
News ZoneLabs Won't Fix Hole In Free Firewall

Discussion in 'Article Discussion' started by GreatOldOne, 2 Jul 2003.

  1. GreatOldOne

    From ExtremeTech:

    ZoneLabs said it will not fix a vulnerability found in the freeware version of its ZoneAlarm firewall. The company said the vulnerability was a problem found in Windows, not its firewall, and that it would require the hacker equivalent of "brain surgery" to exploit.

    Instead, ZoneLabs executives said that the vulnerability could be protected against by using one of its paid products: ZoneAlarm Plus, ZoneAlarm Pro, or its Integrity enterprise system.

    According to the posting to the BugTraq mailing list, the vulnerability involves the Windows shell32.dll file, which can invoke the ShellExecute function. When one of the parameters of ShellExecute is set to a Web address, the web browser is prompted to access the web site in question -- and, under most ZoneAlarm configurations, is allowed to freely access web sites without the express permission of the user.

    According to the poster, "aceh", that browser could quickly access a malicious web site, funnel a short string of confidential information (such as a username and password) and quickly redirect itself to an innocuous and trusted web site.


    More Here
     