lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun Oct  2 19:58:25 2005
From: mail at hackingspirits.com (Debasis Mohanty)
Subject: Different Claims by ZoneLabs on the "Bypassing
	PersonalFirewall (Zone Alarm Pro) Using DDE-IPC" issue

Paul, 

>> This does not include the version 3.7.159 you are testing.  

Didn't get the meaning by what you mean by "This does not include". Do u
mean whether or not version 3.7.159 is vulnerable it shouldn't be
conscidered??

>> In my interpretation of the report the vendor is not stating that said
version 
>> is "unaffected".   

Here is the snip from the vendor's advisory which has the section
"unaffected" Products - 
http://download.zonelabs.com/bin/free/securityAlert/35.html

<snip> 
Unaffected Products: 
====================
ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, and
ZoneAlarm Security Suite version 6.0 or later automatically protect against
this attack in the default configuration.

ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, and
ZoneAlarm Security Suite version 5.5 are protected against this attack by
enabling the "Advanced Program Control" feature.
</snip>

I am sure you haven't missed this in the advisory. Now there are two points
that I raised in my response to ZA Labs advisory are - 

1. 	Vendor giving a subjective statement as ZA Pro is unaffected. Does
this mean all versions of ZA Pro are 
	unaffected ??? I am afraid this is not the case, as mentioned
earlier and stating it again that ZA Pro version 
	3.7.159 is vulnerable.

2.	Zone Labs statement to news.com contradicts its own advisory which
states - 

	<news @ news.com>
	The issue affects the popular free ZoneAlarm firewall and default
installations of version 5.5 and earlier of the 
	paid product, maker Zone Labs said in a security advisory on
Thursday. Default installations of the Check Point 
	Integrity Client are also affected, but the paid ZoneAlarm 6.0
products, released in July, are not, Zone Labs said.
	
	Read more...here:
	
http://news.com.com/Malicious+code+could+trick+ZoneAlarm+firewall/2100-1002_
3-5886488.html
	</news @ news.com>

	Well, the statement given to news.com by Zone Labs seems to be
contradicting its own advisory. As per the statement 	to news.com -> The
affected versions are : 
	-	free ZoneAlarm firewall and 
	-	default installations of version 5.5 and 
	-	earlier of the paid product 
	-	Default installations of the Check Point Integrity Client
are also affected

	This statement contradicts the advisory released by Zone Labs....

	
>> Ergo... time to upgrade! 

Funny that you still think I have gone ahead with the test and a public
disclosure without knowing that they have a nice upgraded version available
;-) Don't mind but incase you have not read the PoC completely then kindly
read the "Solution" section in the PoC where I have mentioned about the
"Upgrade". :) 

- D




-----Original Message-----
From: Paul Laudanski [mailto:zx@...tlecops.com] 
Sent: Sunday, October 02, 2005 11:43 PM
To: Debasis Mohanty
Cc: 'Zone Labs Security Team'; bugtraq@...urityfocus.com;
full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Different Claims by ZoneLabs on the
"Bypassing PersonalFirewall (Zone Alarm Pro) Using DDE-IPC" issue

On Sun, 2 Oct 2005, Debasis Mohanty wrote:

> Note: 
> This respose is especially towards Zone Labs Advisory on "Bypassing 
> PersonalFirewall (Zone Alarm Pro) Using DDE-IPC" issue.
> 
> 
> Hi,
> In your advisory
> (http://download.zonelabs.com/bin/free/securityAlert/35.html) 
> regarding this issue, you have mentioned that only the Free Version of 
> ZA is vulnerable and ZA Pro is in the un-affected list. Without 
> downplaying your advisory on this issue, I want to confirm that I have 
> tested this for ZA Pro 3.7.159 and found vulnerable. Although the current
version (6.0) is not vulnerable.
> 
> IMHO It will be a big mistake to conscider all versions of Zone Alarm 
> Pro is un-affected. ZoneLabs advisory on this is only valid for the 
> current version
> (6.0) of ZA Pro which I have tested and found it to be unaffected. 

Again, the ZAP report by the vendor indicates and I quote:

^^^
ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, and
ZoneAlarm Security Suite version 6.0 or later automatically protect against
this attack in the default configuration. 

ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, and
ZoneAlarm Security Suite version 5.5 are protected against this attack by
enabling the .Advanced Program Control. feature. 

Check Point Integrity client versions 6.0 and 5.1 are protected against this
attack by enabling the .Advanced Program Control. feature. 
^^^

This does not include the version 3.7.159 you are testing.  In my
interpretation of the report the vendor is not stating that said version 
is "unaffected".   Ergo... time to upgrade!

--
Paul Laudanski, Microsoft MVP Windows-Security CastleCops(SM),
http://castlecops.com



Powered by blists - more mailing lists