Radsoft

Zone Labs: Anatomy of a Coverup

How angels stay clean and scandals stay silent.

Part Nine - Upping The Ante

Bob Sundling and Rob Keir recently discovered yet another way of fooling Zone Alarm - by hooking into the address space of an approved application.

This can be done with the SetWindowsHookEx API, a descendant of the SetWindowsHook API, which has been around for ages, perhaps as long as Windows itself (the autumn of 1983).

But note: This was not a news scoop orchestrated by John McAfee. This was not a bit of calculated hysteria thrown into the pot by Gibson on orders from his benefactor. From the point of view of M3 The McAfee Money Machine, this was an accident.

When asked by CNET to explain this latest blooper, Freund called it outright 'a Microsoft bug'. Zone Alarm need not eradicate SetWindowsHookEx to control outbound traffic. If it had been looking for traffic at the right level, neither 'trick' would ever have worked.

But SetWindowsHookEx is not a bug. And ironically, what neither of these programmers bothered to check, while they were climbing walls trying to get out of third-floor windows, was whether the front door might be unlocked and provide a much easier way out. A way that would have let them out even with the Internet Lock on 'full throttle', supposedly stopping ALL traffic.

The front door was indeed unlocked. In fact it was wide open.

Copyright © Radsoft. All rights reserved.