FIX for ZoneAlarm & KB951748 issue released

[Root Kit]

Re: FIX for ZoneAlarm & KB951748 issue released

On Sun, 20 Jul 2008 10:24:26 -0300, "John John (MVP)"
<audetweld@nbnet.nb.ca> wrote:

>The point to be made is that before XP was released third party firewall
>products were the only alternative to hardware firewalls

That's not entirely true. You are missing the obvious (and in fact
most secure) alternative of shutting down the unneeded network
services (which should of course have been the windows default
setting). I used to run a W2K machine with a direct Internet
connection without any inbound "protection" at all and without
problems for several years. And to be honest, still today I wouldn't
loose any sleep over operating a hardened W2K client machine directly
on the net.

>These were trusted applications from trusted companies.

I guess that's an opinion open for debate.

>Then, overnight, just because Windows XP was released, in the eyes of a
>zealous few these companies became villains peddling worthless products!

That's also not true. They were highly criticized among specialists
already before that. It's just hard to get through the marketing
noise.

>A couple of individuals decided to tar and feather a whole ISV group with the same
>wide brush! That is wrong, absolutely wrong, and the attack on some of
>those ISVs is completely unwarranted, those ISVs were trusted companies
>the day before XP hit the market and they were no less trustworthy the
>day after XP was released. Much of the hype against those ISVs is
>nothing more than blind zealotry!

I think it's absolutely fair that some people stand up against the
obvious hype and in cases utter nonsense that the marketing
departments of these companies were and are still using to fool less
knowledgeable users into buying their products. I find it a bit
worrying that an MVP does not have the technical insight to see
through the smoke.

I've asked this before without getting any responses: Why are there no
web pages with listings of personal firewall software available for
Linux? Well, don't bother. I already know the answer.

Please understand that I'm not in any way trying to "defend" MS. I
fully recognize that windows has it's serious security flaws. But when
claiming that it can be made more secure by adding further highly
questionable code to it, one has stepped away from technical sense and
into emotional reasoning - often backed by non-applicable analogies.

>There is also a developing and troubling trend in this whole debate, one
>that some people are bent on spreading at all costs, that because
>software firewalls are not immune to exploits by malware attempting to
>send data to outside networks, then by simple deduction any and all
>egress filtering as a security concept is unnecessary.

Who is that? - I for sure have not been spreading that thought.

>Egress filtering at the perimeter, done by reliable network appliances, is a vital part
>of network security,

Agreed.

 

[Root Kit]

Re: FIX for ZoneAlarm & KB951748 issue released

On Mon, 21 Jul 2008 07:41:27 +0700, Kayman
<kaymanDeleteThis@operamail.com> wrote:

>> The point to be made is that before XP was released third party firewall
>> products were the only alternative to hardware firewalls, many of these
>> third party firewall products were good and many were free.
>
>Yes, as I had mentioned many times previously - *Prior NT*!

In fact even the windows 9x platform usually didn't need any packet
filtering. You'd just have to unbind any network service from your
network interface that you didn't want.

 

[John John (MVP)]

Re: FIX for ZoneAlarm & KB951748 issue released

Kayman wrote:

> Fact:
> The only reasonable way to deal with malware is to prevent it from being
> run in the first place. That's what AV software or Windows' System
> Restriction Policies are doing. And what 3rd party Personal (so-called)
> Firewalls fail to do!
>
> John John (MVP), would you please educate and inform yourself by studying
> publications not associated with any COMMERCIAL influence. Additionally,
> the authors of these publications can be contacted....why don't you bite
> the bullet and do so? It'll brighten your horizon and you could pass on
> your newly acquired knowledge to this and other newsgroups.

Only a fool would claim that proper egress control has no place in
network security. Even the experts at Microsoft advise users to protect
their data with egress control. You, of course, also know better than
the folks at Microsoft.

John

 

[Root Kit]

Re: FIX for ZoneAlarm & KB951748 issue released

On Mon, 21 Jul 2008 09:14:31 -0300, "John John (MVP)"
<audetweld@nbnet.nb.ca> wrote:

>Only a fool would claim that proper egress control has no place in
>network security. Even the experts at Microsoft advise users to protect
>their data with egress control.

Beside of the fact that "Only a fool would claim..." marks the
beginning of a non-argument - who are you addressing here? I don't
recall anyone making the claim you're stating.

 

[Kayman]

Re: FIX for ZoneAlarm & KB951748 issue released

On Mon, 21 Jul 2008 09:14:31 -0300, John John (MVP) wrote:

> Kayman wrote:
>
>> Fact:
>> The only reasonable way to deal with malware is to prevent it from being
>> run in the first place. That's what AV software or Windows' System
>> Restriction Policies are doing. And what 3rd party Personal (so-called)
>> Firewalls fail to do!
>>
>> John John (MVP), would you please educate and inform yourself by studying
>> publications not associated with any COMMERCIAL influence. Additionally,
>> the authors of these publications can be contacted....why don't you bite
>> the bullet and do so? It'll brighten your horizon and you could pass on
>> your newly acquired knowledge to this and other newsgroups.
>
> Only a fool...

You just can't help yourself, can you.
Name calling does not hide your immaturity.

> ...would claim that proper egress control has no place in network security.

Where precisely did I claim that?

> Even the experts at Microsoft advise users to protect their data with
> egress control.

Which 3rd party personal (so-called) firewall is MSFT recommending?
Where are links, URL's, publications?

> You, of course, also know better than the folks at Microsoft.

Your assumption is nothing but an assumption (you've got to replace that
crystal ball). And who in particular from MSFT are you referring to? I'd be
genuinely interested to read their write-ups. If you're referring to the
authors already mentioned in this thread, please point me to their
publication(s) which state that 3rd party personal (so-called) firewall is
an effective tool for controlling egress traffic.
It seems you either totally not understanding my point or deliberately
evading the issue!
MSFT knows exactly well that outbound application protection is an
illusion, which is why they don't offer such a (phony-baloney) thing.
Unlike you, they understand the nature of their operating system, and are
even honest enough to admit that outbound control is way too unreliable.
Even commercial enterprises like Sunbelt, makers of Kerio and Steve Gibson
of Gibson Research Corporation have finally conceded this fact!
Now don't change directions here and twist this straightforward post into a
convoluted psychedelic drivel.
John John (MVP), WHERE IS THE BEEF? SHOW US THE MONEY! PUT UP OR SHUT UP!

 

[Paul (Bornival)]

Re: FIX for ZoneAlarm & KB951748 issue released

"Kayman" wrote:

> > Where can we find the technical details of the incompatibility. I have been
> > looking hard but have not found anything relevant so far (or so vague you
> > can't understand what is going on).
>
> Informative reading:
>
> Dan Kaminsky Discovers Fundamental Issue In DNS: ...

Thank you. But I have actually read all those documents. What I was
interested in was to understand the technical (ral) reason for the
incompatibility of ZA with KB951748.

 

[Paul (Bornival)]

Re: FIX for ZoneAlarm & KB951748 issue released

"Harry Johnston [MVP]" wrote:

> Paul (Bornival) wrote:
>
> > Where can we find the technical details of the incompatibility. I have been
> > looking hard but have not found anything relevant so far (or so vague you
> > can't understand what is going on).
>
> I believe there is some information on the ZoneAlarm forums, and there's been a
> fair bit of discussion in microsoft.public.windowsupdate.
>
> The quick summary, as I understand it, is that ZoneAlarm couldn't cope with the
> fact that the update modified some of the system files associated with internet
> access. It wasn't anything specific about the way they were changed, simply the
> fact that they had changed.
>
> Harry.


Thank you for your reply. I checked these forums but could not find
specific information. Do you know which files were modified and why ZA could
not cope with them ?

 

[John John (MVP)]

Re: FIX for ZoneAlarm & KB951748 issue released

Kayman wrote:
> On Mon, 21 Jul 2008 09:14:31 -0300, John John (MVP) wrote:
>
>
>>Kayman wrote:
>>
>>
>>>Fact:
>>>The only reasonable way to deal with malware is to prevent it from being
>>>run in the first place. That's what AV software or Windows' System
>>>Restriction Policies are doing. And what 3rd party Personal (so-called)
>>>Firewalls fail to do!
>>>
>>>John John (MVP), would you please educate and inform yourself by studying
>>>publications not associated with any COMMERCIAL influence. Additionally,
>>>the authors of these publications can be contacted....why don't you bite
>>>the bullet and do so? It'll brighten your horizon and you could pass on
>>>your newly acquired knowledge to this and other newsgroups.
>>
>>Only a fool...
>
>
> You just can't help yourself, can you.
> Name calling does not hide your immaturity.
>
>
>>...would claim that proper egress control has no place in network security.
>
>
> Where precisely did I claim that?
>
>
>>Even the experts at Microsoft advise users to protect their data with
>>egress control.
>
>
> Which 3rd party personal (so-called) firewall is MSFT recommending?
> Where are links, URL's, publications?
>
>
>>You, of course, also know better than the folks at Microsoft.
>
>
> Your assumption is nothing but an assumption (you've got to replace that
> crystal ball). And who in particular from MSFT are you referring to? I'd be
> genuinely interested to read their write-ups. If you're referring to the
> authors already mentioned in this thread, please point me to their
> publication(s) which state that 3rd party personal (so-called) firewall is
> an effective tool for controlling egress traffic.
> It seems you either totally not understanding my point or deliberately
> evading the issue!
> MSFT knows exactly well that outbound application protection is an
> illusion, which is why they don't offer such a (phony-baloney) thing.
> Unlike you, they understand the nature of their operating system, and are
> even honest enough to admit that outbound control is way too unreliable.
> Even commercial enterprises like Sunbelt, makers of Kerio and Steve Gibson
> of Gibson Research Corporation have finally conceded this fact!
> Now don't change directions here and twist this straightforward post into a
> convoluted psychedelic drivel.
> John John (MVP), WHERE IS THE BEEF? SHOW US THE MONEY! PUT UP OR SHUT UP!

You constantly shift the discussion from the value of proper egress
filtering to software firewalls, even though I have said right from the
start that egress filtering at the firewall can be foiled and that users
should consider better methods. So get it in your thick skull, egress
filtering at a perimeter appliance is a sound security measure, even the
folks at Microsoft will tell you this:
http://msdn.microsoft.com/en-us/library/aa302431.aspx

Now maybe you should read what is says there and get a grip on yourself,
you don't know all that there is to know about network security and data
protection! Quite frankly you should not be one to speak of drivel, you
spew enough of it yourself! If you are really too stupid to recognize
the purpose and usefulness of egress traffic control then you are indeed
lacking in the basics of network and data security!

John

 

[Harry Johnston [MVP]]

Re: FIX for ZoneAlarm & KB951748 issue released

John John (MVP) wrote:

> You constantly shift the discussion from the value of proper egress
> filtering to software firewalls, even though I have said right from the
> start that egress filtering at the firewall can be foiled and that users
> should consider better methods. So get it in your thick skull, egress
> filtering at a perimeter appliance is a sound security measure, [...]

As far as I recall, nobody in this thread has ever said otherwise. The
discussion is about software firewalls, after all!

Harry.

 

[Harry Johnston [MVP]]

Re: FIX for ZoneAlarm & KB951748 issue released

Paul (Bornival) wrote:

> Thank you for your reply. I checked these forums but could not find
> specific information. Do you know which files were modified and why ZA could
> not cope with them ?

The Microsoft KB article describes the files that the update replaces:

http://support.microsoft.com/kb/951748

<http://support.microsoft.com/kb/951748>

I haven't confirmed this myself, but my understanding is that ZA assumed that
the changes were due to malware infection and refused to use the files.

Harry.

 

[Paul (Bornival)]

Re: FIX for ZoneAlarm & KB951748 issue released

nOh, thank you.
Any idea why ZA assumed those changes were due to malware infection. I like
to know the details sice, after all, software is not "magic" but somethig
made by a human (and therefore, intelligible by another human) to be used by
a machine (and not the opposite).
Paul.

"Harry Johnston [MVP]" wrote:

> Paul (Bornival) wrote:
>
> > Thank you for your reply. I checked these forums but could not find
> > specific information. Do you know which files were modified and why ZA could
> > not cope with them ?
>
> The Microsoft KB article describes the files that the update replaces:
>
> http://support.microsoft.com/kb/951748
>
> <http://support.microsoft.com/kb/951748>
>
> I haven't confirmed this myself, but my understanding is that ZA assumed that
> the changes were due to malware infection and refused to use the files.
>
> Harry.
>

 

[Root Kit]

Re: FIX for ZoneAlarm & KB951748 issue released

On Tue, 22 Jul 2008 08:10:00 +1200, "Harry Johnston [MVP]"
<harry@scms.waikato.ac.nz> wrote:

>I haven't confirmed this myself, but my understanding is that ZA assumed that
>the changes were due to malware infection and refused to use the files.

Firewalls should just deal with network traffic. The fact that ZA has
to resort to HIPS technology speaks volumes about what business they
got themselves into.

 

[John John (MVP)]

Re: FIX for ZoneAlarm & KB951748 issue released

Harry Johnston [MVP] wrote:
> John John (MVP) wrote:
>
>> You constantly shift the discussion from the value of proper egress
>> filtering to software firewalls, even though I have said right from
>> the start that egress filtering at the firewall can be foiled and that
>> users should consider better methods. So get it in your thick skull,
>> egress filtering at a perimeter appliance is a sound security measure,
>> [...]
>
>
> As far as I recall, nobody in this thread has ever said otherwise. The
> discussion is about software firewalls, after all!
>
> Harry.

Read Kayman's posts, specifically:


John said:

>>There is also a developing and troubling trend in this whole debate, one
>>> that some people are bent on spreading at all costs, that because
>>> software firewalls are not immune to exploits by malware attempting to
>>> send data to outside networks, then by simple deduction any and all
>>> egress filtering as a security concept is unnecessary. Egress filtering
>>> at the perimeter, done by reliable network appliances, is a vital part
>>> of network security, without proper egress control your network security
>>> is incomplete, ignore egress traffic at your own perils!


Kayman said:

> Fact:
> Outbound control on an XP platform as a security measure against malware is
> still utter nonsense.
> The windows platform was designed with usability in mind providing all
> kinds of possibilities for e.g. inter-process communication. This
> together with the very high probability that the user is running with
> unrestricted rights makes it impossible to prevent malware allowed to
> run and determined to by-pass any outbound "control" (which, of course
> modern malware is) from doing so. It's simply too unreliable to
> qualify as a security measure.

Does that not say that "any" outbound control (egress control) is "utter
nonsense that is too unreliable to qualify as a security measure"? The
comment was made in direct reply to my statement that egress filtering
at the perimeter was a vital part of network security, how else can you
interpret Kayman's reply?

John

 

[Kayman]

Re: FIX for ZoneAlarm & KB951748 issue released

On Mon, 21 Jul 2008 09:22:07 -0700, Paul (Bornival) wrote:

> "Kayman" wrote:
>
>>> Where can we find the technical details of the incompatibility. I have been
>>> looking hard but have not found anything relevant so far (or so vague you
>>> can't understand what is going on).
>>
>> Informative reading:
>>
>> Dan Kaminsky Discovers Fundamental Issue In DNS: ...
>
> Thank you. But I have actually read all those documents. What I was
> interested in was to understand the technical (ral) reason for the
> incompatibility of ZA with KB951748.

Don't know (can't locate) any technical reasons re incompatiblity. My guess
is that ZA just did not realize the impact KB951748 would have to their
software. For the ZA users, this actually would be an interesting question
to ask in their forum.

 

[Anthony Buckland]

Re: FIX for ZoneAlarm & KB951748 issue released


"Kayman" <kaymanDeleteThis@operamail.com> wrote in message
news:e1JqD046IHA.4864@TK2MSFTNGP06.phx.gbl...
> On Mon, 21 Jul 2008 09:22:07 -0700, Paul (Bornival) wrote:
> ...
> Don't know (can't locate) any technical reasons re incompatiblity. My
> guess
> is that ZA just did not realize the impact KB951748 would have to their
> software. For the ZA users, this actually would be an interesting question
> to ask in their forum.

Believe me, it's been all over the ZoneAlarm forum. The first thing
you see now when you enter the forum is a

G R E A T B I G W A R N I N G

about the situation and its fix.

 

[Harry Johnston [MVP]]

Re: FIX for ZoneAlarm & KB951748 issue released

John John (MVP) wrote:

>> As far as I recall, nobody in this thread has ever said otherwise. The
>> discussion is about software firewalls, after all!

> Read Kayman's posts, specifically:

[John John quoting Kayman:] "Fact: Outbound control on an XP platform as a
security measure against malware is still utter nonsense. The windows platform
was designed with usability in mind providing all kinds of possibilities for
e.g. inter-process communication."

Kayman is obviously talking about software firewalls here, since otherwise IPC
would be irrelevant. I can't speak for Kayman, of course, but I'd guess he
simply missed the fact that you'd unexpectedly changed the subject.

... on the other hand, and speaking only for myself, I don't see how external
egress filtering is going to help much; how is the device to distinguish between
legitimate and illegitimate traffic? (Well, OK, there's the obvious case of
spam engines, but apart from that ...)

Harry.

 

[Harry Johnston [MVP]]

Re: FIX for ZoneAlarm & KB951748 issue released

Paul (Bornival) wrote:

> Any idea why ZA assumed those changes were due to malware infection.

I would guess it simply assumed that /any/ change to the network stack must be
due to malware. The real answer may be more complex than this, but only the
developers could provide it.

Harry.

 

[jen]

Re: FIX for ZoneAlarm & KB951748 issue released

Microsoft patch knocks some ZoneAlarm users offline:
**Firewall's hooks into Windows XP kernel the cause, says ZoneAlarm**
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108298

-jen

"Paul (Bornival)" <PaulBornival@discussions.microsoft.com> wrote in
message news:7C0F355E-FB21-4DAD-BB25-860799FE8FEA@microsoft.com...
> nOh, thank you.
> Any idea why ZA assumed those changes were due to malware infection.
> I like
> to know the details sice, after all, software is not "magic" but
> somethig
> made by a human (and therefore, intelligible by another human) to be
> used by
> a machine (and not the opposite).
> Paul.
>
> "Harry Johnston [MVP]" wrote:
>
>> Paul (Bornival) wrote:
>>
>> > Thank you for your reply. I checked these forums but could not
>> > find
>> > specific information. Do you know which files were modified and
>> > why ZA could
>> > not cope with them ?
>>
>> The Microsoft KB article describes the files that the update
>> replaces:
>>
>> http://support.microsoft.com/kb/951748
>>
>> <http://support.microsoft.com/kb/951748>
>>
>> I haven't confirmed this myself, but my understanding is that ZA
>> assumed that
>> the changes were due to malware infection and refused to use the
>> files.
>>
>> Harry.
>>

 

[Harry Johnston [MVP]]

Re: FIX for ZoneAlarm & KB951748 issue released

jen wrote:

> Microsoft patch knocks some ZoneAlarm users offline:
> **Firewall's hooks into Windows XP kernel the cause, says ZoneAlarm**
> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9108298

Thanks. This description doesn't gibe completely with some of the reported
behaviour (in particular the claim that reinstalling ZoneAlarm fixed the issues)
but perhaps the reports were confused.

Be that as it may, the only situation I see where Microsoft could rightly be
blamed is if Zone Alarm had asked to receive pre-release versions of updates for
testing and Microsoft had refused. Microsoft can't reasonably be expected to
bear the cost of testing third-party products with new updates (particularly
those using undocumented techniques to pervert the functioning of the operating
system) but they should of course be cooperative with reputable third-party vendors.

Harry.

 

[Kayman]

Re: FIX for ZoneAlarm & KB951748 issue released

On Mon, 21 Jul 2008 14:20:08 -0300, John John (MVP) wrote:

> Kayman wrote:
>> On Mon, 21 Jul 2008 09:14:31 -0300, John John (MVP) wrote:
>>
>>
>>>Kayman wrote:
>>>
>>>
>>>>Fact:
>>>>The only reasonable way to deal with malware is to prevent it from being
>>>>run in the first place. That's what AV software or Windows' System
>>>>Restriction Policies are doing. And what 3rd party Personal (so-called)
>>>>Firewalls fail to do!
>>>>
>>>>John John (MVP), would you please educate and inform yourself by studying
>>>>publications not associated with any COMMERCIAL influence. Additionally,
>>>>the authors of these publications can be contacted....why don't you bite
>>>>the bullet and do so? It'll brighten your horizon and you could pass on
>>>>your newly acquired knowledge to this and other newsgroups.
>>>
>>>Only a fool...
>>
>>
>> You just can't help yourself, can you.
>> Name calling does not hide your immaturity.
>>
>>
>>>...would claim that proper egress control has no place in network security.
>>
>>
>> Where precisely did I claim that?
>>
>>
>>>Even the experts at Microsoft advise users to protect their data with
>>>egress control.
>>
>>
>> Which 3rd party personal (so-called) firewall is MSFT recommending?
>> Where are links, URL's, publications?
>>
>>
>>>You, of course, also know better than the folks at Microsoft.
>>
>>
>> Your assumption is nothing but an assumption (you've got to replace that
>> crystal ball). And who in particular from MSFT are you referring to? I'd be
>> genuinely interested to read their write-ups. If you're referring to the
>> authors already mentioned in this thread, please point me to their
>> publication(s) which state that 3rd party personal (so-called) firewall is
>> an effective tool for controlling egress traffic.
>> It seems you either totally not understanding my point or deliberately
>> evading the issue!
>> MSFT knows exactly well that outbound application protection is an
>> illusion, which is why they don't offer such a (phony-baloney) thing.
>> Unlike you, they understand the nature of their operating system, and are
>> even honest enough to admit that outbound control is way too unreliable.
>> Even commercial enterprises like Sunbelt, makers of Kerio and Steve Gibson
>> of Gibson Research Corporation have finally conceded this fact!
>> Now don't change directions here and twist this straightforward post into a
>> convoluted psychedelic drivel.
>> John John (MVP), WHERE IS THE BEEF? SHOW US THE MONEY! PUT UP OR SHUT UP!
>
> You constantly shift the discussion from the value of proper egress
> filtering to software firewalls, even though I have said right from the
> start that egress filtering at the firewall can be foiled and that users
> should consider better methods. So get it in your thick skull, egress
> filtering at a perimeter appliance is a sound security measure, even the
> folks at Microsoft will tell you this:
> http://msdn.microsoft.com/en-us/library/aa302431.aspx
>
> Now maybe you should read what is says there and get a grip on yourself,
> you don't know all that there is to know about network security and data
> protection! Quite frankly you should not be one to speak of drivel, you
> spew enough of it yourself! If you are really too stupid to recognize
> the purpose and usefulness of egress traffic control then you are indeed
> lacking in the basics of network and data security!
>

This thread is about what the original heading suggests; It later graduated
to security issues in relation to 3rd party personal (so-called) firewalls.

I reiterate, this thread is about 3rd party personal (so-called)
firewall(s)! My posts and responses were composed accordingly!

If anybody is running around like a headless chicken it is you.

The sole purpose for snipping my posts so cleverly is to save your face; It
enables you to take my responses out of context which is a sorry attempt
for trying to re-establish your credibility!

After reading my posts in their *UNCUT* version, anybody with average
reading skills and moderate level of comprehension see through your 'game'.

John John (MVP), After you've wiped the tons of eggs from your face, I
suggest you never ever touch that subject again, change your name, sell
your house and migrate to Andorra or Lesotho then join a yacht club and
teach sailing.

I am done with you.