only person outside of DiamondCS that is aware of these problems is Steve Gibson of GRC. Can I ask how you found out about these vulnerabilities?

The public will be informed shortly as to the nature of these vulnerabilities, and hopefully ZoneLabs will have a fix out by then. (We've given them over 10 weeks...)

Best regards,

--------
My Reply (edited)
--------

The information was provided by Steve Gibson to a regular visitor/member of DSLReports Security issues forum. You may visit (and are INVITED) the site at http://www.dslreports.com; the specific discussion thread for this matter is at http://www.dslreports.com/forum/remark,288028;root=security,1;mode=flat

I do appreciate your quick response and any further information that you can provide that would not put you in jeopardy of any agreements you have in place with either Steve Gibson or Zone Labs would be very much appreciated.

Thank You Again,



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy

I guess you kind of blew the lid off their cover by your question. Hope something is being done and that in this 10 week period that they have had, that they have been able to figure out a patch of some sort. All I can say is wow. How did they think they were still negotiating in secret? This world is too small what with the internet and lots of savvy users who won't just sit back and ask no questions. Well done with your letter to them, and the same with the post of their response. Thanks.
--
JKK

Age is a very high price to pay for my maturity, so
if I can't stay young, I can at least stay immature!



2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave
kudos:1

I think Mr. Gibson may have a little explaining to do - did you notice the question "where did you get this from" or words to that effect!


GaryK
Premium
join:2000-08-29
Miami, FL

That jumped right out at me, 2k. Methinks Steve will have some explaining to do.

BTW, your diplomatic skills are considerable. You really know how to word an email in such a way that you cannot be ignored or fed BS. One of those thumbs-up votes is from me.

Thanks!
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb
Trail Blazer was formerly known as tblazer



Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:3
reply to 2kmaro

Good job 2kmaro, It confirmed what I've been suspecting for a while. Software firewalls have few major vulnerabilities, one being the reboot issue we discussed and the other is the effects that a virus or a Trojan can have on a firewall when it is already on the computer. For example a Trojan can shut down your firewall before getting out. This can be fixed to a certain degree by renaming your firewall file name unless the Trojan is smart enough to look for files with a certain size.

The other thing that made me feel a bit better about Gibson was the fact that he's known this only for about 10 weeks and if he gave Symantec about a year it would just be fair to give ZA a few weeks before the announcement. By the way I have a feeling that Gibson was looking for an excuse to get the word out, otherwise he wouldn't respond to Emilio the way he did. I guess he is getting tired of keeping the secret and looking bad as a result.

Well, thanks to you 2k, now I know this is almost a non-issue, since it is more about what a Trojan can do than it is about how safe ZA is. As you put it once 2kmaro, I can go back to sleep now.
--
You can catch the Devil, but you can't hold him long.


GaryK
Premium
join:2000-08-29
Miami, FL

said by Wildcatboy:
For example a Trojan can shut down your firewall before getting out.
My programming skills are perhaps a little rusty. But doesn't the Windows API offer a way for a running application to see if the request to terminate it was generated by the application itself and ignore it if it wasn't? If so, then that's the patch ZA and others are probably working on.
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb
Trail Blazer was formerly known as tblazer


2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave
kudos:1

Basically you're thinking of the equivalent of the "On Close" event for a process. However, you can basically override that with the proper series of API calls from the other program (says basically, "I don't care what you are doing or how badly you want to live, die dammit, die!"). I'd have to dig way deep to see if that can be overridden (never had to before - if it needed killing that bad, I always let the thread die).

Having answered that to a small degree, now I get to put up another huge page plus post. More stuff from DiamondCS.



2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave
kudos:1

reply to 2kmaro

Here we go - picks up where the last monster left off:

Alright - another long one with edited copies of emails received from DiamondCS. Here is the short of it all:

* Full disclosure is coming soon, one way or the other!
* Although the initial alert was made by DiamondCS to ZoneLabs 10 weeks ago, Steve Gibson and the President of ZoneLabs didn't get involved with it until about a week or 10 days ago.
* The vulnerabilities appear to be similar to what Gibson achieved with LeakTest against the other software firewalls. Same general idea - get through it from the inside out!
* There are no formal, legally binding agreements between ZoneLabs, DiamondCS and/or Steve Gibson - this is all being handled by "gentleman's agreements".

Where I've edited below, it is indicated with italic text, if I add any side comments, they will be underscored, and where I think a point needs to be emphasized, I've added bold text. Any editing I've done has not changed the meaning, but has been done to keep names and similar information private where they are not already known (as with Steve Gibson).

From DiamondCS
Thanks *,
I just had a quick read through that thread on your forum, very interesting. It is clear that there is a bit of confusion, which is fair enough when nobody other than myself and name deleted / DiamondCS, Steve Gibson / GRC, and Zone Labs knows about it. I'm happy to answer any questions you have, but I can't go into the actual exploit details just yet, out of courtesy to Zone Labs. We follow CERT vulnerability disclosure-policy, although we often allow more than 45 days for fixes (hey, we know how busy they are). We have not made anything public yet, for the sake and benefit of the public - Zone Labs haven't fixed the problem yet, so do you want the exploit released before the fix, whereby trojans will start exploiting these techniques? It is now ten weeks since Zone Labs were notified of the first of two vulnerabilities, and pending one final email from them, that vulnerability will be disclosed immediately to the public, with a harmless demonstration executable. It is unfortunate that Zone Labs have not attempted to engineer a fix yet, as we have offered them solutions only to have them turned down for a matter of 'convenience over security', but that is their choice and now that they have had fair time and a fair chance to fix the problem, it's over to the public to let them decide.

The second exploit made itself apparent to name deleted / DiamondCS just a few days ago, and both Zone Labs and Steve Gibson have been made aware of this. This one was very simple, and it found name deleted - name deleted didn't find it. Within a matter of minutes we then had a batch file capable of bringing down both ZoneAlarm and ZoneAlarm Pro. We've been in close liaison with Steve over the last week or so regarding the situation and he has been very helpful to both Zone Labs and us at DiamondCS, so hopefully Zone Labs will get their act into gear and attempt to engineer a fix - but so far, nothing.

For the record, we are a young company established in 1986 originally building hardware systems, but since 1997 have been developing anti-trojan, pro-security software - all of it free, except for just two programs. We are based in Perth, Western Australia, and our homepage is
http://www.diamondcs.com.au
We don't make firewall software and we are in no way in competition with Zone Labs. We don't go looking for vulnerabilities, but during anti-trojan testing we often come across vulnerabilities in other software, as was the case with both of the two ZoneAlarm/ZA Pro vulnerabilities. But when we discover vulnerabilities, it is our responsibility to report them to the vendor to have them fixed. Some vulnerability-hunters disclose such things to the public within a week of the discovery, but they seem to be the ones who have no genuine interest in securing Windows, just an interest in making a name for themselves. We don't hunt vulnerabilities, and we make our name through our software, not vulnerability disclosure, but these are vulnerabilities that the public must be made aware of, and we will certainly do that over the coming weeks. I hope that explains the situation a bit more.

Best regards,
DiamondCS

One more point for the record ...
There are absolutely no contracts, written agreements or signed documents of ANY kind between Zone Labs and DiamondCS, or DiamondCS and Steve Gibson / GRC. Steve Gibson is assisting in 'moderating' the situation and helping both Zone Labs and us - we called him in when Zone Labs responded with an email along the lines of "we won't be fixing it due to a matter of convenience over security". For some strange reason, now that Steve is watching from the side Zone Labs have lifted their heads and are taking notice of the problems.

Best regards,
DiamondCS

President of ZoneLabs became directly involved (by carbon-copied email) when Steve Gibson came into the picture early last week. So far I have not received any email from him, but I am still in correspondence with another senior ZoneLabs person.

From 2kmaro
Can you answer one question without compromising your position? Is the weakness as I'm guessing on the outbound side (from within a user's computer) or from the outside in as from an attacking system? I'll understand if you cannot provide the answer to this.

From DiamondCS
Both vulnerabilities are local, not remote attacks, and they both demonstrate how a trojan could get out to the Internet by 'circumventing' ZA/ZAPro - similar to what LeakTest is demonstrating, but LeakTest typically gets stopped by ZoneAlarm/ZAPro.

Best regards,

[text was edited by author 2000-12-28 02:08:41]



Ausnetwanderer

join:2000-11-03
Down Under
reply to 2kmaro

I have just visited Gibson Research and found a reference to the Leaktest release here in the "newsgroup" on Leaktest. Navigating this newsgroup is a bit of a nightmare but I suggest that there is an enormous amount of info there and maybe checked out by someone with more experience than I with newsgroups. Outlook Express had 600+ listings in groups with over 6000 not downloaded.
There was a program written and documented there called "nozone" which was able to breach ZA. In the interests of security this thread was removed from the newsgroup. Information about its removal is in the ZoneAlarm posts.
Maybe the time has come for ZoneLabs to come out of the closet on this. The cat is already out of the bag.
Enjoy
John