Results 1 to 7 of 7

Thread: ZoneAlarm possible vulnerability

  1. #1
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123

    ZoneAlarm possible vulnerability

    A new vulnerability has been discovered and slightly tested concerning the email protection in ZoneAlarm. Feel free to try this and comment on your findings.

    Some languages contain letters with roof characters (c - è, s - š, z -
    ž). If the name of e-mail attachment has any of these letters, it will allow any type of file attachment to bypass the firewall and bypass being quarantined. This will allow attackers to email .exe attachments without ZA picking it up and quarantineing it.

    Zone Labs has been notified but has not responded as of yet.



    Vulnerability originally discovered by Damjan Kreft.


    xmaddness
    Planet Maddness Industries
    http://www.planetmaddness.com

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Couple of questions:

    1. When did you notify them? (How long has it been since they haven't replied)

    2. Which ZoneAlarm product specifically does this affect as I don't recall the free version checking email.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    They were notified on or before April 14th by Damjan Kreft. He has not stated if he has been contacted concerning this.


    Versions have been said to be any version utilizing email protection.


    I myself have not tested this. I bring it to the community for anyone that wishes to test this and if found to be true, take furthurs actions to be sure they are protected properly.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    MsM,

    The free version does have "e-mail protection" but I believe that it looks for .vbs scripts only.

    I have also been hearing that several mail/spam filters fall for accented characters, I don't have any details, but I did clean out a hotel computer a few days ago and noticed that a lot of the "body parts enhancements" and "performance enhancing drugs" spams had those characters in them.

    It struck me as odd at the time but now it makes sense.

    Thanks for clearing that puzzle up for me.

    Cheers

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Spam filters are _definitely_ failing on accented characters..... They recently started using them a lot..... and they are coming through like no-one's business.... Waiting for my spam server to update..... My organizations shouldn't get any really so I can block them without really getting any false positives.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Senior Member
    Join Date
    Feb 2004
    Posts
    197
    wow did'nt know that ,deos that prevent my mcafee email virus scanning from detecting the worm or virus

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Disturb,

    This is a spam issue going by what I have seen? I believe that your anti virus software will still do its job, as it is not really looking at the header, it is looking at message bodies and attachments.

    AFAIK there is no virus that arrives in the message header.

    Spam filtering is usually based on the content (or lack of content) of the header. Up until this recent trend, this was quite adequate, and to scan the body or attachments would take too much additional resource?

    For example, if I filter for "viagra"...........an accent over the "i" or "a" makes it a different word, so it gets through.

    The problem is that some filters do not support accented characters, so you cannot add them to the filter. Also this has started recently, so admins who have filters that do support this have been caught unawares.

    It's a war I am afraid mate



    Cheers

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •