Bugtraq mailing list archives
Re: Advisory:Multiple Vulnerabilities in ZoneAlarm
From: foobar () COTSE COM
Date: Fri, 22 Dec 2000 12:40:14 -0500
Comments in line with text.
Likewise
Unfortunately, ZoneAlarm does not allow its users to maintain a true understanding of their threat level and exposure. Attackers scanning a system employing ZoneAlarm will go unnoticed when using the common Nmap scan types ACK, FIN, Xmas, Window & Null. While these scans do not return lists of open ports to the attacker, the ZoneAlarm user is not aware of the probe or the possibility of attacks being directed against them.
But the scans do not provide any information so where is the security issue? How is the typical home user at risk by not knowing that someone is scanning them and not receiving any replies?
Someone will find a use for this. Don't worry.
In addition, a window of opportunity exists during the boot process, which allows a remote attacker access to shared resources available on the ZoneAlarm protected device. If file sharing is enabled via Windows
Did you actually test this? Granted, Internet connectivity is available at a small point before the Zone Alarm services start but there is a very small window to be exploited. Not only that, how do you suppose one detects when a Zone Alarm user reboots his machine? Plus, you would have literally seconds (on my machines anyways) to get at the registry. Plus, once Zone Alarm starts, the netbios connection will no longer function and you will not be able to finish any changes you have been making.
Tested on a win98 PII fulltime ethernet connection. About a 20 second delay. Not acceptable. A new trojan can force a reboot and burrow in under that window. "Real" firewalls will engage their engine before the NIC starts communicating. Check against ICSA certification.
According to the manufacturer, "More than 8 million PC users have downloaded ZoneAlarm", making it a very popular target indeed. Zone Labs has been advised of these vulnerabilities and no patch or work around has been provided.
I don't agree. The window of opportunity is 1.) Very small and 2.) Undetectable. The unreported port scans while they do not give the user any warning or information, they also do not give the attacker any information so I do not see where the harm is.
Where there is a window there is a way. Including the NT permission structure. Very simple. It needs to be fixed. And as the advisory states: Multiple Vulnerabilities in ZoneAlarm
Regards; Steve Manzuik Moderator - Win2KSecAdvice
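The logging gap debated in this thread can be seen from the defender's side. The following is an added example, not code from the advisory or from any poster: it labels inbound TCP headers by flag pattern so that Null, FIN, Xmas and stateless ACK probes produce an alert. The function names, the sample headers and the simplified flow table are all assumptions made for illustration.

```python
import struct

# Classic TCP flag bits (low six bits of header bytes 12-13).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_header(sport, dport, flags):
    """Build a constructed 20-byte TCP header (seq/ack/checksum zeroed)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)

def classify(header, known_flows):
    """Label one inbound header; known_flows is a simplified state table."""
    sport, dport, _, _, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", header[:20])
    flags = off_flags & 0x3F
    flow = (sport, dport)
    if flags == 0:
        return "null-probe"            # no flags set at all
    if flags == FIN:
        return "fin-probe"             # a legitimate FIN also carries ACK
    if flags == FIN | PSH | URG:
        return "xmas-probe"
    if flags & SYN and not flags & ACK:
        known_flows.add(flow)          # connection attempt: remember the flow
        return "syn"
    if flags & RST:
        known_flows.discard(flow)
        return "rst"
    if flags & ACK and flow not in known_flows:
        # ACK and Window scans send the same packet; they differ only in
        # how the scanner reads the RST that comes back.
        return "unsolicited-ack"
    return "normal"

def alerts(headers):
    """Return the labels that a personal firewall should surface to the user."""
    known, out = set(), []
    for h in headers:
        label = classify(h, known)
        if label.endswith("-probe") or label == "unsolicited-ack":
            out.append(label)
    return out

# Constructed sample traffic: four probes to port 139, then a normal session.
SAMPLE = [
    tcp_header(40000, 139, 0),
    tcp_header(40001, 139, FIN),
    tcp_header(40002, 139, FIN | PSH | URG),
    tcp_header(40003, 139, ACK),
    tcp_header(40004, 80, SYN),
    tcp_header(40004, 80, ACK),
    tcp_header(40004, 80, FIN | ACK),
]

if __name__ == "__main__":
    print(alerts(SAMPLE))
```

A real state table would also key on IP addresses and direction; the port-pair key here only keeps the example short.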