SecurityTracker.com
Category:   Application (Firewall)  >   ZoneAlarm
Vendors:   Zone Labs
ZoneAlarm Pro 4.0 May Drop Some Firewall Rules When Upgrading From a Previous Version
SecurityTracker Alert ID:  1007156
SecurityTracker URL:  http://securitytracker.com/id/1007156
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 10 2003
Impact:   Host/resource access via network
Vendor Confirmed:  Yes  
Version(s): 4.0
Description:   A security issue was reported in ZoneAlarm Pro 4.0. Some of the connection blocking features are not supported in the new version, contrary to what the documentation may imply. Users who upgrade may find that certain firewall rules have been silently dropped during the conversion.

The ZoneAlarm Pro manual indicates that "port rules for Programs" from a previous version of the software will be automatically converted to "expert rules" when upgrading to version 4.0. However, it is reported that some rules will not be converted because the new version does not support them.

According to the report, the expert rules cannot be used to block a specific program's outbound connections on a specific port number, but the user interface may indicate or imply otherwise.

For example, a port rule in the older version that blocks Outlook Express from using port 80 in the outbound direction will not be supported after upgrading, the report indicated.

Impact:   A user of the firewall may be able to make connections that, under the previous version, would have been blocked.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.zonelabs.com/
Cause:   Configuration error
Underlying OS:  Windows (Any)

Message History:   None.
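
A post-upgrade check for the situation described above, as an added example that is not part of the advisory or the vendor's software: it compares a rule inventory recorded before the upgrade with the one present afterwards and lists block rules that nothing now covers. The `Rule` record layout and the sample rules are constructed for illustration; ZoneAlarm's own rule storage format is not described on this page.

```python
from dataclasses import dataclass


# Constructed record layout for this example (an assumption, not a vendor format).
@dataclass(frozen=True)
class Rule:
    program: str    # executable name, or "*" for any program
    direction: str  # "out" or "in"
    ports: range    # inclusive span lo..hi written as range(lo, hi + 1)
    action: str     # "block" or "allow"


def covers(new: Rule, old: Rule) -> bool:
    """True if `new` alone enforces at least what `old` enforced.

    Coverage assembled from several narrower rules is deliberately not
    credited, so such cases are reported for manual review.
    """
    return (
        new.action == old.action
        and new.direction == old.direction
        and new.program.lower() in ("*", old.program.lower())
        and new.ports.start <= old.ports.start
        and new.ports.stop >= old.ports.stop
    )


def dropped_rules(before, after):
    """Return pre-upgrade block rules that no post-upgrade rule covers."""
    return [
        old for old in before
        if old.action == "block" and not any(covers(new, old) for new in after)
    ]


# Constructed sample inventories. msimn.exe is the Outlook Express executable.
BEFORE = [
    Rule("msimn.exe", "out", range(80, 81), "block"),      # OE, port 80 outbound
    Rule("ftpclient.exe", "out", range(20, 22), "block"),  # hypothetical program
    Rule("browser.exe", "out", range(80, 81), "allow"),    # hypothetical program
]
AFTER = [
    Rule("*", "out", range(20, 22), "block"),              # broader rule, still covers
    Rule("browser.exe", "out", range(80, 81), "allow"),
]

if __name__ == "__main__":
    for r in dropped_rules(BEFORE, AFTER):
        print(f"NOT CARRIED OVER: {r.action} {r.program} {r.direction} "
              f"ports {r.ports.start}-{r.ports.stop - 1}")
```

An inventory comparison only finds rules that disappeared. The report also describes a rule that can be created in the new interface yet has no effect, which only a traffic test against the configured program will reveal.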


 Source Message Contents

Subject:  [Full-Disclosure] Zone Alarm Pro


Tested on Windows XP Home only.

Background:
------------

Due to the nature of the customers in my area and their lack of basic caring about what may be getting on to their systems, just caring
 about "Ease of use", I chose to use exactly what the major amount of my business customers would allow on their computers, being
 Win XP Home, ZA Pro, OE etc. The idea was that whatever would affect them would, hopefully, be found by me before they had it happen
 to them.

Problem:
--------

In doing this, I put ZA Pro on my system last year in order to check out "ease of use" which, once set up, was fine and given their
 strict email/browsing rules around here, seemed enough. Naturally, as they get spam and sometimes don't realise that which they are
 clicking on, I decided to use ZA Pro V3.7x to block port 80 outbound, for OE in an attempt to stop emails that they read "phoning
 home" and basically telling spammers, in the best scenario, that the mailbox is active no matter what they do with the email once
 read and in the worst scenario - well I leave that up to you. It is, to be sure, a basic way of handling things but when they pay
 you, then you have to make things easy if they flat out demand it and that was the case. In V3.7x this basic blocking - and blocking
 of other programs on other ports - worked and was "good enough" so long as I routinely visited them and checked out what they may
 have accumulated in the meantime. Then V4.x came out. The ability to block
 programs access per port had been totally removed. It had been replaced by "Expert Rules". A little investigation showed that
 now you could not define a port number of your choice to block but at least I could, according to those rules, block "HTTP" which
 I assumed, at first meant port 80 for OE and I set this up. That was where the problem started. I had mistakenly assumed it would
 work that way and in came a HTML email which contacted, on port 80, Internet in order to download graphics to put in the email. It
 actually did that. At first I thought it was my fault and did all sorts of permutations in order to fix the mistake but nothing changed.
 

Notification:
-------------

I notified Zone Labs starting 18th June 2003. Their first responses were that I had it set up wrong and I was willing to believe them,
 did what they said and it resulted in the same problem still being there. After a couple of emails back and forth, they finally told
 me that the rule that had existed in V3.7x had, in fact, been removed because "it wasn't being used" which is something I can't understand
 how they would know one way or another. They also NOW say that the "Expert Rules" are NOT meant to block OE outbound on port 80.
 However, when you set up a rule to do that using their predefined "HTTP" it actually defaults to port 80 according to the program
 then doesn't do a thing about it. According to Zone Labs, the ZA Pro can NOT block ANY program on port 80 any longer though the "Expert
 Rules" when set up, say something else.

Conclusion:
-----------

If you have customers who rely on you for the smooth running of their Windows machines and really don't understand the basics of a
 basic program like ZA Pro, you would be well advised to tell them NOT to update to V4.x and await the expiry date of their licence
 then find something that works properly.

Greg.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 



Copyright 2022, SecurityGlobal.net LLC