If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#181
|
|||
|
|||
FIX for ZoneAlarm & KB951748 issue released
"jen" wrote:
Microsoft patch knocks some ZoneAlarm users offline: **Firewall's hooks into Windows XP kernel the cause, says ZoneAlarm** http://www.computerworld.com/action/...leId=9108 298 -jen Thank you. Interesting and makes sense, even if technical details are not given. |
Ads |
#182
|
|||
|
|||
FIX for ZoneAlarm & KB951748 issue released
On Mon, 21 Jul 2008 23:48:44 -0400, "jen" wrote:
Microsoft patch knocks some ZoneAlarm users offline: **Firewall's hooks into Windows XP kernel the cause, says ZoneAlarm** http://www.computerworld.com/action/...leId=9108 298 quote The quickest way to regain Internet access, said the company, is to uninstall the security update tagged as KB951748 using Windows' Add or Remove Programs utility. Alternately, users could tweak ZoneAlarm's firewall settings or reduce the security level of the machine. end-quote How responsible..... quote "We filter network traffic at the kernel, where malware can't avoid us," said James Grant, a ZoneAlarm team lead. "If you filter traffic in user mode, malware can see what we're doing." end-quote Yearh, right. As if malware wouldn't compromise the kernel as well.... quote The problem notwithstanding, she defended kernel hooking. "It's undocumented, but it's in widespread use. Every major security vendor makes use of it," said Yecies. end-quote So does any serious malware writer.... quote "This isn't about finger-pointing," said Yecies, when asked which company was responsible for the snafu, ZoneAlarm or Microsoft. When pressed, however, she acknowledged that Microsoft should have caught the problem before issuing its security update. end-quote Yearh, right. "Don't make changes to your kernel without making sure we didn't mess with it."..... |
#183
|
|||
|
|||
FIX for ZoneAlarm & KB951748 issue released
At this point some versions of Zone Alarm barfed. I don't use Zone Alarm
so the rest of the story I gleaned from reading Zone Alarm forums and official announcements. The Zone Alarm application noticed that some Windows files had changed and decided not to allow these files to communicate to the Internet. It wasn't anything in the way the files worked, merely that they had changed, that caused the problem. Because these are system files Zone Alarm doesn't ask about them. Clearing the Zone Alarm database so that it would not think the files were changed fixed the problem. How is an OS supposed to update itself if it can't change files? The way that Zone Alarm monitors and responds to system file changes is flawed. It looks like this may not be quite the whole story. There are conflicting reports about exactly what caused Zone Alarm to barf. Some stories say it was Zone Alarm's heuristics causing the problem. Others say the update broke the way Zone Alarm uses unsupported methods to hack the kernel. Zone Alarm hasn't commented officially that I can find. It doesn't really change anything. It's merely a technical point of interest. The fault lays with Zone Alarm if either reason is the cause. -- Kerry Brown MS-MVP - Windows Desktop Experience: Systems Administration http://www.vistahelp.ca/phpBB2/ http://vistahelpca.blogspot.com/ |
#184
|
|||
|
|||
FIX for ZoneAlarm & KB951748 issue released
Root Kit wrote:
quote "We filter network traffic at the kernel, where malware can't avoid us," said James Grant, a ZoneAlarm team lead. "If you filter traffic in user mode, malware can see what we're doing." end-quote Yearh, right. As if malware wouldn't compromise the kernel as well.... Well ... if the user isn't an administrator, it won't. But what it *can* do is hook itself into a program that's already allowed access, like your web browser. Harry. |
#185
|
|||
|
|||
FIX for ZoneAlarm & KB951748 issue released
On Wed, 23 Jul 2008 11:40:05 +1200, "Harry Johnston [MVP]"
wrote: Root Kit wrote: quote "We filter network traffic at the kernel, where malware can't avoid us," said James Grant, a ZoneAlarm team lead. "If you filter traffic in user mode, malware can see what we're doing." end-quote Yearh, right. As if malware wouldn't compromise the kernel as well.... Well ... if the user isn't an administrator, it won't. That's correct. Unless the firewall is so badly designed it allows the malware to exploit it to gain SYSTEM credentials, that is. But unfortunately running as administrator is what the vast majority of windows users do. |
#186
|
|||
|
|||
FIX for ZoneAlarm & KB951748 issue released
On Wed, 23 Jul 2008 07:28:16 GMT, Root Kit wrote:
On Wed, 23 Jul 2008 11:40:05 +1200, "Harry Johnston [MVP]" wrote: Root Kit wrote: quote "We filter network traffic at the kernel, where malware can't avoid us," said James Grant, a ZoneAlarm team lead. "If you filter traffic in user mode, malware can see what we're doing." end-quote Yearh, right. As if malware wouldn't compromise the kernel as well.... Well ... if the user isn't an administrator, it won't. That's correct. Unless the firewall is so badly designed it allows the malware to exploit it to gain SYSTEM credentials, that is. But unfortunately running as administrator is what the vast majority of windows users do. That is sadly true! A timely reminder and friendly advice for all the lurkers out there running on WinXP, please take notice :-) The most dependable defenses a 1. Do not work as Administrator; For day-to-day work routinely use a Limited User Account (LUA). 2. Secure (Harden) your operating system. 3. Don't expose services to public networks. 4. Keep your operating (OS) system (and all software on it)updated/patched. (Got SP3 yet?). 5. Reconsider the usage of IE and OE. 5a.Secure (Harden) Internet Explorer. 6. Review your installed 3rd party software applications/utilities; Remove clutter, *including* 3rd party software personal (so-called) firewall application (PFW) - the one which claims: "It can stop/control malicious outbound traffic". 7. If on dial-up Internet connection, activate the build-in firewall and configure Windows not to use TCP/IP as transport protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135,137-139 and 445 (the most exploited Windows networking weak point) closed. 7a.If on high-speed Internet connection use a router. For the average homeuser it is suggested blocking both TCP and UDP ports 135 ~ 139 and 445 on the router and implement countermeasures against DNSChanger. 8. Routinely practice Safe-Hex. Also, ensure you do: a. Regularly back-up data/files. b. Familiarize yourself with crash recovery tools and re-installing your operating system (OS). b. Utilize a good-quality real-time anti-virus application and some vital system monitoring utilities/applications. c. Keep abreast of the latest developments. And finally: Most computer magazines and/or (computer) specialized websites are *biased* i.e. heavely weighted towards the (advertisement) dollar almighty! Therefo a. Don't fall for software applications touted in publications relying on advertisement revenue. b. Do take their *test-results* of various software with a *considerable* amount of salt...! c. ...Which also applies to their *investigative* test reports related to any software applications. d. Investigate claims made by software manufacturer *prior* downloading their software; Specialized Newsgroups and/or Fora are a great way to find out the 'nitty-gritties'. Wanna know details? Go ahead and ask :-) -- Security is a process not a product. (Bruce Schneier) |
Thread Tools | |
Display Modes | |
|
|