Bugtraq mailing list archives

Re: Advisory:Multiple Vulnerabilities in ZoneAlarm


From: Steve <smanzuik () TELUSPLANET NET>
Date: Thu, 21 Dec 2000 11:11:37 -0700

Comments in line with text.


Unfortunately, ZoneAlarm does not allow its users to maintain a true
understanding of their threat level and exposure. Attackers scanning a
system employing ZoneAlarm will go unnoticed when using the common Nmap
scan types ACK, FIN, Xmas, Window & Null. While these scans do not return
lists of open ports to the attacker, the ZoneAlarm user is not aware of
the probe or the possibility of attacks being directed against them.

But the scans do not provide any information, so where is the security issue?
How is the typical home user at risk by not knowing that someone is scanning
them and not receiving any replies?

In addition, a window of opportunity exists during the boot process, which
allows a remote attacker access to shared resources available on the
ZoneAlarm protected device. If file sharing is enabled via Windows

Did you actually test this?  Granted, Internet connectivity is available at
a small point before the Zone Alarm services start but there is a very small
window to be exploited.  Not only that, how do you suppose one detects when
a Zone Alarm user reboots his machine?  Plus, you would have literally
seconds (on my machines anyways) to get at the registry.  Plus, once Zone
Alarm starts, the netbios connection will no longer function and you will
not be able to finish any changes you have been making.


According to the manufacturer, "More than 8 million PC users have
downloaded ZoneAlarm", making it a very popular target indeed. Zone Labs
has been advised of these vulnerabilities and no patch or work around has
been provided.

I don't agree.  The window of opportunity is 1.) Very small and 2.)
Undetectable. The unreported port scans, while they do not give the user any
warning or information, also do not give the attacker any information,
so I do not see where the harm is.

Regards;


Steve Manzuik
Moderator - Win2KSecAdvice
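
Added example, not part of the original post or the advisory: the scan types named in the quoted advisory (ACK, FIN, Xmas, Window, Null) can each be recognized from the TCP flags of an inbound segment that belongs to no known connection, which is what a firewall would need to check in order to log them. The function names, the threshold, and the sample addresses are assumptions, and treating any earlier SYN as a tracked connection is a simplification.

```python
# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags, tracked):
    """Name the scan type a lone inbound segment matches, or return None."""
    flags &= 0x3F
    if tracked or flags & (SYN | RST):
        return None                      # known connection, or SYN/RST (out of scope)
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == ACK:
        return "ack/window"              # ACK and Window scans send the same segment
    return None

def detect_scans(packets, threshold=3):
    """packets: (src, dst_port, flags) tuples in arrival order.
    Report sources probing >= threshold distinct ports with one scan type."""
    tracked, hits = set(), {}
    for src, port, flags in packets:
        if flags & SYN and not flags & ACK:
            tracked.add((src, port))     # simplification: SYN seen => tracked
            continue
        kind = classify_probe(flags, (src, port) in tracked)
        if kind:
            hits.setdefault(src, {}).setdefault(kind, set()).add(port)
    report = {}
    for src, kinds in hits.items():
        flagged = {k: sorted(p) for k, p in kinds.items() if len(p) >= threshold}
        if flagged:
            report[src] = flagged
    return report

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    ("198.51.100.7", 80, SYN), ("198.51.100.7", 80, ACK),        # normal session
    ("198.51.100.7", 80, PSH | ACK), ("198.51.100.7", 80, FIN | ACK),
    ("192.0.2.10", 21, FIN), ("192.0.2.10", 23, FIN), ("192.0.2.10", 139, FIN),
    ("192.0.2.11", 135, 0), ("192.0.2.11", 139, 0), ("192.0.2.11", 445, 0),
    ("192.0.2.12", 22, FIN | PSH | URG), ("192.0.2.12", 23, FIN | PSH | URG),
    ("192.0.2.13", 25, ACK), ("192.0.2.13", 80, ACK), ("192.0.2.13", 110, ACK),
]

if __name__ == "__main__":
    for src, kinds in detect_scans(SAMPLE).items():
        print(src, kinds)
```
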

