ZoneAlarm Pro 3.0
12 Nov 2001 21:55:20
Gregor starts the smoke machine.
Subject: FW: wired news story
From: Michelle Delio
Date: Mon, 12 Nov 2001 21:55:20
To: Tom Liston, radsoft.net
Hi Guys,
Was sent out to cover the NYC crash early this a.m. by a newswire
service I contribute to (AFP) and had to reschedule the Zone Labs
interview. Meanwhile, answers to some 'starter' questions I emailed
ZL are below. Note that I didn't identify either of you -- Tom, I
said I had found a source who was willing to host a demo of the flaw
and left it at that. ZA is interested in speaking to the 'source'
but I'm not giving out any info until I get a go-ahead from you
both.
If either of you wants to reply to the below, great. The major thing
is the DLL (see below) -- Rick, can you send me the DLL he needs to
run OB? Or do I send him a copy of my radsoft DLL, or what?
Apart from that, I'm totally brain dead, been breathing smoke and
jet fuel all day, so I just glanced quickly at the below.
M
-----Original Message-----
From: Gregor Freund
Sent: Monday, November 12, 2001 1:35 PM
To: Michelle Delio
Cc: Te Smith; Mischa Garner
Subject: RE: wired news story
Michelle:
Sorry that we will be unable to speak this a.m. In the meantime I
would like to respond to some of the questions you've raised. I
would still appreciate the opportunity to talk to you:
1: Is ZoneAlarm aware that data can pass through the firewall,
underneath the socket level, without the product blocking or
alerting users?
A: This is not correct. ZoneAlarm protects your system on two
different levels:
- On the application level we determine if the application is
allowed to access the Internet at all.
- On the adapter level we catch any unsolicited traffic from the
outside and block any traffic that tries to bypass the application
layer.
One possible cause for the misunderstanding is that our
adapter-level firewall is not visible as a network driver using the
standard Windows tools but links into NDIS (Microsoft Networking)
dynamically. This is intentional because anything that's installed
as an 'official' network driver could be uninstalled by another
application such as a Trojan Horse. This is particularly an issue
with Windows 95/98/ME.
2: What particularly concerned me was that the data could be
transferred even after I engaged the 'internet lock' -- all the other
applications I had running did stop, but my drive was still
accessible to the demo team via the internet. It would appear that
there is no check at the packet level for outbound traffic -- true?
A: Again, that's incorrect. Any traffic that bypasses the
application layer gets automatically blocked. This has been
independently confirmed by numerous sources and is an inherent
design of ZoneAlarm. Unfortunately we are not able to recreate your
environment and how your system has been modified -- as I mentioned
in an earlier email, the demo app you've sent us is missing a DLL
module.
3: I was told that this is not a patchable issue, but is a design
flaw that would require a major overhaul of ZoneAlarm. True?
A: Again, not true; this was always part of the core design of
ZoneAlarm and ZoneAlarm Pro.
4: I happen to think that ZoneAlarm is an excellent product, and I
have and will continue to recommend it highly to many people. But I
am concerned that it's not as bulletproof as I believed it was. Will
ZoneAlarm advise users that the product does not block all data
transfer? What else should ZoneAlarm users be doing to truly lock
down their machines? Perhaps a multi-tiered security plan?
A: Your support is appreciated and warranted, as the basic
assumptions of your source are not correct. ZoneAlarm and ZoneAlarm
Pro have a full dynamic stateful inspection firewall that blocks
anything that bypasses the application layer. Having said this, there
is always a chance that on an insecure operating system like Windows
someone finds a way around both layers. However, that would be of a
much more limited scope than the 'redesign' your source is
suggesting. Normally, if such a rare instance comes to our attention,
we rapidly issue a fix and automatically notify the affected users
that an upgrade is available.
5: Any other comments you'd like to make?
A: I am looking forward to discussing the issue further with you. In
order to determine if there is a limited vulnerability, it would be
helpful if we could get a complete version of the test code and the
version of Windows you're running. Preferably, we would also like to
talk to your source -- which would be a more standard process to
handle suspected vulnerabilities.
Best Regards,
Gregor Freund
CEO, Zone Labs, Inc.
1060 Howard Street
San Francisco, CA 94103
http://www.zonelabs.com
+1 415 341-8202 (direct)
+1 415 341-8200 (office)
+1 415 558-9161 (mobile)
+1 415 723-7297 (fax)