Re: Advisory:Multiple Vulnerabilities in ZoneAlarm

[foobar () COTSE COM]

> Comments in line with text.

Likewise

> > Unfortunately, ZoneAlarm does not allow its users to maintain a true
> > understanding of their threat level and exposure. Attackers scanning a
> > system employing ZoneAlarm will go unnoticed when using the common Nmap
> > scan types ACK, FIN, Xmas, Window & Null. While these scans do not return
> > lists of open ports to the attacker, the ZoneAlarm user is not aware of
> > the probe or the possibility of attacks being directed against them.
>
> But the scans do not provide any information so where is the security issue?
> How is the typical home user at risk by not knowing that someone is scanning
> them and not receiving any replies?

Someone will find a use for this. Don't worry.

> > In addition, a window of opportunity exists during the boot process, which
> > allows a remote attacker access to shared resources available on the
> > ZoneAlarm protected device. If file sharing is enabled via Windows
>
> Did you actually test this?  Granted, Internet connectivity is available at
> a small point before the Zone Alarm services start but there is a very small
> window to be exploited.  Not only that, how do you suppose one detects when
> a Zone Alarm users reboots his machine?  Plus, you would have literally
> seconds (on my machines anyways) to get at the registry.  Plus, once Zone
> Alarm starts, the netbios connection will no longer function and you will
> not be able to finish any changes you have been making.

Tested on a win98 PII fulltime ethernet connection. About a 20 second delay.
Not acceptable. A new trojan can force a reboot and burrow in under that
window. "Real" firewalls will engage their engine before the NIC starts
communicating. Check against ICSA certification.

> > According to the manufacturer, "More than 8 million PC users have
> > downloaded ZoneAlarm", making it a very popular target indeed. Zone Labs
> > has been advised of these vulnerabilities and no patch or work around has
> > been provided.
>
> I don't agree.  The window of opportunity is 1.) Very small and 2.)
> Undetectable. The unreported port scans while they do not give the user any
> warning or information, they also do not give the attacker any information
> so I do not see where the harm is.

Where there is a window there is a way.

Including the NT permission structure.

Very simple. It needs to be fixed.

And as the advisory states: Multiple Vulnerabilities in ZoneAlarm

> Regards;
>
> Steve Manzuik
> Moderator - Win2KSecAdvice