[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20051001213051.3B9F1845@lists.grok.org.uk>
Date: Sun, 2 Oct 2005 03:00:50 +0530
From: "Debasis Mohanty" <mail@...kingspirits.com>
To: "'Zone Labs Security Team'" <security@...elabs.com>,
<bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: Different Claims by ZoneLabs on the "Bypassing
PersonalFirewall (Zone Alarm Pro) Using DDE-IPC" issue
Note:
This respose is especially towards Zone Labs Advisory on "Bypassing
PersonalFirewall (Zone Alarm Pro) Using DDE-IPC" issue.
Hi,
In your advisory
(http://download.zonelabs.com/bin/free/securityAlert/35.html) regarding this
issue, you have mentioned that only the Free Version of ZA is vulnerable and
ZA Pro is in the un-affected list. Without downplaying your advisory on this
issue, I want to confirm that I have tested this for ZA Pro 3.7.159 and
found vulnerable. Although the current version (6.0) is not vulnerable.
IMHO It will be a big mistake to conscider all versions of Zone Alarm Pro is
un-affected. ZoneLabs advisory on this is only valid for the current version
(6.0) of ZA Pro which I have tested and found it to be unaffected.
There are many who uses previous versions of ZA Pro (3x, 4x, 5x) and the
Zone Labs advisory seems to be covering the issue by saying that ZA Pro is
un-affected (**subjective statement**). I am not making any accusition, it
might be a mistake but defenitely needs to be addressed in the advisory. I
can keep silent on this issue and so as you but then it is very important
that the users of previous version must know that they are prone to such
attacks.
Besides this, I just came across the news @ news.com where as per the news
Zone Labs have given a different statement -
http://news.com.com/Malicious+code+could+trick+ZoneAlarm+firewall/2100-1002_
3-5886488.html
<news @ news.com>
The issue affects the popular free ZoneAlarm firewall and default
installations of version 5.5 and earlier of the paid product, maker Zone
Labs said in a security advisory on Thursday. Default installations of the
Check Point Integrity Client are also affected, but the paid ZoneAlarm 6.0
products, released in July, are not, Zone Labs said.
Click on the above link to read more...
</news @ news.com>
Well, the statement given to news.com by Zone Labs seems to be contradicting
your own advisory. As per the statement to news.com ->
The affected versions are :
free ZoneAlarm firewall and
default installations of version 5.5 and
earlier of the paid product
Default installations of the Check Point Integrity Client are also affected
This statement contradicts the advisory released by you....I can see a huge
gap between the statement and advisory....
Request you to clarify and update the advisory if there is a mistake. Incase
you require more info from me then feel free to mail.
Thanks & Regds...
Tr0y (aka Debasis Mohanty)
www.hackingspirits.com
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Zone Labs
Security Team
Sent: Friday, September 30, 2005 5:13 AM
To: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Zone Labs response to "Bypassing PersonalFirewall
(Zone Alarm Pro) Using DDE-IPC"
Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro) Using
DDE-IPC"
Overview:
Debasis Mohanty published a notice about a potential security issue with
personal firewalls to several security email lists on
September 28th, 2005. Zone Labs has investigated his claims
and has determined that current versions of Zone Labs and Check Point
end-point security products are not vulnerable.
Description:
The proof-of-concept code published uses the Windows API function
ShellExecute() to launch a trusted program that is used to access the
network on behalf of the untrusted program, thereby accessing the network
without warning from the firewall.
Impact:
If successfully exploited, a malicious program may be able to
access the network via a trusted program. The ability to
access the network would be limited to the functionality of the trusted
program.
Unaffected Products:
ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
and ZoneAlarm Security Suite version 6.0 or later automatically
protect against this attack in the default configuration.
ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
and ZoneAlarm Security Suite version 5.5 are protected against
this attack by enabling the "Advanced Program Control" feature.
Check Point Integrity client versions 6.0 and 5.5 are protected
against this attack by enabling the "Advanced Program Control" feature.
Affected Products:
ZoneAlarm free versions lack the "Advanced Program Control"
feature and are therefore unable to prevent this bypass technique.
Recommended Actions:
Subscribers should upgrade to the latest version of their
ZoneAlarm product or enable the "Advanced Program Control" feature.
Related Resources:
Zone Labs Security Services http://www.zonelabs.com/security
Contact:
Zone Labs customers who are concerned about this vulnerability or
have additional technical questions may reach our Technical Support
group at: http://www.zonelabs.com/support/.
To report security issues with Zone Labs products contact
security@...elabs.com. Note that any other matters sent to this
email address will not receive a response.
Disclaimer:
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information. Zone Labs and Zone Labs
products, are registered trademarks of Zone Labs LLC. and/or
affiliated companies in the United States and other countries.
All other registered and unregistered trademarks represented in
this document are the sole property of their respective
companies/owners.
Copyright: (c)2005 Zone Labs LLC All rights reserved. Zone Labs,
TrueVector, ZoneAlarm, and Cooperative Enforcement are registered
trademarks of Zone Labs LLC The Zone Labs logo, Check Point
Integrity and IMsecure are trademarks of Zone Labs, LLC. Check Point
Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat.
& TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC.
All other trademarks are the property of their respective owners.
Any reproduction of this alert other than as an unmodified copy of
this file requires authorization from Zone Labs. Permission to
electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are
reserved by Zone Labs LLC.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists