Subject: Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro) Using DDE-IPC"
Date: Thu, 29 Sep 2005 16:43:00 -0700
Message-ID: <8D8863BB65A02F47A303E5B76661267102427DE8@exmb1.zonelabs.com.>
From: "Zone Labs Security Team" <security@zonelabs.com.>
To: <bugtraq@securityfocus.com.>, <full-disclosure@lists.grok.org.uk.>

Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro)
Using DDE-IPC"

Overview:
Debasis Mohanty published a notice about a potential security issue
with personal firewalls to several security email lists on
September 28th, 2005. Zone Labs has investigated his claims
and has determined that current versions of Zone Labs and
Check Point end-point security products are not vulnerable.

Description:
The proof-of-concept code published uses the Windows API function
ShellExecute() to launch a trusted program that is used to access
the network on behalf of the untrusted program, thereby accessing
the network without warning from the firewall.

Impact:
If successfully exploited, a malicious program may be able to
access the network via a trusted program. The ability to
access the network would be limited to the functionality of the
trusted program.

Unaffected Products:
ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
and ZoneAlarm Security Suite version 6.0 or later automatically
protect against this attack in the default configuration.

ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
and ZoneAlarm Security Suite version 5.5 are protected against
this attack by enabling the "Advanced Program Control" feature.

Check Point Integrity client versions 6.0 and 5.5 are protected
against this attack by enabling the "Advanced Program Control" feature.

Affected Products:
ZoneAlarm free versions lack the "Advanced Program Control"
feature and are therefore unable to prevent this bypass technique.

Recommended Actions:
Subscribers should upgrade to the latest version of their
ZoneAlarm product or enable the "Advanced Program Control" feature.

Related Resources:
Zone Labs Security Services http://www.zonelabs.com/security

Contact:
Zone Labs customers who are concerned about this vulnerability or
have additional technical questions may reach our Technical Support
group at: http://www.zonelabs.com/support/.
To report security issues with Zone Labs products contact
[email protected]. Note that any other matters sent to this
email address will not receive a response.

Disclaimer:
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information. Zone Labs and Zone Labs
products, are registered trademarks of Zone Labs LLC. and/or
affiliated companies in the United States and other countries.
All other registered and unregistered trademarks represented in
this document are the sole property of their respective
companies/owners.

Copyright: (c)2005 Zone Labs LLC. All rights reserved. Zone Labs,
TrueVector, ZoneAlarm, and Cooperative Enforcement are registered
trademarks of Zone Labs LLC. The Zone Labs logo, Check Point
Integrity and IMsecure are trademarks of Zone Labs, LLC. Check Point
Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat.
& TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC.
All other trademarks are the property of their respective owners.

Any reproduction of this alert other than as an unmodified copy of
this file requires authorization from Zone Labs. Permission to
electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are
reserved by Zone Labs LLC.
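
Added example (not part of the Zone Labs advisory, and not a description of how "Advanced Program Control" is implemented): a small policy model of the Description section, showing why a rule that evaluates only the program opening the connection allows a trusted program launched by an untrusted one, and how a launch-aware rule catches it. The process names, the TRUSTED and USER_SHELLS sets, and the assumption that the launcher is recorded as the parent process are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy data (assumptions, not taken from any product).
TRUSTED = {"iexplore.exe"}        # programs already allowed to reach the network
USER_SHELLS = {"explorer.exe"}    # launchers that represent direct user action


@dataclass
class Process:
    name: str
    parent: Optional["Process"] = None  # process that launched this one


def per_process_check(proc: Process) -> str:
    """Naive rule: only the process opening the socket is evaluated."""
    return "allow" if proc.name.lower() in TRUSTED else "prompt"


def launch_aware_check(proc: Process) -> str:
    """Hypothetical stricter rule: a trusted program keeps its network
    permission only if every launcher above it is trusted or a user shell."""
    if proc.name.lower() not in TRUSTED:
        return "prompt"
    node = proc.parent
    while node is not None:
        name = node.name.lower()
        if name not in TRUSTED and name not in USER_SHELLS:
            return "prompt"  # untrusted launcher is using the trusted program
        node = node.parent
    return "allow"


# Constructed process trees.
shell = Process("explorer.exe")
user_browser = Process("iexplore.exe", parent=shell)   # user opened the browser
untrusted = Process("unknown.exe", parent=shell)       # program with no permission
proxied = Process("iexplore.exe", parent=untrusted)    # browser launched by it


def compare() -> dict:
    """Return the decision of each rule for each constructed scenario."""
    cases = {"user_browser": user_browser, "untrusted": untrusted, "proxied": proxied}
    return {k: (per_process_check(p), launch_aware_check(p)) for k, p in cases.items()}


if __name__ == "__main__":
    for case, (naive, strict) in compare().items():
        print(f"{case:13s} per-process={naive:6s} launch-aware={strict}")
```
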