[18381] in bugtraq
Re: Advisory:Multiple Vulnerabilities in ZoneAlarm
daemon@ATHENA.MIT.EDU (bacano)
Tue Jan  2 12:46:30 2001
Message-ID:  <002101c0726e$81726220$9b0a16c3@piii550>
Date:         Sat, 30 Dec 2000 14:40:46 -0000
Reply-To: bacano <bacano@ESOTERICA.PT>
From: bacano <bacano@ESOTERICA.PT>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi2all

The original post of these supposed vulnerabilities didn't give me any
concern since the tiny window here was a little more tiny than the one
reported (no DSL or cable, no win2k or NT), but after it I did some
tests.

So far, since no other kind of attack was made (yet?), I can say that scans
on port 1080 (tcp) are not detected. I don't have any wingate (or whatever)
running, but many home users that are using ZoneAlarm, or ZoneAlarmPro
(tested version), may have one. Even if they are not vulnerable, they are
losing the chance to detect, log and report some attacks. Since attacks on
1080 are a very well known reality, even if there isn't a chance for a
success of the attacker, this should be logged and reported to the proper
authorities. Users (only) using ZoneAlarm or ZoneAlarm Pro can't do so, then
I suppose there is a(some) real problem(s) here.

Just a note, I didn't 'test myself' using another box, I did put a box
connected on some wild places to see what may happen. A truly lame version
of the Honeypot project I must say, but for the purpose it worked =;o)

[12/29/2000 22:07:03.830 GMT] Connection: xxxxx.xxxxx.xx (xxx.xxx.xxx.xxx) on port 1080 (tcp).
[12/29/2000 22:07:03.830 GMT] Disconnect: xxxxx.xxxxx.xx (xxx.xxx.xxx.xxx) on port 1080 (tcp).
[12/29/2000 22:07:03.830 GMT] Port 1080 (tcp) is now disabled for 60 seconds.

(from 'oldie' NukeNabber, after traffic from untrusted host was detected and
ZoneAlarm shutdown)
[  ]'s bacano
----- Original Message -----
From: "Stephen M. Milton" <milton@ISOMEDIA.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Wednesday, December 27, 2000 6:30 PM
Subject: Re: Advisory:Multiple Vulnerabilities in ZoneAlarm
> > Whereas I agree it would be desirable for ZoneLabs to fix any notified
> > vulnerabilities, I share the view that in terms of RISK the issue is of
> > limited importance until an exploit can be devised that can take advantage
> > of the theoretical weakness.
>
> This is a terrible idea.  The concept that a bug should not be fixed until
> AFTER an exploit has been found and demonstrated is ludicrous.  Security
> bugs are especially important to fix BEFORE the exploit has been created.
>
> 2cents.
>
> Stephen Milton
> Vice President
> ISOMEDIA, Inc.
>