
Re: FIX for ZoneAlarm & KB951748 issue released


"Stinger" <Stinger@discussions.microsoft.com> wrote in message

news:64031966-D4CF-4748-8D5D-A691A4F4D6C3@microsoft.com...

>
> "Kerry Brown" wrote:
>
>> "Stinger" <Stinger@discussions.microsoft.com> wrote in message
>> news:B7A45133-F148-4507-85CB-
>> > Bottom line, this update is important since it was a gaping hole in
>> > Windows for quite some time. Great that Windows decided to do something
>> > about it. Bad it renders tried and true helper 3rd party software that
>> > has been used for years by the general public trying its best to close
>> > that huge hole in Windows (with what is considered "overkill") and at
>> > the same time consumers are unable to even get on the internet without
>> > a single word of caution from the makers of the operating system.
>> > Ironically, they left it up to the geeks of the world to figure it out.
>> > Nice from a company that assumes it's the industry leader.
>>
>> You should do a bit of research before you post. The gaping hole was in
>> the way DNS worked. It was not Windows specific. Almost every OS was
>> affected. In fact almost everything that interacted with DNS in any way
>> was affected.
>>
>> http://www.securityfocus.com/news/11526
>>
>> Take a look at some of the affected products.
>>
>> http://www.kb.cert.org/vuls/id/800113
>>
>> We can debate the effectiveness of software firewalls all day. I don't
>> think at the end of the debate either of us would change their mind. You
>> think they're great. I think they're mostly hype and snake oil. There is
>> no debating the fact that this flaw in the DNS system needed to be
>> patched and it needed to be patched immediately. This has nothing to do
>> with Windows. The flaw was in the way DNS worked. The fact that your 3rd
>> party application couldn't deal with the fact that an OS update changed
>> some system files says a lot about how well it's programmed. It wasn't
>> any changes in the files that broke your software. It was just the fact
>> that the files changed that broke it. If an application can't deal with
>> the fact that an OS may update itself it's not an application I would
>> want on my computer.
>>
>> --
>> Kerry Brown
>> MS-MVP - Windows Desktop Experience: Systems Administration
>> http://www.vistahelp.ca/phpBB2/
>> http://vistahelpca.blogspot.com/
>>

> Simply amazing to me how many of you responders hold such a cavalier
> attitude toward security. I challenge any of you to publicly post a static
> IP address available you can monitor, turn on that wonderful Windows
> firewall (since that's all you believe is needed) and sit back for a few
> days and watch what happens. You'll soon discover how vital security
> becomes in your computer world. Do it the right way, like MOST consumers do
> without the aid of any router or other bandwidth protectors.
>
> Firewalls are mostly hype and snake oil. Thanks for that little chuckle.
> You don't mind if I share that statement with others in the real world
> outside of the protection of this forum? Sure, most computer users are
> small fish in a big sea but not all of us....obviously. I for one would
> rather be safe with my firewall protection than to take the word of someone
> that discounts security as easily as the like of this group.
>
> Oh and let's be real honest about something here. Internet Explorer is
> "bundled" with Windows, has been for a long time. Windows is also the most
> common OS in the world. But IE is nothing more than a GUI for viewing web
> pages. Saying the DNS problem wasn't related to Windows (did you really say
> that??) is laughable. Perhaps a better understanding of the actual DNS
> issue should be on your todo list. And on top of all that even implying a
> firewall isn't involved in this DNS issue is blasphemy. What conduit is
> being used for this communication between your computer and web pages if
> it's not via ports? I'll quote a single line explaining part of the DNS
> process for those reading this that are tired of being directed to web
> sites --> "If the records are not stored locally, your computer queries
> (or contacts) your ISP's recursive DNS servers." Doesn't take a rocket
> scientist to understand the Windows operating system does indeed have a
> major stake in this DNS problem. If you still are riding on the boat down
> the river of denial, ask yourself one question.... Why was the patch even
> produced by MS if there wasn't a "problem" with the OS, hmm?
>
> Yea, firewalls are all hype and snake oil. That's an instant classic!
>
> You folks need to get out of the Microsoft world and step into the real
> world every once in a while or you're limiting yourself.



I live in the real world. I manage networks for a living. This includes
managing the network security for a government contractor who gets audited
for security yearly. I use real firewalls (not software firewalls) every
day. The networks I manage use many products and OS's, other than
Microsoft's, that do DNS lookups. Here's what happened with the DNS changes.
Windows was using DNS as it was supposed to be used. A flaw was found in the
way DNS communications work. This flaw had nothing to do with Windows. All
of the major networking hardware and software developers were made aware of
this and as a group decided to make a change in the way DNS communications
worked to close this possible exploit. This change in the way DNS
communications worked meant some low level system files in Windows needed to
be updated. FWIW my Linux computers and some of the hardware firewall
appliances I manage also had some low level changes because of this as well.
The change was made and some Windows files were updated via Windows Updates.
At this point some versions of Zone Alarm barfed. I don't use Zone Alarm so
the rest of the story I gleaned from reading Zone Alarm forums and official
announcements. The Zone Alarm application noticed that some Windows files
had changed and decided not to allow these files to communicate to the
Internet. It wasn't anything in the way the files worked, merely that they
had changed, that caused the problem. Because these are system files Zone
Alarm doesn't ask about them. Clearing the Zone Alarm database so that it
would not think the files were changed fixed the problem. How is an OS
supposed to update itself if it can't change files? The way that Zone Alarm
monitors and responds to system file changes is flawed.

You have misquoted me. I never said "firewalls are all hype and snake oil".
I said "We can debate the effectiveness of software firewalls all day."
followed by "I think they're mostly hype and snake oil." Of course not all
firewalls are hype and snake oil. Software firewalls that advertise they can
stop malicious outbound traffic are. If you want to quote me anywhere,
including this forum, please quote me verbatim without changes.

Oh and by the way, I know of many people using both XP and Vista with
only the Windows firewall running on their computer. What am I supposed to
see happen? They have no more problems with malware than anyone else. In
fact the ones that I set up have almost no malware problems at all. Many of
them don't have a router (i.e. dialup) yet they don't have any problems with
malware. How will your preferred firewall solution help protect them better
than they are now? Maybe you could tell us exactly how their security will
be improved by using a different software firewall?


--

Kerry Brown

Microsoft MVP - Windows Desktop Experience: Systems Administration

http://www.vistahelp.ca/phpBB2/

http://vistahelpca.blogspot.com/
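Editor's added example (not part of Kerry Brown's post or anyone else's in this thread). The post above describes the VU#800113 fix only as "a change in the way DNS communications worked". The assumption made here, consistent with the CERT note the thread links to but not spelled out on this page, is that the change was randomizing the UDP source port of outbound DNS queries, so an off-path spoofer has to guess the 16-bit transaction ID and the port rather than the ID alone. The script below quantifies that gain and then runs the check a practitioner would want after applying such a patch: given the (source port, transaction ID) tuples of captured outbound queries, decide whether the ports look randomized. All query tuples are constructed sample data generated in the script, not captured traffic, and the function names are my own.

```python
"""Blind DNS spoofing work factor and a source-port randomization check.

Added example; assumptions: the fix is query source-port randomization,
and all sample data below is constructed, not captured from a real host.
"""
from collections import Counter
import math
import random

TXID_SPACE = 1 << 16                 # 16-bit DNS transaction ID
DYNAMIC_PORTS = range(49152, 65536)  # IANA dynamic/ephemeral range (16384 ports)


def spoof_guess_space(distinct_ports: int) -> int:
    """(txid, port) combinations a forged reply must match.

    With a single fixed query port the attacker only guesses the txid.
    """
    return TXID_SPACE * distinct_ports


def per_packet_hit_probability(distinct_ports: int) -> float:
    """Chance that one blind forged reply is accepted, uniform guessing."""
    return 1.0 / spoof_guess_space(distinct_ports)


def entropy_bits(values) -> float:
    """Shannon entropy of the observed value distribution, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_randomized(ports, min_distinct_fraction: float = 0.9) -> bool:
    """Heuristic: nearly all ports distinct and not a simple +1 sequence.

    A fixed port fails on distinctness; a counter fails the sequence test.
    """
    if not ports:
        return False
    distinct_fraction = len(set(ports)) / len(ports)
    sequential = len(ports) > 1 and all(
        b - a == 1 for a, b in zip(ports, ports[1:])
    )
    return distinct_fraction >= min_distinct_fraction and not sequential


def assess(queries):
    """queries: iterable of (src_port, txid) for outbound DNS queries."""
    queries = list(queries)
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    return {
        "queries": len(queries),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "port_randomized": looks_randomized(ports),
    }


def make_sample(n: int, mode: str, seed: int = 1234):
    """Constructed query tuples. mode: 'fixed', 'sequential' or 'random'."""
    rng = random.Random(seed)
    txids = [rng.randrange(TXID_SPACE) for _ in range(n)]
    if mode == "fixed":
        ports = [1025] * n                      # one port reused for every query
    elif mode == "sequential":
        ports = [49152 + i for i in range(n)]   # predictable counter
    elif mode == "random":
        ports = [rng.choice(DYNAMIC_PORTS) for _ in range(n)]
    else:
        raise ValueError(mode)
    return list(zip(ports, txids))


if __name__ == "__main__":
    for mode in ("fixed", "sequential", "random"):
        print(mode, assess(make_sample(200, mode)))
    print("blind-hit probability, fixed port :", per_packet_hit_probability(1))
    print("blind-hit probability, 16384 ports:",
          per_packet_hit_probability(len(DYNAMIC_PORTS)))
```

To use it on real traffic, feed `assess()` the source ports and IDs of outbound UDP/53 queries from a capture taken over a few minutes; a host whose result shows one distinct port, or a strictly increasing port sequence, is still exposing only the 16-bit ID to a spoofer, which is exactly the condition the patch was meant to remove. The heuristic is deliberately simple and is a sanity check, not a proof of good randomness.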

