Bugtraq mailing list archives
Re: Zonealarm exports sensitive data
From: brett () LARIAT ORG (Brett Glass)
Date: Fri, 25 Feb 2000 18:17:28 -0700
It should be noted that BlackICE Defender, a competitive product, does precisely the same thing if one clicks on the "AdvICE" button. Since the attack information displayed by the program's graphical interface is quite brief (there's more in the log files, but only sophisticated users will know how to find and read them), users are strongly motivated to click the button. I do not know whether the URLs sent by either product are being used to gather statistics on the frequency of attacks or as a means of piracy detection. They certainly could be, if the vendors had a mind to do so. --Brett Glass At 12:40 AM 2/25/2000 , Andrew Daviel wrote:
ZoneAlarm by zonelabs.com can export possibly sensitive data if the "More Info" button is clicked from an alert. ZoneAlarm is a personal dynamic firewall for Windows 9x/NT. When a rule is triggered (typically an inbound connection to an unregistered or alarmed service) an alert box appears with a brief description of the event and a button labelled "More Info". When this is clicked a URL is passed to the user's Web browser sending information to Zone Labs' server for more detailed explanation. Currently (version 2.0.26) the information passed includes: Source Address and Port Destination Address and Port Operating system version Firewall version Whether the connection was blocked The lock status of the firewall All this information is sent in clear as an HTTP GET request (port 80). It could possibly be seen on the Internet in transit or in proxy logs, and may include information about machines on an internal network inside a corporate firewall. The request itself could be blocked by ZoneAlarm, but it is likely that the setting for the Web browser would allow it to access the external network (Internet). It is fairly simple to edit the .EXE file to disable this feature, or to redirect it to a local server. (IMO the benefits from using the product outweigh the risks of this data leak....) Andrew Daviel Vancouver Webpages etc.
Current thread:
- Re: How the password could be recover using FTP Explorer's registry!, (continued)
- Re: How the password could be recover using FTP Explorer's registry! Rishi Lee Khan (Feb 27)
- Re: How the password could be recover using FTP Explorer's registry! Mikael Olsson (Feb 26)
- Re: How the password could be recover using FTP Explorer's registry! Jeffrey Paul (Feb 28)
- lynx - someone is deaf and blind ;) Michal Zalewski (Feb 27)
- EZ Shopper 3.0 shopping cart CGI remote command execution suid () SUID KG (Feb 27)
- Re: EZ Shopper 3.0 shopping cart CGI remote command execution Alex Heiphetz (Feb 28)
- W2K & ~25000+ temp files = crash + corruption? Clifford Hammerschmidt (Feb 28)
- ALERT!: TendMicro InterScan (DOS & intrusion) Veille Technologique (Feb 28)
- Advisory: Foundry Networks ServerIron TCP/IP sequence predictability Andrew van der Stock (Feb 27)
- Zonealarm exports sensitive data Andrew Daviel (Feb 24)
- Re: Zonealarm exports sensitive data Brett Glass (Feb 25)
- Re: Zonealarm exports sensitive data Robert Graham (Feb 28)
- man bugs might lead to root compromise (RH 6.1 and other boxes) Michal Zalewski (Feb 26)
- Re: man bugs might lead to root compromise (RH 6.1 and other boxes) Mark Whitis (Feb 27)
- Re: man bugs might lead to root compromise (RH 6.1 and other boxes) H D Moore (Feb 27)
- Re: man bugs might lead to root compromise (RH 6.1 and other boxes) Michal Zalewski (Feb 28)
- Re: man bugs might lead to root compromise (RH 6.1 and other boxes) H D Moore (Feb 28)