Forums » Up and Running » Security » Zone Alarm security Hole-confirm from Steve Gibson


2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave

 reply to 2kmaro
Zone Labs President Responds!

In the following E-Mail, it may help to know that Gregor Freund is the President and Founder of Zone Labs and Conrad Herrmann is the Chief Technology Officer for Zone Labs. Information about them may be found at http://www.zonelabs.com/management.htm
--------------
E-Mail from DiamondCS
Due to recent responses from Zone Labs and then Steve, both vulnerabilities will be fully disclosed to the public in approximately 24 hours from the time of this email - we're just waiting upon confirmation from Zone Labs' Gregory Freund & Frederick Felman that their latest email to us from Conrad Herrmann is their official stance. All will be revealed tomorrow, but at this stage it appears Zone Labs won't be fixing either of the vulnerabilities - Steve isn't impressed, and neither are we.

Best regards,
DiamondCS
end
------------

Ok, with that in front of us, here is the email that I received from Gregor Freund:

-------------
E-Mail from Gregor Freund, President of Zone Labs
Thank you for this and your other message. I appreciate the opportunity to address your concerns and apologize for the delay getting back to you - I just came back from a vacation.

Up front: No security is absolute and one hundred percent. This is true for both cyber security as well as the "real world". You can put seat belts in a car, throw in air bags and crush zones and you will still have accidents that you just can't survive. The same principle is true for house or car alarms. Security measures are always a balance between protection, convenience, cost, etc. For example, I fly small airplanes that have 6-point seat belts, which are much better than anything you would find in a car. The reason you don't find them there is that they are inconvenient to put on and restrict your movement, so most drivers just wouldn't use them and end up being less secure instead of more. Every security vendor is selling tools to reduce your vulnerability, not to completely eliminate it.

Having said this we set our standard for appropriate security very high. None of the "generic" attacks to break through ZoneAlarm have ever succeeded and believe me, people have tried. In order to compromise a protected system you would have to either break through the integrated firewall or the MailSafe feature in order to run a malicious application on a victim's PC. For the sake of argument let's assume that is possible. If that malicious application then tries to communicate over the Internet (for example to steal your confidential data) we can and will stop it.

That leaves the possibility to attack the ZoneAlarm program itself. We have seen some lab attempts to do this but nothing in the "wild". Of course any of our competitors are subject to the same potential vulnerability. With version 2.1.44 we have changed the software so that even most of those attacks will fail. You still can unload the ZoneAlarm program (there is nothing under Windows that can stop this) but the underlying service will continue to enforce your security settings.

We are currently testing a new version that further improves the security margin. That version will be available towards the end of January. The goal is that ZoneAlarm can not be sabotaged provided that you
- Run on a semi-secure version of Windows (NT, 2000 or Whistler)
- Don't run in administrative mode
- Use the password feature
Under Windows 95/98/ME those margins will be a bit narrower. Please understand that we need the appropriate time to test the new code. Rushing out some pseudo-fix without sufficient quality assurance will have the opposite effect - users would run into all kinds of troubles and might eventually uninstall ZoneAlarm - not exactly an improvement of their online security.

You should also note that any of the potential attacks in this context would succeed with conventional firewalls such as CheckPoint or SonicWall. These products don't have any application-level protection at all and for example they all have to allow outgoing traffic on port 80.

We are extremely proud that we help eight million users to significantly improve their online security and have protected hundreds of thousands of them from serious harm. We take the resulting obligation very seriously and will do everything in our power to continuously improve our products in order to justify the trust of our users.

Best Regards,
Gregor Freund
President, Zone Labs, Inc.
end
-----------

With all of that I'm not quite sure of what to say to Zone Labs. We all know that no product is 100% anything. We also should know by now that in the Windows family, the home user software is the least secure.

The potential of a new virus with smarter technology has also been discussed here in the Security forum of DSLR. These risks would appear to apply equally to all software firewalls. Our best defense against this 'attack from within' will be to make sure that our Anti-Virus and anti-trojan efforts are always kept at a high, up-to-date level.

The most disappointing thing to me at this point is that while other software firewall vendors (Symantec most notably) responded to the LeakTest challenge almost immediately (with no fixes released yet that I know of), Zone Labs appears to feel this problem does not warrant their immediate attention.

I'm sorry, but in 20 years of building software to use in things like automated air traffic control systems, weather radar systems and general 'run of the mill' business applications my philosophy has always been that if you have a problem in the basic function of a product you fix it! The basic function of a software firewall is to stop unauthorized passage through that firewall. Am I missing something here?

In defense of Zone Labs, I could say (and should say) that as long as no malicious program gets on your system then there isn't a problem. That pretty much puts them all back in the same arena, perhaps still giving basic ZoneAlarm the edge by virtue of price and ease of use.

Will the revisions to Norton Personal Firewall, Sygate Personal Firewall and others like them be more secure than Zone Alarm - I cannot say. At least they will have made an improvement to themselves. Me - well, I'm headed down to BestBuy very shortly to start learning how to set up a router right!

In parting, I'll post my reply email to DiamondCS for you all to read:
----------
My Response to DiamondCS
Thank you for this update. That is very disappointing. Steve isn't impressed, you aren't impressed and I most certainly am not either. This seems to be a case of 'we have all these millions of users', we've got them hooked, now we get to leave them with an incomplete product. Perhaps Gregor and group have been taking program design lessons from the Microsoft School of Program (non)Design!

From what I have deduced from your comments and discussions with others, it would appear that a strong defense against this weakness will be a high-quality anti-virus application and awareness of good anti-virus procedures. This still leaves the risk of a new virus in place. I will be adding a router to my home system to increase the security level to some degree, and now will also take a look at some of those free tools you mentioned are available from DiamondCS, along with your other products to see which may have value in this area.

And, of course, I will give consideration to going with one of Zone Labs competitors once they have plugged the holes found with Steve's LeakTest. A sad state of affairs for such an otherwise outstanding product to have come to.

I would appreciate notification of where to read the announcement and obtain a copy of the test executable when these are available.

Thank You for all of your kind assistance these last three days.
end
---------

And to end it all - my reply to Mr. Freund

My reply to G.Freund
Thank you for your response. At this point I'm not really sure of what to say about it all. I do know that many people are taking this even more seriously than the results of Steve Gibson's LeakTest. The perception of most is that you have a discovered vulnerability and are not doing anything about it. Somehow you are going to have to overcome that perception.

You mention the 8 million users that have downloaded ZoneAlarm. Well, I feel like I've recommended it to about half of those numbers, and to each that I've recommended it to I feel some responsibility for any weakness it might have. MOST of those 8 million users are not using a secure OS such as NT, 2000 or Whistler. That is reality. Most of them are on various flavors of Windows as 98, 98SE, and ME. There are a great number of these users who are living on fixed incomes or are students and the added burden of coming up with another $100 or $150 to put a router on a single system is an almost unreasonable expectation for those. Those that are educated about security enough to realize the need for it in these categories are depending heavily on their software firewall to provide security.

It would appear that the only patch for this problem at this time for non-secure versions of Windows would be strong anti-virus software, kept up to date and good anti-virus operating habits? Am I correct in this assumption?

Also, you mentioned that even in shutting down ZoneAlarm the service would continue to run -- is that a true statement if the user is operating with Windows 98/98SE/ME? I would presume not, given the way that those operating systems provide the equivalent of Administrator privilege to all users.

The part that makes all of this difficult for me to accept as presented is that I have been a programmer for most of the past 20 years. I have developed software still in use for automated air traffic control systems, weather radar systems, along with numerous business applications. It has always been my philosophy that if there was a fault in a basic function of a program, that fault should be fixed, period. It doesn't appear at this point that Zone Labs operates under that philosophy. I interpret the basic function of a software firewall to be to prevent unauthorized passage of traffic through the firewall. Here we have a known potential for a breach, DiamondCS has indicated that they have provided solutions to Zone Labs, and yet you state that in the 10 weeks since notification Zone Labs has maintained a position of 'no, we aren't changing right now'. That is a tough piece of meat for me to chew right now.

Maybe I'm looking at all of this too hard and maybe from the wrong angle, but this is the way I see it at this point in time. I realize the risk may be very small, but it is a known risk that others have said there is a remedy for. Doesn't prudence dictate applying the remedy?

You may want to take a look at the comments provided on this subject over the past 2 or 3 days at DSLReports Security forum. The site address is http://www.dslreports.com and the discussion thread is at http://www.dslreports.com/forum/remark,288028;root=security,1;mode=flat;start=0

As you may recall, my nickname at the site is 2kmaro.

Thank you for taking the time to once again respond to me personally. Please give continued, strong consideration of addressing this issue with a software change at the earliest possible moment.
end

-------
Kirk Out.

--
The only virus on my computer is Windows.

Anon
2kmaro, you've done an outstanding job of trying to get ZoneLabs to take complete responsibility for both their actions and their inactions. Although I don't use ZA, having chosen another route long ago, I appreciate your efforts on behalf of all of us who are security conscious. In almost 15 years of network implementation, management and architecture I have rarely encountered anyone as passionate about security as you have proven yourself to be. Keep up the good work!

Erik
--
Never attribute to malice that which can be explained as ignorance.


DGDTrathole

join:2000-05-07
Newmarket, NH

 reply to 2kmaro
Mr. Freund is incorrect when saying:

- Run on a semi-secure version of Windows (NT, 2000 or Whistler)

I have documented a problem to them with their driver vsdatant.sys on W2K. They responded that they knew about it and were working on it. This was in November and they are still at version 2.1.44. NO FIX YET. ALSO, I have installed V2.1.44 on Whistler Personal AND Whistler Professional and the driver will crash BOTH OSes. It's a great product, I love it and have been using it for a while, BUT I have switched to Norton Personal Firewall as it does NOT experience the same problems ZoneAlarm does on W2K/Whistler.


2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave
I haven't used Whistler, but ZA 2.1.44 works with no problems under W2K with SP1 installed for me.


rtoday

join:2000-11-05
California
Golly, I hope someone does a summary of this thread. It seems to have taken on a life of its own!


2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave

Thread Summary

To a large degree the summary is here:
A 1-Page Summary

Bottom Line: ZoneAlarm (and all software firewalls) have now had new holes revealed in them. They are small holes if other precautions (strong anti-virus use mainly) are taken. Additionally, providing a non-standard location for installing ZoneAlarm can help with one hole, plus DiamondCS has provided a patch for the other. Zone Labs is more or less ignoring this problem for the time being, so griping to them seems in order and in the meantime, do the best you can with what you have.

Small Print Below the Bottom Line: The root source of the problems is the operating system's inherent weakness - if you are using Windows 9x/ME, then no software firewall product can ever be totally bullet-proof.
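The thread names Steve Gibson's LeakTest and a DiamondCS batch file but never spells out how either works. The short model below is an added illustration for this summary, not code from Zone Labs, DiamondCS or Steve Gibson, and it does not claim to reproduce either tool's method. It shows in miniature one design weakness this class of test probes: an outbound filter that identifies a "trusted application" by the path of its executable lets any program that takes over that path through, while a filter that binds the trust decision to a hash of the executable's bytes does not. The file names and the byte strings standing in for program images are constructed for the example; the two filter classes are hypothetical, not any product's real rule store.

```python
"""Toy outbound filter: trusting a program by path vs. by content hash.

Added illustration, not code from Zone Labs, DiamondCS or Steve Gibson.
File names and the byte strings below are constructed for the example.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed stand-ins for executable images; no real binaries are needed.
TRUSTED_BROWSER_IMAGE = b"MZ\x90\x00 constructed image of the user's browser"
LEAKTEST_IMAGE = b"MZ\x90\x00 constructed image of a hostile program"


def sha256_of_file(path):
    """Hash the whole file; in this toy the digest is the program's identity."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class PathTrustFilter:
    """Weak rule store (hypothetical): 'allow outbound traffic from <path>'."""

    def __init__(self):
        self.allowed = set()

    def remember_allow(self, exe_path):
        self.allowed.add(os.path.normcase(os.path.abspath(exe_path)))

    def allows_outbound(self, exe_path):
        return os.path.normcase(os.path.abspath(exe_path)) in self.allowed


class HashTrustFilter:
    """Stronger rule store (hypothetical): 'allow outbound traffic from the
    program whose bytes hash to <digest>', wherever that file lives."""

    def __init__(self):
        self.allowed = set()

    def remember_allow(self, exe_path):
        self.allowed.add(sha256_of_file(exe_path))

    def allows_outbound(self, exe_path):
        return sha256_of_file(exe_path) in self.allowed


def _install_and_trust(workdir):
    """Install a 'browser' and let the user click 'Yes, remember this answer'
    in both designs. Returns (browser_path, path_filter, hash_filter)."""
    browser = os.path.join(workdir, "browser.exe")
    with open(browser, "wb") as f:
        f.write(TRUSTED_BROWSER_IMAGE)
    path_filter, hash_filter = PathTrustFilter(), HashTrustFilter()
    path_filter.remember_allow(browser)
    hash_filter.remember_allow(browser)
    return browser, path_filter, hash_filter


def run_masquerade_scenario():
    """A hostile program replaces the trusted browser image at the same path
    and then asks to connect out. Returns (path_filter_leaks, hash_filter_leaks)."""
    workdir = tempfile.mkdtemp()
    try:
        browser, path_filter, hash_filter = _install_and_trust(workdir)
        with open(browser, "wb") as f:  # the masquerade step
            f.write(LEAKTEST_IMAGE)
        return (path_filter.allows_outbound(browser),
                hash_filter.allows_outbound(browser))
    finally:
        shutil.rmtree(workdir)


def run_relocated_browser_scenario():
    """The genuine browser is copied to a non-default directory and connects
    from there. Returns (path_filter_allows, hash_filter_allows)."""
    workdir = tempfile.mkdtemp()
    try:
        browser, path_filter, hash_filter = _install_and_trust(workdir)
        moved = os.path.join(workdir, "elsewhere", "browser.exe")
        os.makedirs(os.path.dirname(moved))
        shutil.copyfile(browser, moved)
        return (path_filter.allows_outbound(moved),
                hash_filter.allows_outbound(moved))
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print("masquerade leaks  (path, hash):", run_masquerade_scenario())  # (True, False)
    print("relocated browser (path, hash):", run_relocated_browser_scenario())  # (False, True)
```

The second scenario is the flip side of the first: a hash-bound rule follows the genuine program wherever it is installed, but it also stops matching the moment that program is legitimately updated, so the user is asked again. Neither rule store addresses the other hole the summary mentions: a program that unloads or kills the firewall itself is not asking for permission at all, which is why the summary's advice to keep anti-virus current still applies.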


rtoday

join:2000-11-05
California
Thanks from all of us in the gallery, 2K! This thread is a motivator and shaker.


DGDTrathole

join:2000-05-07
Newmarket, NH


reply to 2kmaro
Re: Zone Labs President Responds!

Use a dial-up connection, then kill your connection and try doing a re-connect...!!! DOESN'T WORK...occasionally crashes the OS...I can send you the documentation including the crash dump stuff I analyzed/sent to ZoneAlarm...

[text was edited by author 2001-01-04 14:54:52]


2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave

Not to be a put down, but I'd rather have it crash the system than to open a hole in the firewall. You did well to notify Zone Labs - hopefully they didn't just put that one in the same pile with the ones we're speaking of here!

Just one question: when it does crash, what does the error window indicate was the source program for the problem? Just trying to verify that it is part of ZA and not of the dial up software or Windows itself.


Rocktagon
Slightly Bent
Premium
join:2000-11-04
Chattaroy, WA

reply to rtoday
Re: Thread Summary

said by rtoday:
Thanks from all of us in the gallery, 2K! This thread is a motivator and shaker.

Actually Trail Blazer created the webpage that the summary link takes you to.
2kmaro is to be thanked for all the great work but let us not forget Trail Blazer for the work on that webpage and EmileoG for starting the whole thing!

DSL Reports has a great bunch of members!
--
Quest for Knowledge


rtoday

join:2000-11-05
California
Of course you're right, Scooter. Emilio and TB are certainly to be thanked for their fantastic contributions as well! Wasn't meaning to be exclusionary at all.

GaryK7
Premium
join:2000-08-29
Miami, FL
clubs:
·Atlantic Broadband

reply to Rocktagon
Yes, I did create the website. But this has really been a collaborative effort. Between Emilio's ability to find us useful information, and 2k's excellent skills at both the technical stuff and making it all sound simple, and my skills as a web developer, we have all managed to help each other.
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb
---
Angry at ZoneAlarm? Complain about it!


Rocktagon
Slightly Bent
Premium
join:2000-11-04
Chattaroy, WA

As I said:
DSL Reports has a great bunch of members!

I was just making sure the summary of this thread link was credited toward your web page.

Any news on the "this weekend" comment you made earlier?
--
Quest for Knowledge


CyberStretch

join:2000-11-23
Worcester, MA

2kmaro,

...DiamondCS has provided a patch for the other

Since Emilio and yourself already have a rapport with DiamondCS, have any of you requested this patch or agreed to beta test it to ensure it closes the security hole?

If not, would one of you be willing to contact them and request it?

If so, would it be possible to post it so others can benefit from the additional security?

--
And now, back to your regularly scheduled thread already in progress...

GaryK7
Premium
join:2000-08-29
Miami, FL
clubs:
·Atlantic Broadband

Hi. Many of us here have tested the patch. It appears to work fine. You can find it here.
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb
---
Angry at ZoneAlarm? Complain about it!


Rocktagon
Slightly Bent
Premium
join:2000-11-04
Chattaroy, WA

reply to CyberStretch
Click on the link in TrailBlazer's post; his webpage has a link to the patch on it.
I personally have applied it and retested my system against the batch file DiamondCS released, and it did not shut down ZA. 2kmaro has posted these results in his patch post.
--
Quest for Knowledge


CyberStretch

join:2000-11-23
Worcester, MA

Thanks for the responses. 2k IM'd me and gave me the link, coz I was too lazy to check here! (Actually, I was doing my routine check/responding to other threads.)

I will try it out and see what happens.

--
And now, back to your regularly scheduled thread already in progress...
Sunday, 08-Nov 12:19:42 | © 1999-2009 dslreports.com.