FIX for ZoneAlarm & KB951748 issue released

Root Kit

The point to be made is that before XP was released third party firewall
products were the only alternative to hardware firewalls

That's not entirely true. You are missing the obvious (and in fact
most secure) alternative of shutting down the unneeded network
services (which should of course have been the windows default
setting). I used to run a W2K machine with a direct Internet
connection without any inbound "protection" at all and without
problems for several years. And to be honest, still today I wouldn't
lose any sleep over operating a hardened W2K client machine directly
on the net.
These were trusted applications from trusted companies.

I guess that's an opinion open for debate.
Then, overnight, just because Windows XP was released, in the eyes of a
zealous few these companies became villains peddling worthless products!

That's also not true. They were highly criticized among specialists
already before that. It's just hard to get through the marketing
noise.
A couple of individuals decided to tar and feather a whole ISV group with the same
wide brush! That is wrong, absolutely wrong, and the attack on some of
those ISVs is completely unwarranted, those ISVs were trusted companies
the day before XP hit the market and they were no less trustworthy the
day after XP was released. Much of the hype against those ISVs is
nothing more than blind zealotry!

I think it's absolutely fair that some people stand up against the
obvious hype and in cases utter nonsense that the marketing
departments of these companies were and are still using to fool less
knowledgeable users into buying their products. I find it a bit
worrying that an MVP does not have the technical insight to see
through the smoke.

I've asked this before without getting any responses: Why are there no
web pages with listings of personal firewall software available for
Linux? Well, don't bother. I already know the answer.

Please understand that I'm not in any way trying to "defend" MS. I
fully recognize that windows has its serious security flaws. But when
claiming that it can be made more secure by adding further highly
questionable code to it, one has stepped away from technical sense and
into emotional reasoning - often backed by non-applicable analogies.
There is also a developing and troubling trend in this whole debate, one
that some people are bent on spreading at all costs, that because
software firewalls are not immune to exploits by malware attempting to
send data to outside networks, then by simple deduction any and all
egress filtering as a security concept is unnecessary.

Who is that? - I for sure have not been spreading that thought.
Egress filtering at the perimeter, done by reliable network appliances, is a vital part
of network security,

Agreed.
 
Root Kit

Yes, as I had mentioned many times previously - *Prior NT*!

In fact even the windows 9x platform usually didn't need any packet
filtering. You'd just have to unbind any network service from your
network interface that you didn't want.
 
John John (MVP)

Kayman said:
Fact:
The only reasonable way to deal with malware is to prevent it from being
run in the first place. That's what AV software or Windows' System
Restriction Policies are doing. And what 3rd party Personal (so-called)
Firewalls fail to do!

John John (MVP), would you please educate and inform yourself by studying
publications not associated with any COMMERCIAL influence. Additionally,
the authors of these publications can be contacted....why don't you bite
the bullet and do so? It'll brighten your horizon and you could pass on
your newly acquired knowledge to this and other newsgroups.

Only a fool would claim that proper egress control has no place in
network security. Even the experts at Microsoft advise users to protect
their data with egress control. You, of course, also know better than
the folks at Microsoft.

John
 
Root Kit

Only a fool would claim that proper egress control has no place in
network security. Even the experts at Microsoft advise users to protect
their data with egress control.

Besides the fact that "Only a fool would claim..." marks the
beginning of a non-argument - who are you addressing here? I don't
recall anyone making the claim you're stating.
 
Kayman

Only a fool...

You just can't help yourself, can you.
Name calling does not hide your immaturity.
...would claim that proper egress control has no place in network security.

Where precisely did I claim that?
Even the experts at Microsoft advise users to protect their data with
egress control.

Which 3rd party personal (so-called) firewall is MSFT recommending?
Where are links, URL's, publications?
You, of course, also know better than the folks at Microsoft.

Your assumption is nothing but an assumption (you've got to replace that
crystal ball). And who in particular from MSFT are you referring to? I'd be
genuinely interested to read their write-ups. If you're referring to the
authors already mentioned in this thread, please point me to their
publication(s) which state that 3rd party personal (so-called) firewall is
an effective tool for controlling egress traffic.
It seems you are either totally not understanding my point or deliberately
evading the issue!
MSFT knows exactly well that outbound application protection is an
illusion, which is why they don't offer such a (phony-baloney) thing.
Unlike you, they understand the nature of their operating system, and are
even honest enough to admit that outbound control is way too unreliable.
Even commercial enterprises like Sunbelt, makers of Kerio and Steve Gibson
of Gibson Research Corporation have finally conceded this fact!
Now don't change directions here and twist this straightforward post into
convoluted psychedelic drivel.
John John (MVP), WHERE IS THE BEEF? SHOW US THE MONEY! PUT UP OR SHUT UP!
 
Paul (Bornival)

Kayman said:
Informative reading:

Dan Kaminsky Discovers Fundamental Issue In DNS: ...

Thank you. But I have actually read all those documents. What I was
interested in was to understand the technical (real) reason for the
incompatibility of ZA with KB951748.
 
Paul (Bornival)

Harry Johnston said:
I believe there is some information on the ZoneAlarm forums, and there's been a
fair bit of discussion in microsoft.public.windowsupdate.

The quick summary, as I understand it, is that ZoneAlarm couldn't cope with the
fact that the update modified some of the system files associated with internet
access. It wasn't anything specific about the way they were changed, simply the
fact that they had changed.

Harry.


Thank you for your reply. I checked these forums but could not find
specific information. Do you know which files were modified and why ZA could
not cope with them?
 
John John (MVP)

Kayman said:
You just can't help yourself, can you.
Name calling does not hide your immaturity.

Where precisely did I claim that?

Which 3rd party personal (so-called) firewall is MSFT recommending?
Where are links, URL's, publications?

Your assumption is nothing but an assumption (you've got to replace that
crystal ball). And who in particular from MSFT are you referring to? I'd be
genuinely interested to read their write-ups. If you're referring to the
authors already mentioned in this thread, please point me to their
publication(s) which state that 3rd party personal (so-called) firewall is
an effective tool for controlling egress traffic.
It seems you are either totally not understanding my point or deliberately
evading the issue!
MSFT knows exactly well that outbound application protection is an
illusion, which is why they don't offer such a (phony-baloney) thing.
Unlike you, they understand the nature of their operating system, and are
even honest enough to admit that outbound control is way too unreliable.
Even commercial enterprises like Sunbelt, makers of Kerio and Steve Gibson
of Gibson Research Corporation have finally conceded this fact!
Now don't change directions here and twist this straightforward post into
convoluted psychedelic drivel.
John John (MVP), WHERE IS THE BEEF? SHOW US THE MONEY! PUT UP OR SHUT UP!

You constantly shift the discussion from the value of proper egress
filtering to software firewalls, even though I have said right from the
start that egress filtering at the firewall can be foiled and that users
should consider better methods. So get it in your thick skull, egress
filtering at a perimeter appliance is a sound security measure, even the
folks at Microsoft will tell you this:
http://msdn.microsoft.com/en-us/library/aa302431.aspx

Now maybe you should read what it says there and get a grip on yourself,
you don't know all that there is to know about network security and data
protection! Quite frankly you should not be one to speak of drivel, you
spew enough of it yourself! If you are really too stupid to recognize
the purpose and usefulness of egress traffic control then you are indeed
lacking in the basics of network and data security!

John
 
Harry Johnston [MVP]

John said:
You constantly shift the discussion from the value of proper egress
filtering to software firewalls, even though I have said right from the
start that egress filtering at the firewall can be foiled and that users
should consider better methods. So get it in your thick skull, egress
filtering at a perimeter appliance is a sound security measure, [...]

As far as I recall, nobody in this thread has ever said otherwise. The
discussion is about software firewalls, after all!

Harry.
 
Harry Johnston [MVP]

Paul said:
Thank you for your reply. I checked these forums but could not find
specific information. Do you know which files were modified and why ZA could
not cope with them?

The Microsoft KB article describes the files that the update replaces:

http://support.microsoft.com/kb/951748

I haven't confirmed this myself, but my understanding is that ZA assumed that
the changes were due to malware infection and refused to use the files.

Harry.
 
Paul (Bornival)

Oh, thank you.
Any idea why ZA assumed those changes were due to malware infection? I like
to know the details since, after all, software is not "magic" but something
made by a human (and therefore, intelligible by another human) to be used by
a machine (and not the opposite).
Paul.
 
Root Kit

I haven't confirmed this myself, but my understanding is that ZA assumed that
the changes were due to malware infection and refused to use the files.

Firewalls should just deal with network traffic. The fact that ZA has
to resort to HIPS technology speaks volumes about what business they
got themselves into.
 
John John (MVP)

Harry said:
John said:
You constantly shift the discussion from the value of proper egress
filtering to software firewalls, even though I have said right from
the start that egress filtering at the firewall can be foiled and that
users should consider better methods. So get it in your thick skull,
egress filtering at a perimeter appliance is a sound security measure,
[...]


As far as I recall, nobody in this thread has ever said otherwise. The
discussion is about software firewalls, after all!

Harry.

Read Kayman's posts, specifically:

John said:

Kayman said:
Fact:
Outbound control on an XP platform as a security measure against malware is
still utter nonsense.
The windows platform was designed with usability in mind providing all
kinds of possibilities for e.g. inter-process communication. This
together with the very high probability that the user is running with
unrestricted rights makes it impossible to prevent malware allowed to
run and determined to by-pass any outbound "control" (which, of course
modern malware is) from doing so. It's simply too unreliable to
qualify as a security measure.

Does that not say that "any" outbound control (egress control) is "utter
nonsense that is too unreliable to qualify as a security measure"? The
comment was made in direct reply to my statement that egress filtering
at the perimeter was a vital part of network security, how else can you
interpret Kayman's reply?

John
 
Kayman

Thank you. But I have actually read all those documents. What I was
interested in was to understand the technical (real) reason for the
incompatibility of ZA with KB951748.

Don't know (can't locate) any technical reasons re incompatibility. My guess
is that ZA just did not realize the impact KB951748 would have on their
software. For the ZA users, this actually would be an interesting question
to ask in their forum.
 
Anthony Buckland

Kayman said:
Don't know (can't locate) any technical reasons re incompatibility. My guess
is that ZA just did not realize the impact KB951748 would have on their
software. For the ZA users, this actually would be an interesting question
to ask in their forum.

Believe me, it's been all over the ZoneAlarm forum. The first thing
you see now when you enter the forum is a

G R E A T B I G W A R N I N G

about the situation and its fix.
 
Harry Johnston [MVP]

Read Kayman's posts, specifically:

[John John quoting Kayman:] "Fact: Outbound control on an XP platform as a
security measure against malware is still utter nonsense. The windows platform
was designed with usability in mind providing all kinds of possibilities for
e.g. inter-process communication."

Kayman is obviously talking about software firewalls here, since otherwise IPC
would be irrelevant. I can't speak for Kayman, of course, but I'd guess he
simply missed the fact that you'd unexpectedly changed the subject.

... on the other hand, and speaking only for myself, I don't see how external
egress filtering is going to help much; how is the device to distinguish between
legitimate and illegitimate traffic? (Well, OK, there's the obvious case of
spam engines, but apart from that ...)

Harry.
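Harry's question above (how a perimeter device tells legitimate from illegitimate outbound traffic when it cannot see which program sent the packet) is answered in practice by a default-deny egress allow-list keyed on source host, destination port and protocol: only the resolver may talk DNS, only the mail relay may talk SMTP, only the proxy may talk HTTP(S), and denied flows are counted per host as a detection signal. The Python block below is an added illustration written for this edit; it is not code from the thread or from any product named in it, and the addresses, rules and sample flows are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # internal source address (constructed)
    dst: str      # external destination address (constructed)
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str            # CIDR the rule applies to
    dport: Optional[int]    # None matches any port
    proto: Optional[str]    # None matches any protocol


# Constructed allow-list for an internal 10.0.0.0/8 network. The perimeter
# box never sees which application generated a packet; it can only key on
# where the packet comes from, where it goes and which service port it uses.
# Evaluated top-down, first match wins; anything unmatched is dropped
# (default-deny egress).
EGRESS_ALLOW: List[Rule] = [
    Rule("dns-only-from-internal-resolver", "10.0.0.53/32", 53, None),
    Rule("smtp-only-from-mail-relay", "10.0.0.25/32", 25, "tcp"),
    Rule("https-only-via-proxy", "10.0.0.8/32", 443, "tcp"),
    Rule("http-only-via-proxy", "10.0.0.8/32", 80, "tcp"),
    Rule("ntp-from-any-internal-host", "10.0.0.0/8", 123, "udp"),
]


def evaluate(flow: Flow, policy: List[Rule] = EGRESS_ALLOW) -> Tuple[str, str]:
    """Return ('allow', rule_name) for the first matching rule, else ('deny', 'default')."""
    src = ip_address(flow.src)
    for rule in policy:
        if src not in ip_network(rule.src_net):
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        if rule.proto is not None and rule.proto != flow.proto:
            continue
        return "allow", rule.name
    return "deny", "default"


def denied_by_source(flows: List[Flow], policy: List[Rule] = EGRESS_ALLOW) -> Dict[str, int]:
    """Count denied flows per internal host: a detection feed, not just a drop."""
    counts: Dict[str, int] = {}
    for flow in flows:
        if evaluate(flow, policy)[0] == "deny":
            counts[flow.src] = counts.get(flow.src, 0) + 1
    return counts


# Constructed sample flows: three legitimate infrastructure hosts and one
# workstation that tries to reach services it has no business reaching.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.53", "198.51.100.1", 53, "udp"),     # resolver -> upstream DNS: allowed
    Flow("10.0.0.25", "203.0.113.10", 25, "tcp"),     # mail relay -> remote MX: allowed
    Flow("10.0.0.8", "203.0.113.20", 443, "tcp"),     # proxy -> web site: allowed
    Flow("10.0.1.15", "203.0.113.10", 25, "tcp"),     # workstation SMTP direct (Harry's spam-engine case): denied
    Flow("10.0.1.15", "198.51.100.1", 53, "udp"),     # workstation skipping the internal resolver: denied
    Flow("10.0.1.15", "203.0.113.20", 443, "tcp"),    # workstation skipping the proxy: denied
    Flow("10.0.1.15", "198.51.100.123", 123, "udp"),  # workstation NTP: allowed
]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  {evaluate(f)}")
    print("denied per host:", denied_by_source(SAMPLE_FLOWS))
```

The point of `denied_by_source` is that on a real appliance the deny log is as valuable as the drop itself: a workstation that repeatedly tries to speak SMTP or DNS directly to the Internet is exactly the host worth looking at, whichever program on it generated the traffic.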
 
Harry Johnston [MVP]

Paul said:
Any idea why ZA assumed those changes were due to malware infection.

I would guess it simply assumed that /any/ change to the network stack must be
due to malware. The real answer may be more complex than this, but only the
developers could provide it.

Harry.
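Harry's guess above is that the product treated any change to the network-stack files as malicious. The block below is an added, constructed illustration of why a bare hash-baseline check misfires on a legitimate update, and of the usual remedy: reconcile the baseline against an update manifest that the vendor has authenticated before raising an alarm. It is not ZoneAlarm's logic, the file names and contents are invented, and an HMAC under a shared demo key stands in for a real vendor signature.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed "system files" as name -> content. A real product hashes files on disk.
PRE_UPDATE: Dict[str, bytes] = {
    "netstack_a.dll": b"version 1 of component A",
    "netstack_b.dll": b"version 1 of component B",
    "unrelated.dll": b"version 1 of something else",
}

# Constructed demo key; in practice this would be a vendor public key and a signature.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the known-good hash of every file before any update."""
    return {name: sha256(data) for name, data in files.items()}


def sign_manifest(expected: Dict[str, str], key: bytes = VENDOR_KEY) -> dict:
    """Bind the post-update hashes to the vendor key (HMAC stands in for a signature)."""
    body = json.dumps(expected, sort_keys=True).encode()
    return {"files": expected, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes = VENDOR_KEY) -> bool:
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_mac, manifest["mac"])


def naive_check(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """The heuristic Harry describes: every changed hash is reported as suspicious."""
    return sorted(n for n, data in current.items() if baseline.get(n) != sha256(data))


def reconciled_check(baseline: Dict[str, str], current: Dict[str, bytes],
                     manifest: Optional[dict]) -> Dict[str, List[str]]:
    """Classify each change as 'expected' (matches an authenticated manifest entry)
    or 'unexpected' (no authenticated manifest vouches for the new hash)."""
    trusted = manifest["files"] if manifest and manifest_is_authentic(manifest) else {}
    result: Dict[str, List[str]] = {"expected": [], "unexpected": []}
    for name, data in sorted(current.items()):
        digest = sha256(data)
        if baseline.get(name) == digest:
            continue  # unchanged
        if trusted.get(name) == digest:
            result["expected"].append(name)
        else:
            result["unexpected"].append(name)
    return result


def scenario_legitimate_update():
    """A vendor update replaces two network-stack files and ships a signed manifest."""
    baseline = take_baseline(PRE_UPDATE)
    updated = dict(PRE_UPDATE)
    updated["netstack_a.dll"] = b"version 2 of component A"
    updated["netstack_b.dll"] = b"version 2 of component B"
    manifest = sign_manifest({n: sha256(updated[n]) for n in ("netstack_a.dll", "netstack_b.dll")})
    return naive_check(baseline, updated), reconciled_check(baseline, updated, manifest)


def scenario_unexpected_change():
    """A file changes with no manifest at all: both checks should report it."""
    baseline = take_baseline(PRE_UPDATE)
    modified = dict(PRE_UPDATE)
    modified["unrelated.dll"] = b"content that no authenticated manifest vouches for"
    return naive_check(baseline, modified), reconciled_check(baseline, modified, None)


def scenario_wrong_key_manifest():
    """A manifest MACed under a different key must not whitelist anything."""
    baseline = take_baseline(PRE_UPDATE)
    updated = dict(PRE_UPDATE)
    updated["netstack_a.dll"] = b"version 2 of component A"
    bogus = sign_manifest({"netstack_a.dll": sha256(updated["netstack_a.dll"])}, key=b"some-other-key")
    return reconciled_check(baseline, updated, bogus)


if __name__ == "__main__":
    print("legitimate update:", scenario_legitimate_update())
    print("unexpected change:", scenario_unexpected_change())
    print("wrong-key manifest:", scenario_wrong_key_manifest())
```

The naive check cannot distinguish the first scenario from the second; the reconciled check only quiets the alarm when the new hash is exactly the one an authenticated manifest names, so a changed file without such an entry, or a manifest under the wrong key, is still reported.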
 
Harry Johnston [MVP]

jen said:
Microsoft patch knocks some ZoneAlarm users offline:
**Firewall's hooks into Windows XP kernel the cause, says ZoneAlarm**
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108298

Thanks. This description doesn't gibe completely with some of the reported
behaviour (in particular the claim that reinstalling ZoneAlarm fixed the issues)
but perhaps the reports were confused.

Be that as it may, the only situation I see where Microsoft could rightly be
blamed is if Zone Alarm had asked to receive pre-release versions of updates for
testing and Microsoft had refused. Microsoft can't reasonably be expected to
bear the cost of testing third-party products with new updates (particularly
those using undocumented techniques to pervert the functioning of the operating
system) but they should of course be cooperative with reputable third-party vendors.

Harry.
 
Kayman

You constantly shift the discussion from the value of proper egress
filtering to software firewalls, even though I have said right from the
start that egress filtering at the firewall can be foiled and that users
should consider better methods. So get it in your thick skull, egress
filtering at a perimeter appliance is a sound security measure, even the
folks at Microsoft will tell you this:
http://msdn.microsoft.com/en-us/library/aa302431.aspx

Now maybe you should read what it says there and get a grip on yourself,
you don't know all that there is to know about network security and data
protection! Quite frankly you should not be one to speak of drivel, you
spew enough of it yourself! If you are really too stupid to recognize
the purpose and usefulness of egress traffic control then you are indeed
lacking in the basics of network and data security!

This thread is about what the original heading suggests; it later graduated
to security issues in relation to 3rd party personal (so-called) firewalls.

I reiterate, this thread is about 3rd party personal (so-called)
firewall(s)! My posts and responses were composed accordingly!

If anybody is running around like a headless chicken it is you.

The sole purpose for snipping my posts so cleverly is to save your face; it
enables you to take my responses out of context, which is a sorry attempt
at trying to re-establish your credibility!

After reading my posts in their *UNCUT* version, anybody with average
reading skills and a moderate level of comprehension will see through your 'game'.

John John (MVP), After you've wiped the tons of eggs from your face, I
suggest you never ever touch that subject again, change your name, sell
your house and migrate to Andorra or Lesotho then join a yacht club and
teach sailing.

I am done with you.
 
