Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
ZoneAlarm Pro 4.0 May Drop Some Firewall Rules When Upgrading From a Previous Version
|
|
SecurityTracker Alert ID: 1007156 |
|
SecurityTracker URL: http://securitytracker.com/id/1007156
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jul 10 2003
|
Impact:
Host/resource access via network
|
Vendor Confirmed: Yes
|
Version(s): 4.0
|
Description:
A security issue was reported in ZoneAlarm Pro 4.0. Some of the connection blocking features are not supported in the new version, counter to what the documentation may imply. Users that are upgrading may find that certain firewall rules have been silently dropped during the conversion.
The ZoneAlarm Pro manual indicates that "port rules for Programs" from a previous version of the software will be automatically converted to "expert rules" when upgrading to version 4.0. However, it is reported that some rules will not be converted because the new version does not support them.
According to the report, the expert rules cannot be used to block a specific program's outbound connections on a specific port number, but the user interface may indicate or imply otherwise.
For example, a port rule in the older version that blocks Outlook Express from using port 80 in the outbound direction will not be supported after upgrading, the report indicated.
|
Impact:
A user of the firewall may be able to make connections that, under the previous version, would have been blocked.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.zonelabs.com/ (Links to External Site)
|
Cause:
Configuration error
|
Underlying OS:
Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 10 Jul 2003 08:00:44 +1000
Subject: [Full-Disclosure] Zone Alarm Pro
|
Tested on Windows XP Home only.
Background:
------------
Due to the nature of the customers in my area and their lack of basic caring about what may be getting on to their systems, just caring
about "Ease of use", I chose to use exactly what the major amount of my business customers would allow on their computers, being
Win XP Home, ZA Pro, OE etc. The idea was that whatever would affect them would, hopefully, be found by me before they had it happen
to them.
Problem:
--------
In doing this, I put ZA Pro on my system last year in order to check out "ease of use" which, once set up, was fine and given their
strict email/browsing rules around here, seemed enough. Naturally, as they get spam and sometimes don't realise that which they are
clicking on, I decided to use ZA Pro V3.7x to block port 80 outbound, for OE in an attempt to stop emails that they read "phoning
home" and basically telling spammers, in the best scenario, that the mailbox is active no matter what they do with the email once
read and in the worst scenario - well I leave that up to you. It is, to be sure, a basic way of handling things but when they pay
you, then you have to make things easy if they flat out demand it and that was the case. In V3.7x this basic blocking - and blocking
of other programs on other ports - worked and was "good enough" so long as I routinely visited them and checked out what they may
have accumulated in the meantime. Then V4.x came out. The ability to blo!
ck programs access per port had been totally removed. It had been replaced by "Expert Rules". A little investigation showed that
now you could not define a port number of your choice to block but at least I could, according to those rules, block "HTTP" which
I assumed, at first meant port 80 for OE and I set this up. That was where the problem started. I had mistakenly assumed it would
work that way and in came a HTML email which contacted, on port 80, Internet in order to download graphics to put in the email. It
actually did that. At first I thought it was my fault and did all sorts of permutations in order to fix the mistake but nothing changed.
Notification:
-------------
I notified Zone Labs starting 18th June 2003. Their first responses were that I had it set up wrong and I was willing to believe them,
did what they said and it resulted in the same problem still being there. After a couple of emails back and forth, they finally told
me that the rule that had existed in V3.7x had, in fact, been removed because "it wasn't being used" which is something I cant understand
how they would know one way or another. They also NOW say that the "Expert Rules" are NOT meant to block OE outbound on port 80.
However, when you set up a rule to do that using their predefined "HTTP" it actually defaults to port 80 according to the program
then doesn't do a thing about it. According to Zone Labs, the ZA Pro can NOT block ANY program on port 80 any longer though the "Expert
Rules" when set up, say something else.
Conclusion:
-----------
If you have customers who rely on you for the smooth running of their Windows machines and really don't understand the basics of a
basic program like ZA Pro, you would be well advised to tell them NOT to update to V4.x and await the expiry date of their licence
then find something that works properly.
Greg.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
Go to the Top of This SecurityTracker Archive Page
|
