Security News

ZoneLabs will not fix a vulnerability in the free version of the ZoneAlarm firewall.

July 3, 2003

ZoneLabs executives confirmed they will not fix a security flaw found in the freeware version of its ZoneAlarm firewall. The company said the vulnerability was a problem in the Windows operating system, not its firewall, and that exploiting it would require too much effort and skill on the hacker's part.

To avoid the threat, ZoneLabs recommends that users switch from the freeware version to ZoneAlarm Pro or ZoneAlarm Plus.

Information about the vulnerability was submitted to the BugTraq mailing list on June 23 by a poster nicknamed "aceh".

According to the posting, the vulnerability involves the Windows shell32.dll file, which exposes the ShellExecute function. This function allows one of its parameters (lpFile) to be set to a web address. When the function is run, Windows opens the default web browser to access that address. Since the browser is an application the user has already allowed to reach the Internet, the web address passed to the function can carry user passwords and credit card numbers to a malicious web server. The user can even be redirected to a legitimate web address (such as www.microsoft.com) afterwards and will not suspect anything.

"Aceh" tested this on ZoneAlarm 3.1.395 (freeware) but claims "that all versions can be tricked if the user has granted access to his default web browser by default", which is very likely.

Although not stated clearly, in order to exploit the flaw the hacker would have to plant a Trojan on the victim's computer. Trojans are usually sent as email attachments or by some other means, and once executed or opened the Trojan infects the system.

"The likelihood of you being vulnerable with even our free product is very low," said Fred Felman, vice-president of products at ZoneLabs. "It would require you being very sloppy with how you treat your email and your email attachments, and what applications you allow access to the Internet." It would require code to be interjected on a PC either through administrative access or by opening a malicious email attachment, he said.

Furthermore, he said, since the vulnerability was tied to Windows, the vulnerability would also affect other firewall manufacturers and not just ZoneAlarm.

The situation recalls the well-known leak tests (Firehole, TooLeaky, etc.), which firewall developers at first refused to address, arguing that they exposed a Windows problem and not a flaw in the firewall. However, most firewall vendors eventually blocked those leak tests by adding DLL control features to their applications.

Ironically, ZoneLabs can make good use of this vulnerability by pushing users to switch from the freeware version to Pro or Plus in order to avoid the threat.

© 2006 PC Flank Ltd. All rights reserved.