BugTraq
Re: [sec-labs] Zone Alarm Device Driver vulnerability Aug 07 2003 02:27AM
Corey Bridges (cbridges zonelabs com)
In-Reply-To: <20030804214610.5a04e2e8.noreply (at) sec-labs.hack (dot) pl>

Following is the official Zone Labs response to this report by Lord YuP.

Corey Bridges
Chief Editor of E-Communities
Zone Labs, Inc.
(v) 415.341.8355
(f) 415.341.8299

***

Zone Labs response to Device Driver Attack

OVERVIEW: This vulnerability describes a way to send unauthorized
commands to a Zone Labs device driver and potentially cause unexpected
behavior. This proof-of-concept exploit represents a relatively low risk
to Zone Labs users. It is a "secondary" exploit that requires physical
access to a machine or circumvention of other security measures included
in Zone Labs consumer and enterprise products to exploit. We are working
on a fix and will release it within 10 days.

EXPLOIT: The demonstration code is a proof-of-concept example that
describes a potential attack against the Zone Labs device driver that is
part of the TrueVector client security engine. In the exploit, a malicious
application sends unauthorized commands to this device driver. The author
also claims that this could potentially compromise system security. While
we have verified that unauthorized commands could be sent to the device
driver, we have not been able to verify that this exploit can actually
affect system security. The code sample published was intentionally
incomplete, to prevent malicious hackers from using it.

RISK: We believe that the immediate risk to users from this exploit is
low, for several reasons: this is a secondary attack, not a primary
vulnerability created or allowed by our product. Successful exploitation
of this vulnerability would require bypassing several other layers of
protection in our products, including the stealth firewall and/or MailSafe
email protection. To our knowledge, there are no examples of malicious
software exploiting this vulnerability. Further, the code sample was
written specifically to attack ZoneAlarm 3.1, an older version of our
software.

SOLUTION: Security for our users is our first concern, and we take reports
of this kind seriously. We will be updating our products to address this
issue by further strengthening protection for our device driver and will
make these updates available in the next 10 days. Registered users who
have enabled the "Check for Update" feature in ZoneAlarm, ZoneAlarm Plus,
or ZoneAlarm Pro are informed by the software automatically whenever a new
software update is released. Zone Labs will provide guidance to Integrity
administrators regarding updating their client software.

CONTACT: Zone Labs customers who are concerned about the proof-of-concept
Device Driver Attack or have additional technical questions may reach our
Technical Support group at:

http://www.zonelabs.com/store/content/support/support.jsp

ACKNOWLEDGEMENTS: Zone Labs would like to thank Lord YuP for bringing this
issue to our attention. However, we would prefer to be contacted at
security (at) zonelabs (dot) com prior to publication, in order to allow us to
address any security issues up front.
