RE: Unsecure file permission of ZoneAlarm pro.

["Matthew Farrenkopf" <farrenkm () ohsu edu>]

"Todd Towles" <toddtowles () brookshires com> 8/20/2004 9:15:58 AM:
> Sorry John,
>
> I was confused between "Failing Closed" and "Failing Open". If
integrity
> checks fail, no traffic is passed. That is better than Microsoft's
> simple reg disable hack. 

However, this would still make it prime for a DoS attack by the next
strain of e-mail virus.  And most users who are not knowledgeable (those
who would be opening the attachment in the first place) would probably
not understand why they, now, cannot connect to the Internet.

Matt

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of John
LaCour
Sent: Friday, August 20, 2004 5:40 AM
To: bipin gautam; full-disclosure () lists netsys com 
Cc: Zone Labs Security Team
Subject: RE: [Full-disclosure] Unsecure file permission of ZoneAlarm
pro.

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is absolutely no security issue here.

ZoneAlarm does not rely on file permissions to protect
any configuration files.   Configuration files are protected 
by our TrueVector(r) driver in the kernel. 

In addition to protecting configuration files against unauthorized
changes, there are additional integrity checks and other protection
mechanisms implemented for all policy configuration files.  Should any
policy configuration files fail integrity checks, the firewall will
fail
closed.

Again, no issue.

- --
John LaCour
Security Services Group Manager
Zone Labs LLC, A Check Point Company




> From: bipin gautam [mailto:visitbipin () yahoo com] 
> Sent: Thursday, August 19, 2004 7:51 PM
> To: full-disclosure () lists netsys com 
> Subject: [Full-disclosure] Unsecure file permission of ZoneAlarm
pro.
> Hello list,
>
> Zone Alarm stores its config. files in %windir%\Internet Logs\* . But

> strangely,
>
> ZoneAlarm sets the folder/file permission (NTFS) of %windir%\Internet

> Logs\* to,
>
> EVERYONE: Full
>
> after its first started.
>
> Even If you try to change the permission to...
>
> Administrator (s): full
> system: full
> users: read and execute
> [these are the default permissions]
>
> Strangely, the permission again changes back to...
> EVERYONE: Full each time
>
> ZoneAlarm Pro (ZAP) is started. I've tested these in zap 4.x and 5.x
>
>       This could prove harmful if we have a malicious program/user
running 
> with
>
> even with a user privilege on the system.
>
> Well a malicious program could modify those config file in a way ZAP

> will stop

[snip]

> Bipin Gautam

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQSXVCqeZbSyAsADEEQK9fgCeLLipKBn3Z7+PYj1E6GXkT0lubIgAnjCY
ssK9UOJxQn98yj/5x+tWiPzw
=OdxT
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html