Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
[VulnDiscuss] Vendor response to "Local ZoneAlarm Firewall (probably all versions - tested on v3.1)"
From: Corey Bridges (cbridgeszonelabs.com)
Date: Wed Aug 06 2003 - 22:40:05 CDT
[Hello. I apologize for sending this response to your vulnerability-reporting address, but it doesn't appear that you have a separate address for responses to the alerts you post. This is in response to Lord YuP's report, which he did not inform us of prior to posting. Please don't hesitate to contact me at the contact info below for additional information. Thank you.]
Following is the official Zone Labs response to "Local ZoneAlarm Firewall (probably all versions - tested on v3.1)" originally written by Lord YuP.
Chief Editor of E-Communities
Zone Labs, Inc.
Zone Labs response to Device Driver Attack
OVERVIEW: This vulnerability describes a way to send unauthorized commands to a Zone Labs device driver and potentially cause unexpected behavior. This proof-of-concept exploit represents a relatively low risk to Zone Labs users. It is a “secondary” exploit that requires physical access to a machine or circumvention of other security measures included in Zone Labs consumer and enterprise products to exploit. We are working on a fix and will release it within 10 days.
EXPLOIT: The demonstration code is a proof-of-concept example that describes a potential attack against the Zone Labs device driver that is part of the TrueVector client security engine. In the exploit, a malicious application sends unauthorized commands to this device driver. The author also claims that this could potentially compromise system security. While we have verified that unauthorized commands could be sent to the device driver, we have not been able to verify that this exploit can actually affect system security. The code sample published was intentionally incomplete, to prevent malicious hackers from using it.
RISK: We believe that the immediate risk to users from this exploit is low, for several reasons: this is a secondary attack, not a primary vulnerability created or allowed by our product. Successful exploitation of this vulnerability would require bypassing several other layers of protection in our products, including the stealth firewall and/or MailSafe email protection. To our knowledge, there are no examples of malicious software exploiting this vulnerability. Further, the code sample was written specifically to attack ZoneAlarm 3.1, an older version of our software.
SOLUTION: Security for our users is our first concern, and we take reports of this kind seriously. We will be updating our products to address this issue by further strengthening protection for our device driver and will make these updates available in the next 10 days. Registered users who have enabled the "Check for Update" feature in ZoneAlarm, ZoneAlarm Plus, or ZoneAlarm Pro are informed by the software automatically whenever a new software update is released. Zone Labs will provide guidance to Integrity administrators regarding updating their client software.
CONTACT: Zone Labs customers who are concerned about the proof-of-concept Device Driver Attack or have additional technical questions may reach our Technical Support group at: http://www.zonelabs.com/store/content/support/support.jsp <http://www.zonelabs.com/store/content/support/support.jsp>
ACKNOWLEDGEMENTS: Zone Labs would like to thank Lord YuP for bringing this issue to our attention. However, we would prefer to be contacted at securityzonelabs.com <mailto:securityzonelabs.com> prior to publication, in order to allow us to address any security issues up front.