12 Nov 2001 21:55:20

Gregor starts the smoke machine.

Subject: FW: wired news story
   From: Michelle Delio
   Date: Mon, 12 Nov 2001 21:55:20
     To: Tom Liston, radsoft.net

Hi Guys,
Was sent out to cover the NYC crash early this am by a newswire 
service I contribute to (AFP) and had to reschedule the Zone Alarm 
interview. Meanwhile, answers to some 'starter' questions I emailed 
ZL are below. Note that I didn't identify either of you -- Tom, I 
said I had found a source who was willing to host a demo of the flaw 
and left it at that. ZA is interested in speaking to the 'source' 
but I'm not giving out any info until I get a go-ahead from you 
both.
If either of you wants to reply to the below, great. The major thing 
is the dll (see below) -- Rick, can you send me the dll he needs to 
run OB? Or do I send him a copy of my radsoft dll or what?... 
Apart from that, I'm totally brain dead, been breathing smoke and 
jet fuel all day, so I just glanced quickly at the below.
M

-----Original Message-----
From: Gregor Freund
Sent: Monday, November 12, 2001 1:35 PM
To: Michelle Delio
Cc: Te Smith; Mischa Garner
Subject: RE: wired news story


Michelle:

Sorry that we will be unable to speak this am. In the meantime I 
would like to respond to some of the questions you've raised. I 
still would appreciate the opportunity to talk to you:

1: Is zone alarm aware that data can pass through the firewall, 
underneath the socket level, without the product blocking or 
alerting users?

A: This is not correct. ZoneAlarm protects your system on two 
different levels:
- On the application level we determine if the application is 
allowed to access the Internet at all.
- On the adapter level we catch any unsolicited traffic from the 
outside and block any traffic that tries to bypass the application 
layer.

One possible cause for the misunderstanding is that our 
adapter-level firewall is not visible as a network driver using the 
standard Windows tools but links into NDIS (Microsoft Networking) 
dynamically. This is intentional because anything that's installed 
as an 'official' network driver could be uninstalled by another 
application such as a Trojan Horse. This is particularly an issue 
with Windows 95/98/ME.


2: What particularly concerned me was that the data could be 
transferred even after I engaged the 'internet lock' --all the other 
applications I had running did stop, but my drive was still 
accessible to the demo team via the internet. It would appear that 
there is no check at the packet level for outbound traffic --true?

A: Again, that's incorrect. Any traffic that bypasses the 
application layer gets automatically blocked. This has been 
independently confirmed by numerous sources and is an inherent 
design of ZoneAlarm. Unfortunately we are not able to recreate your 
environment and how your system has been modified - as I mentioned 
in an earlier email, the demo app you've sent us is missing a DLL 
module.


3: I was told that this is not a patchable issue, but is a design 
flaw that would require a major overhaul of ZoneAlarm. True?

A: Again, not true. This was always part of the core design of 
ZoneAlarm and ZoneAlarm Pro.


4: I happen to think that ZoneAlarm is an excellent product, and I 
have and will continue to recommend it highly to many people. But I 
am concerned that it's not as bulletproof as I believed it was. Will 
Zone alarm advise users that the product does not block all data 
transfer? What else should ZoneAlarm users be doing to truly lock 
down their machines? Perhaps a multi-tiered security plan?

A: Your support is appreciated and warranted, as the basic 
assumptions of your source are not correct. ZoneAlarm and ZoneAlarm 
Pro have a full dynamic stateful inspection firewall that blocks 
anything that bypasses the application layer. Having said this, there 
is always a chance that on an insecure operating system like Windows 
someone finds a way around both layers. However, that would be of a 
much more limited scope than the 'redesign' your source is 
suggesting. Normally, if such a rare instance comes to our attention 
we rapidly issue a fix and automatically notify the affected users 
that an upgrade is available.


5: Any other comments you'd like to make?

A: I am looking forward to discussing the issue further with you. In 
order to determine if there is a limited vulnerability it would be 
helpful if we could get a complete version of the test code and the 
version of Windows you're running. Preferably we would also like to 
talk to your source - which would be a more standard process to 
handle suspected vulnerabilities.


Best Regards,

Gregor Freund
CEO, Zone Labs, Inc.
1060 Howard Street
San Francisco, CA 94103
http://www.zonelabs.com
+1 415 341-8202 (direct)
+1 415 341-8200 (office)
+1 415 558-9161 (mobile)
+1 415 723-7297 (fax)
