|Home » Resources » Software » Reviews » ZoneAlarm Pro 3.0
6 Nov 2001 22:42:06
TooLeaky comes out.
Subject: Re: Yoooooo Hooooooo!
From: Tom Liston
Date: Tue, 6 Nov 2001 22:42:06
I forwarded you a 'Handler's Diary 11/05/01' from incidents.org.
At least I think I did... This gettin' up early is messing w/my head.
Here's the stuff of interest:
TooLeaky or 'Why Your Firewall Sucks'
Bob Sundling has written a program that shows that the 'added
protection' offered by firewalls performing outbound filtering is
purely illusory. Today's firewalls perform outbound filtering by
ensuring that only 'trusted programs' are allowed to send and
receive data. However, malicious applications can commandeer
'trusted programs' and use them to communicate with the network.
Mr. Sundling reasons:
'If a firewall is going to allow some program (such as Internet
Explorer) to transmit and receive data over the Internet, and that
program allows other programs to control its actions, then there's
no point in blocking anything at all.'
Concerning his proof of concept program, Mr. Sundling writes: 'This
program will penetrate every firewall currently on the market that
claims to offer 'outbound' protection, because it does not send or
receive data itself. Instead, it uses a hidden Internet Explorer
window to do it. And, of course, everybody allows Internet Explorer
to send and receive data, otherwise using the Internet would be a
big pain in the you-know-what.'
The code is written in C++ and is quite small, weighing in at less
than 4 KB. The driving concept behind the program is very important.
*Any* sensitive information could be transmitted to *any* remote
site using this method, and the transmission would be invisible to
today's firewalls' outbound filtering mechanisms.
See the extensively commented source code for more details. Mr.
Sundling's motivation for writing the program lies in recent
discussions surrounding Steve Gibson's LeakTest program.
Prev | TOC | Next