jansson_mark Markus Jansson Premium join:2001-08-05 Finland
ZoneAlarm device driver vulnerability

*This hole can NOT be remotely exploited. Sleep well.* »www.securityfocus.com/archive/1/331940

quote: The driver installed with ZoneAlarm is vulnerable, and can be exploited so that an attacker can gain full system control (ring0 privileges). By sending a properly formatted message to the ZoneAlarm Device Driver (VSDATANT - TrueVector Device Driver) you can cause a device driver memory overwrite.

Is there a patch available or coming up? -- My computer security & privacy related homepage »www.markusjansson.net
[text was edited by author 2003-08-06 15:11:29]

Phoenix__1 join:2003-07-17 Holyoke, MA
Well this is no good...

lawrence171 Evilly Yours - Evilness join:2001-12-24 Canada
reply to jansson_mark
Greetings,
I believe ZoneLabs will refuse to fix this for their "free" version of the firewall. They should fix this in the paid version ASAP.
If you're a user of ZoneAlarm, may I recommend Kerio PF? At least they fix stuff in Kerio PF (even though it's free), unlike ZoneLabs. -- By using my computer, I'm also helping to find a cure for Cancer... Who says technology isn't good? However, the idea of distributed computing did cause the IT crash in da world...

John2g Qui Tacet Consentit Premium join:2001-08-10 England
said by lawrence171:
> I believe ZoneLabs will refuse to fix this for their "free" version of the firewall.
There speaks a cynic. What evidence do you have for this assertion? -- Better to remain silent and be thought a fool, than to speak and remove all doubt.

Skipdawg The Original Premium,ExMod 2001-03 join:2001-04-19 The Void
reply to jansson_mark
Thanks for the heads up on this. -- Who, what, where, when & why?

vice8686 join:2000-10-13 Lancaster, CA
reply to jansson_mark
Gosh, I guess I better install an alternative until this gets fixed. Thanks for the heads up Markus :)

BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
Unless you're letting tons of trojans, viruses, and malware in general onto your system it shouldn't be an issue.
[text was edited by author 2003-08-06 13:48:16]

mvdu Premium join:2003-07-28 Collegeville, PA
reply to jansson_mark
I'll keep this in mind. I ruled out Outpost, but that doesn't mean I can't look at what's out there. How many other people think Kerio would be a good alternative?

Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
reply to jansson_mark
Boy... do all of these people switch OSes every time there's a vulnerability for Windows that's not yet patched? Oh... I guess not... since they are using ZA in the first place.
Point being: the vulnerability was just now announced. Give it some time; there are NO known exploits of it in the wild... and even if there were, normal safe practices (not executing unknown programs, patching the OS) should protect you until there is a patch. And don't listen to the cynics - of COURSE Zone Labs will patch this, in the free version, too.

BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
reply to mvdu
I don't recommend rule based firewalls to people who are not patient enough to learn how to use them correctly, which means learning quite a bit about how the TCP/IP protocols work.
I run Kerio, and it has a very steep learning curve. However, it offers the chance for a more complex configuration compared to ZA Pro. On the other hand, not knowing what you're doing can leave your configuration very loose, which would be worse than if you were just running an application based firewall like ZA.
We have a forum here that can help, but leaving a program for one exploit which might not ever be exploited on your computer is acting a bit rash. Do you also know what to expect from the other program? »Kerio - Tiny Support -- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed.

mvdu Premium join:2003-07-28 Collegeville, PA
No, I'm not changing yet - just looking. In fact, Kerio might not be for me.

IGGY No Guru Just Here To Help Premium,MVM join:2001-03-30 Chatham, IL
reply to jansson_mark
I can now chime in on this one. The official response I just received:

"Zone Labs response to Device Driver Attack
OVERVIEW: This is a proof-of-concept that represents relatively low risk to Zone Labs technology users. It is a secondary exploit that requires physical access to a machine or circumvention of other security measures included in Zone Labs consumer and enterprise products to exploit. A fix will be released that addresses the issues detailed as soon as possible.
EXPLOIT: The demonstration code written by vulnerability researcher "Lord YuP" is a proof-of-concept that describes a potential attack against Zone Labs technology. The sample provided was intentionally incomplete, to prevent malicious hackers from using it. Zone Labs wishes to thank Lord YuP for his responsibility in exploring this issue and thereby making our products safer for all users.
RISK: We believe that the immediate risk to users from this exploit is low, for several reasons: this is a secondary attack, not a primary vulnerability created or allowed by our product. Successful exploitation of this vulnerability would require bypassing several other layers of protection in our products, including the stealth firewall and/or MailSafe email protection.
Please note that since Lord YuP demonstrated responsibility and courtesy to others by not publishing complete source code, there is no workable demonstration code for hackers to copy. Furthermore, to our knowledge, there are no examples of malicious software exploiting this vulnerability.
SOLUTION: Nevertheless, security for our users is our first concern, and we take advice of this kind seriously. We will be updating our products to address this issue by strengthening protection for our device driver and will make these updates available as soon as possible.
Registered users who have enabled the "Check for Update" feature in ZoneAlarm, ZoneAlarm Plus, or ZoneAlarm Pro are informed by the software automatically whenever a new software update is released. Zone Labs will provide guidance to Integrity administrators regarding updating their client software.
CONTACT: Zone Labs customers who are concerned about the proof-of-concept Device Driver Attack or have additional technical questions may reach our Technical Support group at: »www.zonelabs.com/store/content/s···port.jsp"

It seems that there will be more to be added to this at a later time. The statement above was released, shall we say, prematurely. But since everyone has already seen it - the cat is out of the bag, so to speak - I'm not going to delete it now. -- Test Your Security Team Z Member Cable Modem Diagnostics InsightBB 3000/384 XP PRO
[text was edited by author 2003-08-06 16:27:09]

IGGY No Guru Just Here To Help Premium,MVM join:2001-03-30 Chatham, IL
reply to lawrence171
I think one should stop trolling and look at facts before they speak. But what do I know. Kerio PF and many other products are just as vulnerable to many proofs of concept that are out there. But no one seems to want to test the other products - considering all the glory is in bashing Zonelabs products due to popularity. Very similar to how most only spend time trying to create or find exploits within Windows instead of Linux or the Mac. It's not so much that these OSes can't be exploited - it's just you don't get the best collateral damage or press coverage going after those OSes. -- Test Your Security Team Z Member Cable Modem Diagnostics InsightBB 3000/384 XP PRO
[text was edited by author 2003-08-06 14:43:22]

IGGY No Guru Just Here To Help Premium,MVM join:2001-03-30 Chatham, IL
reply to BlitzenZeus
Sorry, I'm answering these as I read them - not trying to up my post count!!
But a voice of reason I can agree with!!

John2g Qui Tacet Consentit Premium join:2001-08-10 England
reply to IGGY
Good to read, Iggy. I, for one, didn't believe that ZoneLabs would not correct any vulnerability in their firewall. -- Better to remain silent and be thought a fool, than to speak and remove all doubt.

Marilla I Am My Own Arbiter Premium join:2002-12-06 Belpre, OH
reply to IGGY
Thank you, IGGY, for helping to avert the next "The Sky is Falling" episode here. hehe. Always a good thing to go right to the source, eh?
And thanks, MARKUS!!! (Edit: Why did I think John2g posted it????), for posting about it in the first place... I, for one, do NOT have ZA set to automatically check for updates... mostly I rely on posts here to alert me to when things may be coming up!
[text was edited by author 2003-08-06 14:45:07]
[text was edited by author 2003-08-06 15:01:39]

IGGY No Guru Just Here To Help Premium,MVM join:2001-03-30 Chatham, IL
reply to John2g
Sometimes they can be stubborn or have a different viewpoint than the press and others. Most of the time I tend to agree with them. But I can tell you that from my personal point of view they take their responsibility to users seriously.

IGGY No Guru Just Here To Help Premium,MVM join:2001-03-30 Chatham, IL
reply to Marilla
I don't do auto updates either. As a matter of fact I had this exact discussion in person with Corey from Zonelabs a few weeks back, or was it a week ago (23rd of last month if my memory serves me correctly). I personally feel that auto updating opens a user up to exploit. A minimal chance of exploit - but a chance all the same. I prefer manual updates for reasons I've stated before, and recently mentioned here: »Re: InsightBB Software Update. I do hit the check for updates button from time to time - just to make sure I didn't miss a memo. :D

> "for helping to avert the next "The Sky is Falling" episode here"

I'm sure others will chime in about how the world will now end and how this product is pure crap even after reading this thread. They'll find fault with the company response etc. But that is the good part of this forum - although sometimes frustrating. You get to see many different viewpoints on a subject. -- Test Your Security Team Z Member Cable Modem Diagnostics InsightBB 3000/384 XP PRO

jansson_mark Markus Jansson Premium join:2001-08-05 Finland
reply to IGGY
said by IGGY:
> But no one seems to want to test the other products - considering all the glory is in bashing Zonelabs products due to popularity.
I agree totally! ZoneAlarm and ZoneAlarm Pro are just so damn GOOD, easy to use, and popular, that people want to target them. There is no glory in bashing some terrible firewall. -- My computer security & privacy related homepage »www.markusjansson.net

Skipdawg The Original Premium,ExMod 2001-03 join:2001-04-19 The Void
reply to IGGY
Hey IGGY, quit trying to up your post count lol. Just could not resist. hehehehe
Also, if you are behind a hardware firewall you will have a little less to worry about.
From what I have read so far this is a low level problem but very worth keeping an eye on.
And as has been pointed out there are options. -- Who, what, where, when & why?
