funsec mailing list archives

Malicious code could trick ZoneAlarm firewall


From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
Date: Fri, 30 Sep 2005 21:27:56 GMT

Via C|Net News:

[snip]

Malicious code masquerading as a trusted application could trick a firewall from ZoneAlarm into letting it connect to 
the Internet, security experts have warned.

The issue affects the popular free ZoneAlarm firewall and default installations of version 5.5 and earlier of the paid 
ZoneAlarm products, Zone Labs said in a security advisory on Thursday. Default installations of the Check Point 
Integrity Client are also affected, but the paid ZoneAlarm 6.0 products, released in July, are not, the company said.

"If successfully exploited, a malicious program may be able to access the network via a trusted program," Zone Labs, 
which is part of Check Point Software, said in its advisory. If the malicious program attempted a direct connection to 
the Internet, it would be blocked by the firewall.

An example of the technique was published earlier this week by security researcher Debasis Mohanty. The method uses a 
Windows mechanism for linking applications, according to Mohanty, who also said the problem may exist in other firewall 
products.

An attacker could trick the firewall by linking a malicious program, such as a keystroke logger, to another 
application, for example, Internet Explorer. When the keystroke logger subsequently sends its captured data out, the 
firewall would see IE accessing the Internet, not the spyware, and allow the connection.

[snip]

http://news.com.com/Malicious+code+could+trick+ZoneAlarm+firewall/2100-1002_3-5886488.html

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

