Vulnwatch mailing list archives

Vendor response to "Local ZoneAlarm Firewall (probably all versions - tested on v3.1)"


From: "Corey Bridges" <cbridges () zonelabs com>
Date: Wed, 6 Aug 2003 20:40:05 -0700

[Hello. I apologize for sending this response to your vulnerability-reporting address, but it doesn't appear that you 
have a separate address for responses to the alerts you post. This is in response to Lord YuP's report, which he did 
not inform us of prior to posting. Please don't hesitate to contact me at the contact info below for additional 
information. Thank you.]
 
 

Following is the official Zone Labs response to "Local ZoneAlarm Firewall (probably all versions - tested on v3.1)" 
originally written by Lord YuP. 

Corey Bridges
Chief Editor of E-Communities
Zone Labs, Inc.
(v) 415.341.8355
(f) 415.341.8299

***

 

Zone Labs response to Device Driver Attack

 

OVERVIEW:  This vulnerability describes a way to send unauthorized commands to a Zone Labs device driver and 
potentially cause unexpected behavior. This proof-of-concept exploit represents a relatively low risk to Zone Labs 
users.  It is a “secondary” exploit that requires physical access to a machine or circumvention of other security 
measures included in Zone Labs consumer and enterprise products to exploit. We are working on a fix and will release it 
within 10 days.

 

EXPLOIT: The demonstration code is a proof-of-concept example that describes a potential attack against the Zone Labs 
device driver that is part of the TrueVector client security engine. In the exploit, a malicious application sends 
unauthorized commands to this device driver. The author also claims that this could potentially compromise system 
security. While we have verified that unauthorized commands could be sent to the device driver, we have not been able 
to verify that this exploit can actually affect system security. The code sample published was intentionally 
incomplete, to prevent malicious hackers from using it. 

 

RISK: We believe that the immediate risk to users from this exploit is low, for several reasons: this is a secondary 
attack, not a primary vulnerability created or allowed by our product. Successful exploitation of this vulnerability 
would require bypassing several other layers of protection in our products, including the stealth firewall and/or 
MailSafe email protection. To our knowledge, there are no examples of malicious software exploiting this vulnerability. 
Further, the code sample was written specifically to attack ZoneAlarm 3.1, an older version of our software. 

 

SOLUTION: Security for our users is our first concern, and we take reports of this kind seriously. We will be updating 
our products to address this issue by further strengthening protection for our device driver and will make these 
updates available in the next 10 days. Registered users who have enabled the "Check for Update" feature in ZoneAlarm, 
ZoneAlarm Plus, or ZoneAlarm Pro are informed by the software automatically whenever a new software update is released. 
Zone Labs will provide guidance to Integrity administrators regarding updating their client software.

 

CONTACT: Zone Labs customers who are concerned about the proof-of-concept Device Driver Attack or have additional 
technical questions may reach our Technical Support group at: http://www.zonelabs.com/store/content/support/support.jsp

 

ACKNOWLEDGEMENTS: Zone Labs would like to thank Lord YuP for bringing this issue to our attention. However, we would 
prefer to be contacted at security () zonelabs com prior to publication, in order to 
allow us to address any security issues up front.

 

 

