ZoneAlarm pros and cons

[Syn_Flood]

Heres another con - Zonealarm Security Suite doesn't let me end ANY processes, and vsmon.exe takes up half my cpu on 1.8ghz machine.

It should be noted that these problems are NOT due to configuration errors.

[Syn_Flood]

  PseudoRandomDragon said:

ZoneAlarm Random UDP Flood Denial Of Service Vulnerability (Vulnerabilities)

ZoneLabs basically said it was all bullcrap.

And one of the top security websites says it wasn't, and offers code to exploit it.

What, you think a software security firm would reveal that their flagship security product can be bypassed by sending random packets? Tsk, tsk. :no: Think again.

[PseudoRandomDragon]

ZoneLabs basically said that system resources go up slightly during the test and stop logging alerts, but that is it. The most it will do is clog the internet connection. I even tested it against myself. Same results. If you are willing to search, ZoneLabs made a statement.

[PseudoRandomDragon]

Wait, what was I thinking! Of course you aren't willing to search. Well, here ya go:

http://www.securityfocus.com/archive/1/336...31/2003-09-06/2

  Quote

ZONE LABS SECURITY ADVISORY

DENIAL OF SERVICE REPORT

OVERVIEW

Zone Labs has found no evidence that, under real-world conditions, its

products are vulnerable to the Denial of Service attack described by

HackologyTeam yahoo com at the BugTraq site and mailing list. There is

also no evidence that Zone Labs products are vulnerable to the similar

attack described by sprog online ru in the follow-up post to BugTraq.

Date Published: September 3, 2003

EFFECT ON ZONE LABS USERS

Little or none.

ZONE LABS PRODUCTS

Zone Labs tests do not show that computers employing Zone Labs Integrity?,

ZoneAlarm? Pro, ZoneAlarm Plus, and ZoneAlarm security products are

vulnerable to this attack in real-world situations.

DESCRIPTION

This Denial of Service (DoS) attempt sends a barrage of UDP packets to a

PC protected with ZoneAlarm 3.7 or ZoneAlarm Pro 4.0.The vulnerability

reporter claims that this packet flood causes the target PC to hang. Zone

Labs' testing did NOT show this under real-world conditions (described

below).> In the vulnerability report, the attacker included the Perl script

to launch the attack. Other important information, such as type of PC and

connection speed, was not specified.

IMPACT

Because the initial report lacked important information, Zone Labs tested

the Perl script on multiple PCs with a variety of network speeds. We were

unable to replicate the results the testers claim. We noted the following

results:

1) While we have seen a somewhat higher CPU usage and related slow-down on

the target machine, we have not seen anything resembling a DoS attack. The

largest slowdown occurred on a direct computer-to-computer 100-MBit

network. Even in that setup, we never observed a complete freeze under any

conditions. (Nor were other methods of UDP flooding effective.) For a 

real-world DoS attack to succeed, it would need to be effective at much

slower connection speeds more typical for Internet connections (for

example, 1.5-MBit for a T1 or DSL connection).

2) Zone Labs Integrity, ZoneAlarm, ZoneAlarm Plus, and ZoneAlarm Pro were

not disabled as a result of the attacks, and the security of the test

machines was never compromised by the attempted DoS attack. Once the

attempted attacks stopped, the CPU usage went down to normal levels

immediately. >

RECOMMENDED ACTIONS

Install any Zone Labs product to protect against UDP-flood attacks. Zone

Labs' tests did not show a Denial of Service result. We will be addressing

the relatively minor performance issues in upcoming releases. Note that in

the typical definition of a Denial of Service attack, the target is a

server PC (whose service is thus denied). ZoneAlarm, ZoneAlarm Plus, and

ZoneAlarm Pro are not designed to protect server platforms. The following

supported platform list applies to Zone Labs products:

http://www.zonelabs.com/store/content/supp...AQ.jsp#9general

RELATED RESOURCES

BugTraq posting: http://www.securityfocus.com/archive/1/335830/2003-08-

30/2003-09-05/0

CREDITS

This report first appeared on the BugTraq vulnerability list. Zone Labs

adheres to the vulnerability disclosure guidelines found at

http://www.wiretrip.net/rfp/policy.html. These guidelines specify

informing a vendor before public disclosure of a possible vulnerability,

so a security fix may be created to protect users before malicious

software takes advantage of the exploit. We encourage all vulnerability

reporters to follow the same procedure. To report a vulnerability, please

send an email to security zonelabs com

CONTACT

Zone Labs customers who are concerned about this issue or have additional

technical questions may reach our Technical Support group at:

http://www.zonelabs.com/store/content/support/support.jsp.

COPYRIGHT © 2003 by Zone Labs Incorporated

Permission to redistribute this alert electronically is granted as long as

it is not edited in any way unless authorized by Zone Labs. Reprinting the

whole or part of this alert in any medium other than electronically

requires permission from Zone Labs.

>

>

>

># Overview :

>#

># ZoneAlarm is a firewall software

># package designed for Microsoft Windows

># operating systems that blocks intrusion

># attempts, trusted by millions, and has

># advanced privacy features like worms,

># Trojan horses, and spyware protection.

># ZoneAlarm is distributed and maintained

># by Zone Labs.http://www.zonelabs.com

>#

># Details :

>#

># ZoneAlarm was found vulnerable to a

># serious vulnerability leading to a

># remote Denial Of Service condition due

># to failure to handle udp random

># packets, if an attacker sends multiple

># udp packets to multiple ports 0-65000,

># the machine will hang up until the

># attacker stop flooding.

[blik]

  Quote

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>

Surely it would have been removed by now if it wasnt really vulnerable??

[Syn_Flood]

  PseudoRandomDragon said:

Wait, what was I thinking! Of course you aren't willing to search. Well, here ya go:

http://www.securityfocus.com/archive/1/336...31/2003-09-06/2

Well, you're not willing to read, are you? The URL you linked to is just an html-published forum reply. And guess who the author is? ZONE LABS.

So we're back to the obvious statement. Zone Labs would never admit that there was a huge hole in their flagship product, and that it could be exploited by sending random packets.

Also, note the statement under the "credits" section. They're complaining because SecurityFocus published this exploit before informing Zone Labs. Why would they complain about this if the point was moot?

Try again. :no:

[PseudoRandomDragon]

Um, I tested it myself. And yes ZoneLabs would admit it, because they did admit the SMTP vulnerability.

ZoneLabs, along with any other security company, wants to be the first informed of possible vulnerabilites because if the vulnerability were real, their customers would be at risk. Fortunately, it wasn't.

You ZoneAlarm bashers are so silly.

Edited May 13, 2004 by PseudoRandomDragon

[SimplyPotatoes]

i love you pseudorandomdragon

[stncttr908 Veteran]

You forgot to add "If you forget to configure a game with it before you play it then you won't be able to get back to your desktop to click the ****ing 'allow access' button so you have to hard reset your computer or try in some other way to restart it" to the cons. :rolleyes:

[Fred Derf Veteran]

Zone Alarm is only for techies. Not techie people just end up clicking yes to everything to make the popups go away.

[PseudoRandomDragon]

A valid complaint stncttr, that popup is annoying. Same with the privacy advisor. It wouldn't be so bad except it causes your computer to switch focus to the popup, so that causes the game to mimimize or mess up.

I recommend configuring the firewall beforehand, otherwise it is going to get in your way.

[NeoSigma]

  stncttr908 said:

You forgot to add "If you forget to configure a game with it before you play it then you won't be able to get back to your desktop to click the ****ing 'allow access' button so you have to hard reset your computer or try in some other way to restart it" to the cons. :rolleyes:

Alt-Tab? :huh:

Works for me atleast. :happy:

[stncttr908 Veteran]

  PseudoRandomDragon said:

I recommend configuring the firewall beforehand, otherwise it is going to get in your way.

I usually do, but sometimes when I get that brand new game in my hands I get rather forgetful. :D

  Quote

Alt-Tab? :huh:

It doesn't always work. :(

[FiREFLi]

  PseudoRandomDragon said:

Can't open ports for the free version.

thanks for info. is there a free firewall that does allow you to open specific ports?

[Syn_Flood]

  fr3ak said:

thanks for info. is there a free firewall that does allow you to open specific ports?

iptables? :p

[Syn_Flood]

  fred666 said:

Zone Alarm is only for techies. Not techie people just end up clicking yes to everything to make the popups go away.

You must be a tad confused. Zonealarm is not for techies. Any moron can use it. A Cisco PIX firewall is for techies.

[Master Of Puppets]

I use ZoneAlarm Pro. (cant share my way of getting it) Its great. BUT when ya are gaming and an access request pops up it either minimizes your game screen or exits it. (with 2K Pro and XP SP1)

Edited May 13, 2004 by Master Of Puppets

[rumbleph1$h]

  Master Of Puppets said:

Who the hell buys things anymore? You download the free of ZoneAlarm and then get a serial from Kazaa for Pro. Thats what I did.

Read the rules buddy:

  Quote

No Warez (links) & Cracks: help, requests or posts that discuss circumvention. This includes linking to software, posting about it, and suggesting to get it.

[Master Of Puppets]

n00b mistake. :blush: Modified.

[Fred Derf Veteran]

  Syn_Flood said:

You must be a tad confused. Zonealarm is not for techies. Any moron can use it. A Cisco PIX firewall is for techies.

You must have never installed ZoneAlarm for somebody else. I tell them if you don't know what is asking for the internet, just say no. But they never do. I go back a month later and all this crap is in their allow list.

[PseudoRandomDragon]

ZoneAlarm Pro can be difficult and easy at the same time. I can configure it in 5min and most people only need to know what is in program control and privacy settings. However, real newbies don't have common sense, a big disadvantage. There is also a lot of extra stuff you can tinker with. Open process control, expert rules, etc.