If you run ZoneAlarm or BlackICE, you might want to pay attention to this...

Old 02-16-04, 05:05 PM
  #1  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 37,808

eEye has discovered remote system-level vulnerabilities with both products, apparently affecting all versions of both.

http://www.eeye.com/html/Research/Up.../20040213.html

http://www.eeye.com/html/Research/Up...0040213-2.html

eEye is very legit. They discovered the recently announced ASN.1 vulns in MS NT/2K/XP.

Out of professional courtesy, eEye will not release any details on the vulns until the vendors have released patches to address them. You will want to patch your systems as soon as the patches are released.
jfoobar is offline  
Old 02-16-04, 08:46 PM
  #2  
DVD Talk God
 
Deftones's Avatar
 
Join Date: Oct 1999
Location: Arizona
Posts: 74,763
It appears that all Zone Labs wants people to do is update MS Windows with patch 828028. It links to the windows updater page.

So from the look of it, it's more a Microsoft issue that ZoneAlarm or BlackIce doesn't catch.

Thanks for the heads up.
Deftones is offline  
Old 02-17-04, 01:11 AM
  #3  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 37,808
Originally posted by Deftones, Esq
It appears that all Zone Labs wants people to do is update MS Windows with patch 828028. It links to the windows updater page.

So from the look of it, it's more a Microsoft issue that ZoneAlarm or BlackIce doesn't catch.

Thanks for the heads up.
I don't think that is it.
jfoobar is offline  
Old 02-17-04, 08:25 AM
  #4  
DVD Talk God
 
Deftones's Avatar
 
Join Date: Oct 1999
Location: Arizona
Posts: 74,763
Originally posted by JustinS
I don't think that is it.
Read this and tell me if I've missed something: http://download.zonelabs.com/bin/fre...tyAlert/7.html
Deftones is offline  
Old 02-18-04, 12:01 AM
  #5  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 37,808
Originally posted by Deftones, Esq
Read this and tell me if I've missed something: http://download.zonelabs.com/bin/fre...tyAlert/7.html
You've definitely missed something. That is nothing more than a ZoneLabs repackaging of the MS ASN.1 advisory posted on 100s of other security-related websites.

Also notice that the date of that advisory is 2/12, one day before eEye even reported the ZoneAlarm-related vulnerability and exploit to Checkpoint (who owns ZA).

The reason eEye has yet to post specific technical details about what they have discovered is that they are giving Checkpoint a chance to create a patch for the vulnerability before it is formally announced. This is how eEye and most other responsible infosec firms operate.

If you use ZA, you would be an unbelievable fool not to pay attention for the release of a new ZA version or patch in the next few weeks and upgrade/install immediately when it comes out. As soon as eEye posts the technical details, there will likely be exploit code available very soon after.
jfoobar is offline  
Old 02-18-04, 10:29 PM
  #6  
DVD Talk Godfather
 
Giantrobo's Avatar
 
Join Date: Apr 1999
Location: South Bay
Posts: 57,304
ZA sent a fix today. I assume it's for this problem.
Giantrobo is offline  
Old 02-19-04, 01:41 AM
  #7  
DVD Talk Gold Edition
 
Join Date: Jan 2002
Posts: 2,926
Originally posted by Giantrobo
ZA sent a fix today. I assume it's for this problem.
If it is then the vulnerability only affected those that used ZA on a mail server to my limited understanding.

http://download.zonelabs.com/bin/fre...tyAlert/8.html
abintra is offline  
Old 02-19-04, 02:47 AM
  #8  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 37,808
eEye still has not published. They will publish the second ZA releases a fix, I suspect.
jfoobar is offline  
Old 02-19-04, 02:55 PM
  #9  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 37,808
Looks like I suspected wrong. It took them a couple of hours.

The vulnerability that abintra's link refers to is the vulnerability that eEye discovered.

===================================================
Massive hole undermines ZoneAlarm firewall
Popular protection software requires upgrade
19 February 2004

By Kieren McCarthy, Techworld

The extremely popular firewall, ZoneAlarm, has been dealt a nasty blow with a "highly critical" security hole that allows system access to remote users i.e. the worst possible situation.

The hole affects the most recent version of ZoneAlarm - version 4 - and users with the software's update facility turned on were this morning warned to upgrade and asked to download and run a 4.8MB patching file.

The vulnerability itself is an unchecked buffer in the fundamental e-mail protocol SMTP. ZoneAlarm's creators Zone Labs warned that sufficiently exploited, "a skilled attacker could cause the firewall to stop processing traffic, execute arbitrary code, or elevate malicious code’s privileges".

However, the company only gives the hole a "Medium" warning explaining that for the hole to be exploited, the system would have to be acting as an SMTP server and that ZoneLabs "does not recommend using our client security products to protect servers".

The hole itself was discovered by eEye Digital Security - the company which shot to fame last week for discovering the huge ASN hole in Windows.

Zone Labs recommends that all ZoneAlarm users upgrade their software. It has posted a webpage covering the hole with download links to its upgrades.
===================================================

Although to assert that eEye shot to fame last week is pretty silly.
jfoobar is offline  
Old 02-19-04, 11:32 PM
  #10  
DVD Talk Gold Edition
 
Join Date: Jan 2002
Posts: 2,926
eEye's description of the flaw was a little misleading since it needed to be in a very specific environment and not "A remotely-exploitable vulnerability that allows anonymous attackers to compromise default installations of the affected software and gain the highest possible level of access (SYSTEM)."
abintra is offline  
Old 02-20-04, 12:00 AM
  #11  
DVD Talk Hero
Thread Starter
 
jfoobar's Avatar
 
Join Date: Jun 2000
Posts: 37,808
Originally posted by abintra
eEye's description of the flaw was a little misleading since it needed to be in a very specific environment and not "A remotely-exploitable vulnerability that allows anonymous attackers to compromise default installations of the affected software and gain the highest possible level of access (SYSTEM)."
What they said is 100% true. It is only misleading in that they do not mention in their pre-publication research that a program listening on 25/tcp is needed to facilitate the compromise. It still affects the default installation of multiple versions of ZA and successful exploit would lead to SYSTEM-level access.

There is a reason they don't mention this prior to ZA releasing a patch. It is professional courtesy to not provide any technical details whatsoever prior to patch release by the vendor.

If anything is misleading, it's ZoneLabs assigning a vulnerability that could lead to root via network a severity of "medium." They have taken quite a bit of **** for that in the security community.
jfoobar is offline  
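
Added example, not part of the original thread: the posts above say the flaw needs a program listening on 25/tcp on the protected machine, so this sketch checks a host for that precondition by parsing `netstat -ano` output. The sample output, PIDs and the function names `smtp_listeners` and `exposed` are constructed for illustration, and treating a loopback-only bind as not reachable from the network is this example's assumption.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1480
  TCP    127.0.0.1:2525         0.0.0.0:0              LISTENING       1480
  TCP    [::1]:25               [::]:0                 LISTENING       2012
  TCP    192.168.1.5:49160      203.0.113.7:25         ESTABLISHED     3344
  UDP    0.0.0.0:25             *:*                                    4
"""

def smtp_listeners(netstat_text, port=25):
    """Return [(bind_address, pid, loopback_only)] for TCP listeners on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # A TCP row has exactly: Proto, Local, Foreign, State, PID.
        # The header row and UDP rows (no State column) do not match.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _proto, local, _foreign, state, pid = fields
        if state.upper() != "LISTENING":
            continue  # outbound connections *to* port 25 are not listeners
        host, _, local_port = local.rpartition(":")
        if local_port != str(port):
            continue
        try:
            loopback = ipaddress.ip_address(host.strip("[]")).is_loopback
        except ValueError:
            loopback = False  # unparseable bind address: treat as exposed
        found.append((host, int(pid), loopback))
    return found

def exposed(netstat_text, port=25):
    """Listeners on `port` bound to something other than loopback."""
    return [entry for entry in smtp_listeners(netstat_text, port) if not entry[2]]

if __name__ == "__main__":
    for host, pid, loopback in smtp_listeners(SAMPLE):
        scope = "loopback only" if loopback else "reachable from the network"
        print(f"25/tcp listener on {host} (PID {pid}): {scope}")
```

On a real machine, feed the function the text captured from `netstat -ano` and map the reported PID to a process name before deciding whether the listener is expected.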
