[14124] in bugtraq


Re: Zonealarm exports sensitive data

daemon@ATHENA.MIT.EDU (Dino Amato)
Wed Mar 1 20:43:08 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <002501bf8377$e3134120$050000c1@ss810>
Date:         Wed, 1 Mar 2000 07:15:50 -0500
Reply-To: Dino Amato <slayer67@APK.NET>
From: Dino Amato <slayer67@APK.NET>
X-To:         "Lampe, John W." <JWLAMPE@GAPAC.COM>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

In version 1.96 they have fixed this, they said, so that logging is disabled by
default.
From the release notes:

RELEASE 1.9.6 (this release)

. Issue:  ICEcap reporting can be inadvertently turned on without
  user knowledge.

  Resolution:  Fixed.  ICEcap reporting has been disabled on this
  release.  The entries inadvertently added in blackice.ini are
  automatically removed by this version of BlackICE.

----- Original Message -----
From: Lampe, John W. <JWLAMPE@GAPAC.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Monday, February 28, 2000 1:30 PM
Subject: Re: Zonealarm exports sensitive data


> Actually blackICE defender version 1.8.2.6 does not send anything
> "sensitive" in nature.  What I captured was such:
> 1) 3 way handshake
> 2) GET http://advice.networkice.com/advice/Intrusions/<number>
> 3) Error 302 ("Object Moved")
>     Location: <same as above but add "/" after <number>  >
> 4) GET http://advice.networkice.com/advice/Intrusions/<number>/
> 5) page is sent.
>
> Can you tell me which version you're running?
>
> John Lampe
>
> ----------
> From: Brett Glass[SMTP:brett@LARIAT.ORG]
> Reply To: Brett Glass
> Sent: Friday, February 25, 2000 8:17 PM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: Zonealarm exports sensitive data
>
> It should be noted that BlackICE Defender, a competitive product,
> does precisely the same thing if one clicks on the "AdvICE" button.
> Since the attack information displayed by the program's graphical
> interface is quite brief (there's more in the log files, but
> only sophisticated users will know how to find and read them),
> users are strongly motivated to click the button.
>
> I do not know whether the URLs sent by either product are being
> used to gather statistics on the frequency of attacks or as a
> means of piracy detection. They certainly could be, if the vendors
> had a mind to do so.
>
> --Brett Glass
>
> At 12:40 AM 2/25/2000 , Andrew Daviel wrote:
>
> >ZoneAlarm by zonelabs.com can export possibly sensitive data if
> >the "More Info" button is clicked from an alert.
> >
> >ZoneAlarm is a personal dynamic firewall for Windows 9x/NT.
> >When a rule is triggered (typically an inbound connection to
> >an unregistered or alarmed service) an alert box appears with a brief
> >description of the event and a button labelled "More Info". When this
> >is clicked a URL is passed to the user's Web browser sending information
> >to Zone Labs' server for more detailed explanation.
> >
> >Currently (version 2.0.26) the information passed includes:
> >Source Address and Port
> >Destination Address and Port
> >Operating system version
> >Firewall version
> >Whether the connection was blocked
> >The lock status of the firewall
> >
> >All this information is sent in clear as an HTTP GET request (port 80).
> >
> >It could possibly be seen on the Internet in transit or in proxy logs, and
> >may include information about machines on an internal network inside a
> >corporate firewall. The request itself could be blocked by ZoneAlarm, but
> >it is likely that the setting for the Web browser would allow it to access
> >the external network (Internet).
> >
> >It is fairly simple to edit the .EXE file to disable this feature, or
> >to redirect it to a local server.
> >
> >(IMO the benefits from using the product outweigh the risks of this data
> >leak....)
> >
> >Andrew Daviel
> >Vancouver Webpages etc.
>
>
>
> Thanks,
>
> John Lampe
>
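
The thread's concern, that a "More Info" style GET request can carry internal addresses into proxy logs, can be checked for on the defender's side. The following is an added example, not part of the original messages or of either vendor's code: it scans proxy log lines for outbound GET URLs whose query strings contain RFC 1918 addresses. The log layout, host names and parameter names are constructed assumptions, since the thread does not give the real URL format.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log lines: client, method, URL. Host names and query
# parameter names are made up; the thread does not show the real ones.
SAMPLE_LOG = """\
10.1.4.22 GET http://vendor.example/moreinfo?src=203.0.113.9:1044&dst=10.1.4.22:139&os=Win98&blocked=1
10.1.4.30 GET http://www.example.org/index.html
10.1.4.31 GET http://vendor.example/moreinfo?src=198.51.100.7:4000&dst=192.168.7.15:27374&blocked=1
10.1.4.40 GET http://search.example/q?term=1.2.3
"""

# RFC 1918 ranges: addresses that identify hosts behind the corporate firewall.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A dotted quad anywhere inside a parameter value (a trailing :port is ignored).
ADDR_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def internal_addresses(url):
    """Return (parameter, address) pairs for RFC 1918 addresses found in the
    URL's query string."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for match in ADDR_RE.finditer(value):
            try:
                addr = ipaddress.IPv4Address(match.group(1))
            except ipaddress.AddressValueError:
                continue  # looks like a dotted quad but is not a valid address
            if any(addr in net for net in INTERNAL_NETS):
                hits.append((name, str(addr)))
    return hits

def scan_proxy_log(text):
    """Return (client, url, hits) for each GET that exposes an internal
    address in its query string."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] != "GET":
            continue
        client, _, url = parts
        hits = internal_addresses(url)
        if hits:
            findings.append((client, url, hits))
    return findings

if __name__ == "__main__":
    for client, url, hits in scan_proxy_log(SAMPLE_LOG):
        print(client, urlsplit(url).hostname, hits)
```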
