FIX for ZoneAlarm & KB951748 issue released

Guest PA Bear [MS MVP]

Posted July 17, 2008

Re: ZoneAlarm

Re: ZoneAlarm

Start a free Windows Update support incident request:

https://support.microsoft.com/oas/default.aspx?gprid=6527

Support for Windows Update:

http://support.microsoft.com/gp/wusupport

For home users, no-charge support is available by calling 1-866-PCSAFETY in

the United States and in Canada or by contacting your local Microsoft

subsidiary. There is no-charge for support calls that are associated with

security updates. When you call, clearly state that your problem is related

to a Security Update and cite the update's KB number (e.g., KB951748).

For enterprise customers, support for security updates is available through

your usual support contacts.

--

~Robear Dyer (PA Bear)

MS MVP-Windows (IE, OE, Security, Shell/User)

AumHa VSOP & Admin; DTS-L.net

CharlieG wrote:

> I see how you could reach that assumption. I was afraid that this would

> be

> the answer.

>

> Another poster seems concerned about me turning off ZoneAlarm. But on

> this

> FINAL machine with problems I uninstalled ZoneAlarm completely so that is

> NOT a consideration.

<snip>

Guest Paul (Bornival)

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

Hi,

"Root Kit" wrote:

> On Wed, 16 Jul 2008 00:04:54 -0700, Paul (Bornival)

> <PaulBornival@discussions.microsoft.com> wrote:

>

> >I'll give a simple example where outbound control would have prevented what

> >was nearly a disaster.

>

> Would have? - So it was a disaster?

>

> >One of our computer was inadvertently infected by a

> >malware that used the Outlook address book of the user and start sending

> >e-mails to all addressees...

>

> The key issue here is:

>

> How did this malware get in? - and why was it allowed to run in the

> first place? Because that part is security related. The rest is just

> damage control based on blind luck.

Well, as you know, it came stupidly by someone "from outside" sending an

infected e-mail before our university firewall had been updated to catch it.

I agree that this was a fault, but history is full of fortresses that should

never had been caught but eventually were, sometimes by very simple tricks.

So, prtection from otside is good, but what do you do when the ennemy is

inside ...

>

> > If ZA would have been installed, this would not

> >have happened because it can be configured to block the sending of mass

> >e-mails.

>

> Sure. Unfortunately, it can be configured to do a lot of nonsense.

I'ma not sure about that. You can, of course, also make a lot of non-sense

with many programs including ZA, but I did not see too much problems here if

you are a bit careful. Conversely, the WinXP SP2 firewall is not so easy to

master... (mainly because MS likes, as in many other cases, uses names

different from what other people use to design well known porcessse, which is

a wel known marketing trick, but this is another isssue with MS).

>

> >Outbound protection may not catch everythig and is not perfect, but

> >why not using it if you can ?

>

> For the same reason you don't constantly wear a helmet just in case

> someone drops something from an aero plane.

See my comment above. For sure, the helmet is not the best thing, and this

is why policemen also have rifles (which I do not like, but ...).

>

> Outbound protection (host based) is not for free. It comes at a cost

> which can be hard for layman to asses. The added system complexity of

> installing a bunch of potentially vulnerable code of questionable

> quality and functionality and the cons that follow from that, must be

> weighed against the possible pros.

Can you be more specific in this. How much more resources are really needed

to set up outbound protection in addition to inbound. What is the payload in

terms of CPU and memory usage ? To be clear, I do not see much difference

during operation between computers with and without ZA. The difference is

defiitely in the booting time, but once this is over, no real difference at

least for me.

> You make a computer secure by removing unnecessary stuff and fixing

> what is broken - not by adding further potentially vulnerable code to

> an already insecure code base.

Again, not usre about that. If we were to follow you, the only solution is

to stop using Windows at all and moving to Linux or Apple... The problem

with Windows is that its design was indeed quite open (which eventually

explains its success) but also a bit irresponsible...

>

Guest Paul (Bornival)

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

"Root Kit" wrote:

> On Wed, 16 Jul 2008 00:07:46 -0700, Paul (Bornival)

> <PaulBornival@discussions.microsoft.com> wrote:

>

> >The sucessfull attacks on WinXP computers I was were before the introduction

> >of SP2. This was completely and effectively avoided after installing ZA.

>

> True - but could easily have been avoided by shutting down unnecessary

> services, adding a simple packet filter or activating the build-in

> one.

- shutting down servies is nice ... but the trouble is that the MS

documentatin is so poor that you never know what you really do when you shut

down a service ... untill someone comes and complain that things do not work

any longer as they did before... Then you realize that you better not shut

down any service ... (I could luch longer about that, but, believe me, ther

are so many softwares that capitalize on existing "default" Windows services

that you think twice before shutting one down...).

- packet filters are nice, but are you going to implement them on 30

computers with different requirements ...

- the build-in firewall was so well hidden that I only discovered its

existence by accident, and it was not very esay to master... I guess MS never

advertised it because they knew how weak and inefficient it was. If what I

say is not true, why did not advertise it ?

>

> >When SP2 was introduced, I compared ZA with the SP2 firewall, and found that

> >ZA was eventually easier to adjust to our needs. This is why I remained

> >faithfl to ZA (and I'm not the only one...).

>

> I wonder what your needs are.

Oh simple... a workgroup with 30 computers in peer-to-peer configuration and

in a very open environment (each computer ahs a PUBLIC IP address - do not

ask me why, this is so - but each needs to be reachable from outside by me

and a few other authorized persons...; no domain as we had no one to be its

administrator and if the domain server fails, evryting fails ...). Seems

crasy, but since we got ZA on all machines, we simply have no more any

problem ...

> >Note that turning off WinXP network services was not possible (or largely

> >unpractical) given our needs of communication between computers.

>

> How do you expect ZA to protect services you need to make available?

Well, did YOU really tested ZA ?

>

Guest Paul (Bornival)

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

"Kayman" wrote:

> On Wed, 16 Jul 2008 00:07:46 -0700, Paul (Bornival) wrote:

>

> > "Root Kit" wrote:

> >

> >> On Sun, 13 Jul 2008 18:03:01 -0700, Paul (Bornival)

> >> <PaulBornival@discussions.microsoft.com> wrote:

> >>> (I did so after seeing my unprotected WinXP computers so easily

> >>>attacked ...).

>

> Educational reading (not only for Vista users).

>

> Managing the Windows Vista Firewall

> http://technet.microsoft.com/en-us/magazine/cc510323.aspx

I am amazed by how strongly people linked to MS state that outbound

filtering is unecessary or even countreproductive. Yet, other people, not

linked to MS, think otherwise. Why is it so ?

>

Guest Kerry Brown

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

I don't think very many people that understand security think outbound

filtering is not a useful thing to do. Many people that understand how

computers work think that relying on a software firewall to stop something

that is running on the same computer and has the same or higher privileges

as the firewall isn't a good thing or even possible. Outbound filtering is

very useful for some situations. Outbound filtering to stop malware where

the filtering and the malware are on the same computer is a fool's game. For

security outbound filtering is best done by something that is not running on

the computer to be filtered. For other reasons, like blocking p2p traffic or

messenger traffic (i.e. non-malicious traffic) outbound filtering via

software on the computer works but I still prefer to do this elsewhere.

Filtering like this means you are trying to restrict the user from doing

something. Using software on the computer the computer to restrict the user

is also a fool's errand. Anyone who has physical access to the computer and

a little bit of knowledge can bypass it.

--

Kerry Brown

MS-MVP - Windows Desktop Experience: Systems Administration

http://www.vistahelp.ca/phpBB2/

http://vistahelpca.blogspot.com/

"Paul (Bornival)" <PaulBornival@discussions.microsoft.com> wrote in message

news:BC8524D9-8E8D-4B87-8BEA-6C371426A975@microsoft.com...

>

> "Kayman" wrote:

>

>> On Wed, 16 Jul 2008 00:07:46 -0700, Paul (Bornival) wrote:

>>

>> > "Root Kit" wrote:

>> >

>> >> On Sun, 13 Jul 2008 18:03:01 -0700, Paul (Bornival)

>> >> <PaulBornival@discussions.microsoft.com> wrote:

>> >>> (I did so after seeing my unprotected WinXP computers so easily

>> >>>attacked ...).

>>

>> Educational reading (not only for Vista users).

>>

>> Managing the Windows Vista Firewall

>> http://technet.microsoft.com/en-us/magazine/cc510323.aspx

>

> I am amazed by how strongly people linked to MS state that outbound

> filtering is unecessary or even countreproductive. Yet, other people, not

> linked to MS, think otherwise. Why is it so ?

>

>>

Guest H.S.

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

Paul (Bornival) wrote:

>

> I am amazed by how strongly people linked to MS state that outbound

> filtering is unecessary or even countreproductive. Yet, other people, not

> linked to MS, think otherwise. Why is it so ?

>

Looks like MS does not want to invest time and resources in developing a

full firewall and is thus marketing and trying to convince its users

that outbound control is unnecessary.

Historically, MS has wanted their OS to be used by dumb average Joe

users and thus tuned its system as such. Consequently, they compromised

on multiuser features, restricted user usage habits and proper computer

terminology. Result: Almost all users believe Windows must be run in

admin mode. They do not gain any basic knowledge about computers which

is commonplace among computer technologists (MS uses its own

nomenclature, as you mentioned, probably based on recommendations by

marketing drones). All this leads to significant ignorance of important

issues related to computer security.

But to be fair, these marketing strategies also resulted in the boom of

personal computer.

Also, the strict control over licenses also played a very important role

in making Linux what it is today: secure, open source and, these days,

with better GUI than Windows in many respects. Had Windows been "open",

maybe there would not have been as much impetus in making Linux distros

so user friendly. I have myself seen that current version of Ubuntu is

much more easier to install than Windows!

Guest H.S.

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

Kerry Brown wrote:

> I don't think very many people that understand security think outbound

> filtering is not a useful thing to do. Many people that understand how

> computers work think that relying on a software firewall to stop

> something that is running on the same computer and has the same or

> higher privileges as the firewall isn't a good thing or even possible.

> Outbound filtering is very useful for some situations. Outbound

Here is another one: I do not like that every time I open an MS

application (Word, Excel, Windows ... ), it tries to talk to Microsoft.

My firewall warns me about it and I deny it.

Now, I have no idea why the application is trying to phone home. Why

should it? The only reason I would accept is if it is trying to find

updates. Well, in that case, I would rather do that myself, thank you

very much. Online help? No, don't need it. Any other reasons? Sorry, now

you are invading my privacy.

Guest PA Bear [MS MVP]

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

H.S. wrote:

> Looks like MS does not want to invest time and resources in developing a

> full firewall and is thus marketing and trying to convince its users

> that outbound control is unnecessary.

No one here works for or represents MS, including MVPs.

The Windows Firewall is inbound/outbound.

Guest PA Bear [MS MVP]

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

H.S. wrote:

> Kerry Brown wrote:

>> I don't think very many people that understand security think outbound

>> filtering is not a useful thing to do. Many people that understand how

>> computers work think that relying on a software firewall to stop

>> something that is running on the same computer and has the same or

>> higher privileges as the firewall isn't a good thing or even possible.

>> Outbound filtering is very useful for some situations. Outbound

>

> Here is another one: I do not like that every time I open an MS

> application (Word, Excel, Windows ... ), it tries to talk to Microsoft.

> My firewall warns me about it and I deny it.

Office Help is now online, d00d. Wake up and smell the coffee.

Guest H.S.

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

PA Bear [MS MVP] wrote:

>> Here is another one: I do not like that every time I open an MS

>> application (Word, Excel, Windows ... ), it tries to talk to Microsoft.

>> My firewall warns me about it and I deny it.

>

> Office Help is now online, d00d. Wake up and smell the coffee.

Did you even read the rest of my post? Why are you snipping the relevant

parts?

Guest H.S.

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

PA Bear [MS MVP] wrote:

>

> The Windows Firewall is inbound/outbound.

On XP Pro? Didn't think so.

Guest Shenan Stanley

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

Conversation in entirety:

http://groups.google.com/group/microsoft.public.security/browse_frm/thread/f691e0bbe3886038/b3486be8412ee2af?lnk=st&q=#b3486be8412ee2af

This is one of those debates like *nix vs. Windows vs. OS X.

Nothing is proven on any side, examples abound (some truthful and realistic

from the single instance, some not so much) and nothing but emotions and

egos get exposed.

Personal experience and outside articles are quoted a lot. Some good for

that single instance in time, others pulled from myth and legend and still

others might actually hold up over scrutiny (the latter is often over-looked

in the debate and glossed over at every turn by those opposed to the topic.)

Ideas like "outbound only catches the stuff you already have and who says

the application in question did not just change your outbound rules as you

installed it so you still don't know you have it?" and "I like to know when

something attempts to 'call home'" seem to cover most of the arguments.

(Sound like "Windows has more security holes than other OSes" and "Macs just

don't get viruses"...? Yeah - same type of arguments. heh)

In the end - both are right, both are wrong. It's a personal preference.

It's a way of computing, a mind-set, a need. I know many people who have

ran many different OSes for many many years without a single instance of

infection/infestation and they run no antivirus software and no antispyware

software. They continuously (when someone finds out) get questions like

"how do you know you actually don't have a virus or spyware/adware if you

don't run anythign to prevent/check for it?"

In the end - I just go by the idea that making things more complicated is

seldom the proper course of action... Simplistic solutions are usually the

most effective and the most eloquent.

So which way do _I_ lean? Doesn't matter.

Each person has their own reasoning behind whatever it is they do. I have

used many different solutions (I do like to try things - see what I can

learn and find) - and I do offer advice on the ones I tried that seemingly

did their jobs without _over-complicating_ my life just to keep it working.

However - I know that will be different for each person, and I cannot say

which is less complicated for any one of them. Advice: Try each solution

*if* this whole topic has any importance to you.

All anyone here can offer is that someone practice some common sense. The

world is dangerous - your computer gives you options the rest of the world

does not (I cannot backup my car so that when I get in a wreck, I just

reload for near instant recovery) - use them. Protect yourself when you can

(Equate each of these to something on your computer: lock your doors to make

it harder for intruders to get in while you are there *or* away, wear a coat

when it is cold, wear sunglasses to protect your eyes, put on sunscreen to

protect your skin, brush your teeth to prevent cavities, pick up 'your

room', take out the garbage, cover your face when you cough/sneeze, store

copies of important documents(life insurance, will, deeds, etc) far away

from the originals, etc.)

I know someone could pull one (or more) argument for one side or the other

out of those - I could do it right now. heh

The point - if the solution for everyone was obvious and one-sided - there

would be no discussion. Being that each person is unique with differing

experiences and external facts that help support their own experiences - the

discussion is never-ending. Not one person here can definitively win their

argument (even if you get rid of every actual 'crazy argument' -- although

who decides that is yet another debate. hah)

Interesting that a discussion about a particular patch that exasperated a

problem in a particular piece of software could spawn a conversation along

these lines... And the subject line stays the same through out. Amazing

really.

--

Shenan Stanley

MS-MVP

--

How To Ask Questions The Smart Way

http://www.catb.org/~esr/faqs/smart-questions.html

Guest Kerry Brown

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

That is the only reason I can think of to use outbound filtering running on

the computer. Personally I'm not that paranoid about programs I install

phoning home. In most cases I prefer that they do. Specifically in

Microsoft's case I let it send the reports about how the program is working

on my computer. These reports are anonymous and used to improve the product

and fix bugs. For me that's a good thing. I do understand that some people

don't think about this in the same way. In most cases this reporting can be

turned off from within the program but it is often buried in an out of the

way place. If this is your concern then by all means install a 3rd party

firewall and use it to block this type of traffic. The whole point of my

posts is not related to this. The point I'm trying to make is that one

application cannot be relied on to block malicious outbound traffic from

another application on the same computer. The traffic you want to block is

not malicious or trying to hide in any way.

--

Kerry Brown

MS-MVP - Windows Desktop Experience: Systems Administration

http://www.vistahelp.ca/phpBB2/

http://vistahelpca.blogspot.com/

"H.S." <hs.samREMOVEMEix@google.com> wrote in message

news:e0JpJEF6IHA.4852@TK2MSFTNGP03.phx.gbl...

> Kerry Brown wrote:

>> I don't think very many people that understand security think outbound

>> filtering is not a useful thing to do. Many people that understand how

>> computers work think that relying on a software firewall to stop

>> something that is running on the same computer and has the same or higher

>> privileges as the firewall isn't a good thing or even possible. Outbound

>> filtering is very useful for some situations. Outbound

>

> Here is another one: I do not like that every time I open an MS

> application (Word, Excel, Windows ... ), it tries to talk to Microsoft. My

> firewall warns me about it and I deny it.

>

> Now, I have no idea why the application is trying to phone home. Why

> should it? The only reason I would accept is if it is trying to find

> updates. Well, in that case, I would rather do that myself, thank you very

> much. Online help? No, don't need it. Any other reasons? Sorry, now you

> are invading my privacy.

>

Guest Kayman

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

On Thu, 17 Jul 2008 13:07:01 -0700, Paul (Bornival) wrote:

<snip>

> - shutting down servies is nice ... but the trouble is that the MS

> documentatin is so poor that you never know what you really do when you shut

> down a service ... untill someone comes and complain that things do not work

> any longer as they did before... Then you realize that you better not shut

> down any service ... (I could luch longer about that, but, believe me, ther

> are so many softwares that capitalize on existing "default" Windows services

> that you think twice before shutting one down...).

Disable any unnecessary and potentially dangerous Services

Configure and adjust Services to suit your computing needs

Windows XP Service Pack 3 Service Configurations

http://www.blackviper.com/WinXP/servicecfg.htm

(This can be a tedious exercise but will bear fruits later on!).

Guest Kayman

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

On Thu, 17 Jul 2008 13:25:01 -0700, Paul (Bornival) wrote:

> "Kayman" wrote:

>

>> On Wed, 16 Jul 2008 00:07:46 -0700, Paul (Bornival) wrote:

>>

>>> "Root Kit" wrote:

>>>

>>>> On Sun, 13 Jul 2008 18:03:01 -0700, Paul (Bornival)

>>>> <PaulBornival@discussions.microsoft.com> wrote:

>>>>> (I did so after seeing my unprotected WinXP computers so easily

>>>>>attacked ...).

>>

>> Educational reading (not only for Vista users).

>>

>> Managing the Windows Vista Firewall

>> http://technet.microsoft.com/en-us/magazine/cc510323.aspx

>

> I am amazed by how strongly people linked to MS state that outbound

> filtering is unecessary or even countreproductive. Yet, other people, not

> linked to MS, think otherwise. Why is it so ?

>

>>

You are wrong! Keep on lurking and you'll see why :-)

Guest Leonard Grey

Posted July 17, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

"Looks like MS does not want to invest time and resources in developing

a full firewall..."

Sheesh, they got into enough trouble for bundling a web browser and a

media player. Now you want them to bundle a firewall?

---

Leonard Grey

Errare humanum est

H.S. wrote:

> Paul (Bornival) wrote:

>>

>> I am amazed by how strongly people linked to MS state that outbound

>> filtering is unecessary or even countreproductive. Yet, other people,

>> not linked to MS, think otherwise. Why is it so ?

>>

>

> Looks like MS does not want to invest time and resources in developing a

> full firewall and is thus marketing and trying to convince its users

> that outbound control is unnecessary.

>

> Historically, MS has wanted their OS to be used by dumb average Joe

> users and thus tuned its system as such. Consequently, they compromised

> on multiuser features, restricted user usage habits and proper computer

> terminology. Result: Almost all users believe Windows must be run in

> admin mode. They do not gain any basic knowledge about computers which

> is commonplace among computer technologists (MS uses its own

> nomenclature, as you mentioned, probably based on recommendations by

> marketing drones). All this leads to significant ignorance of important

> issues related to computer security.

>

> But to be fair, these marketing strategies also resulted in the boom of

> personal computer.

>

> Also, the strict control over licenses also played a very important role

> in making Linux what it is today: secure, open source and, these days,

> with better GUI than Windows in many respects. Had Windows been "open",

> maybe there would not have been as much impetus in making Linux distros

> so user friendly. I have myself seen that current version of Ubuntu is

> much more easier to install than Windows!

>

Guest Kayman

Posted July 18, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

On Thu, 17 Jul 2008 17:06:50 -0400, H.S. wrote:

> Kerry Brown wrote:

>> I don't think very many people that understand security think outbound

>> filtering is not a useful thing to do. Many people that understand how

>> computers work think that relying on a software firewall to stop

>> something that is running on the same computer and has the same or

>> higher privileges as the firewall isn't a good thing or even possible.

>> Outbound filtering is very useful for some situations. Outbound

>

> Here is another one: I do not like that every time I open an MS

> application (Word, Excel, Windows ... ), it tries to talk to Microsoft.

> My firewall warns me about it and I deny it.

>

> Now, I have no idea why the application is trying to phone home. Why

> should it? The only reason I would accept is if it is trying to find

> updates. Well, in that case, I would rather do that myself, thank you

> very much. Online help? No, don't need it. Any other reasons? Sorry, now

> you are invading my privacy.

The situation is very simple; If you don't trust an application then don't

install it in the first place!

Read EULA prior installing software and if deemed to be 'trustworthy' find

out reasons as to why it is phoning home. If you still don't like it

disable this function.

Guest Kayman

Posted July 18, 2008

Re: FIX for ZoneAlarm & KB951748 issue released

On Thu, 17 Jul 2008 17:02:23 -0400, H.S. wrote:

> Paul (Bornival) wrote:

>>

>> I am amazed by how strongly people linked to MS state that outbound

>> filtering is unecessary or even countreproductive. Yet, other people, not

>> linked to MS, think otherwise. Why is it so ?