Jump to content

FIX for ZoneAlarm & KB951748 issue released


Recommended Posts

Guest Harry Johnston [MVP]
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

John John (MVP) wrote:

>> As far as I recall, nobody in this thread has ever said otherwise. The

>> discussion is about software firewalls, after all!

> Read Kayman's posts, specifically:

 

[John John quoting Kayman:] "Fact: Outbound control on an XP platform as a

security measure against malware is still utter nonsense. The windows platform

was designed with usability in mind providing all kinds of possibilities for

e.g. inter-process communication."

 

Kayman is obviously talking about software firewalls here, since otherwise IPC

would be irrelevant. I can't speak for Kayman, of course, but I'd guess he

simply missed the fact that you'd unexpectedly changed the subject.

 

... on the other hand, and speaking only for myself, I don't see how external

egress filtering is going to help much; how is the device to distinguish between

legitimate and illegitimate traffic? (Well, OK, there's the obvious case of

spam engines, but apart from that ...)

 

Harry.

Guest Harry Johnston [MVP]
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

Paul (Bornival) wrote:

> Any idea why ZA assumed those changes were due to malware infection.

 

I would guess it simply assumed that /any/ change to the network stack must be

due to malware. The real answer may be more complex than this, but only the

developers could provide it.

 

Harry.

Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

Microsoft patch knocks some ZoneAlarm users offline:

**Firewall's hooks into Windows XP kernel the cause, says ZoneAlarm**

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108298

 

-jen

 

"Paul (Bornival)" <PaulBornival@discussions.microsoft.com> wrote in

message news:7C0F355E-FB21-4DAD-BB25-860799FE8FEA@microsoft.com...

> nOh, thank you.

> Any idea why ZA assumed those changes were due to malware infection.

> I like

> to know the details sice, after all, software is not "magic" but

> somethig

> made by a human (and therefore, intelligible by another human) to be

> used by

> a machine (and not the opposite).

> Paul.

>

> "Harry Johnston [MVP]" wrote:

>

>> Paul (Bornival) wrote:

>>

>> > Thank you for your reply. I checked these forums but could not

>> > find

>> > specific information. Do you know which files were modified and

>> > why ZA could

>> > not cope with them ?

>>

>> The Microsoft KB article describes the files that the update

>> replaces:

>>

>> http://support.microsoft.com/kb/951748

>>

>> <http://support.microsoft.com/kb/951748>

>>

>> I haven't confirmed this myself, but my understanding is that ZA

>> assumed that

>> the changes were due to malware infection and refused to use the

>> files.

>>

>> Harry.

>>

Guest Harry Johnston [MVP]
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

jen wrote:

> Microsoft patch knocks some ZoneAlarm users offline:

> **Firewall's hooks into Windows XP kernel the cause, says ZoneAlarm**

> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108298

 

Thanks. This description doesn't gibe completely with some of the reported

behaviour (in particular the claim that reinstalling ZoneAlarm fixed the issues)

but perhaps the reports were confused.

 

Be that as it may, the only situation I see where Microsoft could rightly be

blamed is if Zone Alarm had asked to receive pre-release versions of updates for

testing and Microsoft had refused. Microsoft can't reasonably be expected to

bear the cost of testing third-party products with new updates (particularly

those using undocumented techniques to pervert the functioning of the operating

system) but they should of course be cooperative with reputable third-party vendors.

 

Harry.

Guest Kayman
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Mon, 21 Jul 2008 14:20:08 -0300, John John (MVP) wrote:

> Kayman wrote:

>> On Mon, 21 Jul 2008 09:14:31 -0300, John John (MVP) wrote:

>>

>>

>>>Kayman wrote:

>>>

>>>

>>>>Fact:

>>>>The only reasonable way to deal with malware is to prevent it from being

>>>>run in the first place. That's what AV software or Windows' System

>>>>Restriction Policies are doing. And what 3rd party Personal (so-called)

>>>>Firewalls fail to do!

>>>>

>>>>John John (MVP), would you please educate and inform yourself by studying

>>>>publications not associated with any COMMERCIAL influence. Additionally,

>>>>the authors of these publications can be contacted....why don't you bite

>>>>the bullet and do so? It'll brighten your horizon and you could pass on

>>>>your newly acquired knowledge to this and other newsgroups.

>>>

>>>Only a fool...

>>

>>

>> You just can't help yourself, can you.

>> Name calling does not hide your immaturity.

>>

>>

>>>...would claim that proper egress control has no place in network security.

>>

>>

>> Where precisely did I claim that?

>>

>>

>>>Even the experts at Microsoft advise users to protect their data with

>>>egress control.

>>

>>

>> Which 3rd party personal (so-called) firewall is MSFT recommending?

>> Where are links, URL's, publications?

>>

>>

>>>You, of course, also know better than the folks at Microsoft.

>>

>>

>> Your assumption is nothing but an assumption (you've got to replace that

>> crystal ball). And who in particular from MSFT are you referring to? I'd be

>> genuinely interested to read their write-ups. If you're referring to the

>> authors already mentioned in this thread, please point me to their

>> publication(s) which state that 3rd party personal (so-called) firewall is

>> an effective tool for controlling egress traffic.

>> It seems you either totally not understanding my point or deliberately

>> evading the issue!

>> MSFT knows exactly well that outbound application protection is an

>> illusion, which is why they don't offer such a (phony-baloney) thing.

>> Unlike you, they understand the nature of their operating system, and are

>> even honest enough to admit that outbound control is way too unreliable.

>> Even commercial enterprises like Sunbelt, makers of Kerio and Steve Gibson

>> of Gibson Research Corporation have finally conceded this fact!

>> Now don't change directions here and twist this straightforward post into a

>> convoluted psychedelic drivel.

>> John John (MVP), WHERE IS THE BEEF? SHOW US THE MONEY! PUT UP OR SHUT UP!

>

> You constantly shift the discussion from the value of proper egress

> filtering to software firewalls, even though I have said right from the

> start that egress filtering at the firewall can be foiled and that users

> should consider better methods. So get it in your thick skull, egress

> filtering at a perimeter appliance is a sound security measure, even the

> folks at Microsoft will tell you this:

> http://msdn.microsoft.com/en-us/library/aa302431.aspx

>

> Now maybe you should read what is says there and get a grip on yourself,

> you don't know all that there is to know about network security and data

> protection! Quite frankly you should not be one to speak of drivel, you

> spew enough of it yourself! If you are really too stupid to recognize

> the purpose and usefulness of egress traffic control then you are indeed

> lacking in the basics of network and data security!

>

 

This thread is about what the original heading suggests; It later graduated

to security issues in relation to 3rd party personal (so-called) firewalls.

 

I reiterate, this thread is about 3rd party personal (so-called)

firewall(s)! My posts and responses were composed accordingly!

 

If anybody is running around like a headless chicken it is you.

 

The sole purpose for snipping my posts so cleverly is to save your face; It

enables you to take my responses out of context which is a sorry attempt

for trying to re-establish your credibility!

 

After reading my posts in their *UNCUT* version, anybody with average

reading skills and moderate level of comprehension see through your 'game'.

 

John John (MVP), After you've wiped the tons of eggs from your face, I

suggest you never ever touch that subject again, change your name, sell

your house and migrate to Andorra or Lesotho then join a yacht club and

teach sailing.

 

I am done with you.

Guest Kayman
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Mon, 21 Jul 2008 17:19:54 -0700, Anthony Buckland wrote:

> "Kayman" <kaymanDeleteThis@operamail.com> wrote in message

> news:e1JqD046IHA.4864@TK2MSFTNGP06.phx.gbl...

>> On Mon, 21 Jul 2008 09:22:07 -0700, Paul (Bornival) wrote:

>> ...

>> Don't know (can't locate) any technical reasons re incompatiblity. My

>> guess

>> is that ZA just did not realize the impact KB951748 would have to their

>> software. For the ZA users, this actually would be an interesting question

>> to ask in their forum.

>

> Believe me, it's been all over the ZoneAlarm forum. The first thing

> you see now when you enter the forum is a

>

> G R E A T B I G W A R N I N G

>

> about the situation and its fix.

 

Okay, okay, okay; I believe you! I have no reasons for visiting that

particular forum. What have/had the *moderators* (not the posters) to say

in relations to the DNS issue?

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Mon, 21 Jul 2008 23:48:44 -0400, "jen" <jen@example.com> wrote:

>Microsoft patch knocks some ZoneAlarm users offline:

>**Firewall's hooks into Windows XP kernel the cause, says ZoneAlarm**

>http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108298

 

<quote>

The quickest way to regain Internet access, said the company, is to

uninstall the security update tagged as KB951748 using Windows' Add or

Remove Programs utility. Alternately, users could tweak ZoneAlarm's

firewall settings or reduce the security level of the machine.

<end-quote>

 

How responsible.....

 

 

<quote>

"We filter network traffic at the kernel, where malware can't avoid

us," said James Grant, a ZoneAlarm team lead. "If you filter traffic

in user mode, malware can see what we're doing."

<end-quote>

 

Yearh, right. As if malware wouldn't compromise the kernel as well....

 

 

<quote>

The problem notwithstanding, she defended kernel hooking. "It's

undocumented, but it's in widespread use. Every major security vendor

makes use of it," said Yecies.

<end-quote>

 

So does any serious malware writer....

 

 

<quote>

"This isn't about finger-pointing," said Yecies, when asked which

company was responsible for the snafu, ZoneAlarm or Microsoft. When

pressed, however, she acknowledged that Microsoft should have caught

the problem before issuing its security update.

<end-quote>

 

Yearh, right. "Don't make changes to your kernel without making sure

we didn't mess with it.".....

Guest Kerry Brown
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

> At this point some versions of Zone Alarm barfed. I don't use Zone Alarm

> so the rest of the story I gleaned from reading Zone Alarm forums and

> official announcements. The Zone Alarm application noticed that some

> Windows files had changed and decided not to allow these files to

> communicate to the Internet. It wasn't anything in the way the files

> worked, merely that they had changed, that caused the problem. Because

> these are system files Zone Alarm doesn't ask about them. Clearing the

> Zone Alarm database so that it would not think the files were changed

> fixed the problem. How is an OS supposed to update itself if it can't

> change files? The way that Zone Alarm monitors and responds to system file

> changes is flawed.

 

 

It looks like this may not be quite the whole story. There are conflicting

reports about exactly what caused Zone Alarm to barf. Some stories say it

was Zone Alarm's heuristics causing the problem. Others say the update broke

the way Zone Alarm uses unsupported methods to hack the kernel. Zone Alarm

hasn't commented officially that I can find. It doesn't really change

anything. It's merely a technical point of interest. The fault lays with

Zone Alarm if either reason is the cause.

 

--

Kerry Brown

MS-MVP - Windows Desktop Experience: Systems Administration

http://www.vistahelp.ca/phpBB2/

http://vistahelpca.blogspot.com/

Guest Harry Johnston [MVP]
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

Root Kit wrote:

> <quote>

> "We filter network traffic at the kernel, where malware can't avoid

> us," said James Grant, a ZoneAlarm team lead. "If you filter traffic

> in user mode, malware can see what we're doing."

> <end-quote>

>

> Yearh, right. As if malware wouldn't compromise the kernel as well....

 

Well ... if the user isn't an administrator, it won't. But what it *can* do is

hook itself into a program that's already allowed access, like your web browser.

 

Harry.

Guest Root Kit
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Wed, 23 Jul 2008 11:40:05 +1200, "Harry Johnston [MVP]"

<harry@scms.waikato.ac.nz> wrote:

>Root Kit wrote:

>

>> <quote>

>> "We filter network traffic at the kernel, where malware can't avoid

>> us," said James Grant, a ZoneAlarm team lead. "If you filter traffic

>> in user mode, malware can see what we're doing."

>> <end-quote>

>>

>> Yearh, right. As if malware wouldn't compromise the kernel as well....

>

>Well ... if the user isn't an administrator, it won't.

 

That's correct. Unless the firewall is so badly designed it allows the

malware to exploit it to gain SYSTEM credentials, that is.

 

But unfortunately running as administrator is what the vast majority

of windows users do.

Guest Kayman
Posted

Re: FIX for ZoneAlarm & KB951748 issue released

 

On Wed, 23 Jul 2008 07:28:16 GMT, Root Kit wrote:

> On Wed, 23 Jul 2008 11:40:05 +1200, "Harry Johnston [MVP]"

> <harry@scms.waikato.ac.nz> wrote:

>

>>Root Kit wrote:

>>

>>> <quote>

>>> "We filter network traffic at the kernel, where malware can't avoid

>>> us," said James Grant, a ZoneAlarm team lead. "If you filter traffic

>>> in user mode, malware can see what we're doing."

>>> <end-quote>

>>>

>>> Yearh, right. As if malware wouldn't compromise the kernel as well....

>>

>>Well ... if the user isn't an administrator, it won't.

>

> That's correct. Unless the firewall is so badly designed it allows the

> malware to exploit it to gain SYSTEM credentials, that is.

>

> But unfortunately running as administrator is what the vast majority

> of windows users do.

 

That is sadly true!

A timely reminder and friendly advice for all the lurkers out there running

on WinXP, please take notice :-)

The most dependable defenses are:

1. Do not work as Administrator; For day-to-day work routinely use a

Limited User Account (LUA).

2. Secure (Harden) your operating system.

3. Don't expose services to public networks.

4. Keep your operating (OS) system (and all software on it)updated/patched.

(Got SP3 yet?).

5. Reconsider the usage of IE and OE.

5a.Secure (Harden) Internet Explorer.

6. Review your installed 3rd party software applications/utilities; Remove

clutter, *including* 3rd party software personal (so-called) firewall

application (PFW) - the one which claims: "It can stop/control malicious

outbound traffic".

7. If on dial-up Internet connection, activate the build-in firewall and

configure Windows not to use TCP/IP as transport protocol for NetBIOS,

SMB and RPC, thus leaving TCP/UDP ports 135,137-139 and 445 (the most

exploited Windows networking weak point) closed.

7a.If on high-speed Internet connection use a router.

For the average homeuser it is suggested blocking both TCP and UDP ports

135 ~ 139 and 445 on the router and implement countermeasures against

DNSChanger.

8. Routinely practice Safe-Hex.

 

Also, ensure you do:

a. Regularly back-up data/files.

b. Familiarize yourself with crash recovery tools and re-installing your

operating system (OS).

b. Utilize a good-quality real-time anti-virus application and some vital

system monitoring utilities/applications.

c. Keep abreast of the latest developments.

 

And finally:

Most computer magazines and/or (computer) specialized websites are *biased*

i.e. heavely weighted towards the (advertisement) dollar almighty!

Therefore:

a. Don't fall for software applications touted in publications relying on

advertisement revenue.

b. Do take their *test-results* of various software with a *considerable*

amount of salt...!

c. ...Which also applies to their *investigative* test reports related to

any software applications.

d. Investigate claims made by software manufacturer *prior* downloading

their software; Specialized Newsgroups and/or Fora are a great way to

find out the 'nitty-gritties'.

 

Wanna know details? Go ahead and ask :-)

 

--

Security is a process not a product.

(Bruce Schneier)

×
×
  • Create New...