
Thread: Microsoft 'fix' cripples ZoneAlarm users.

  1. #1
    t34b4g5 (Senior Member)
    Join Date: Sep 2003
    Location: Australia.
    Posts: 2,391

    Microsoft 'fix' cripples ZoneAlarm users.

    http://www.vnunet.com/vnunet/news/22...-fix-kills-web

    Hundreds of thousands of ZoneAlarm firewall users have been locked out of the internet by Microsoft's latest round of software updates.

    Microsoft released four 'important' fixes as part of its regular Patch Tuesday update, one of which left ZoneAlarm users without web access.

    The MS08-037 fix is designed to plug a vulnerability in Windows' implementations of the Domain Name System protocol, but has been responsible for "compatibility issues" with ZoneAlarm.

    A spokesman for ZoneLabs, the Check Point subsidiary which manufactures ZoneAlarm, told vnunet.com that the company became aware of the problem late last night when US users began downloading the Microsoft code.

    ZoneLabs advises users of ZoneAlarm to remove the Microsoft update as a workaround until it has created a more satisfactory solution to the problem. The company has set up a forum to help keep users informed.

    The forum moderator states: "We are investigating the issue with the Microsoft update KB951748. For the time being we suggest you uninstall KB951748 until the issue has been resolved. We will post when we have more information."

    Some users of the firm's forums have discovered that downgrading the firewall's security from High to Medium for the internet fixes the problem, but this is not advised by ZoneLabs.

    A user by the name of 'PokeyCA' wrote: "By now, everyone who is using ZA, knows that Microsoft's update KB951748 broke ZA.

    "The reason that it broke ZA is that Microsoft had to expand the randomness that the DNS client uses when asking for UDP ports to go to DNS servers.

    "ZA only looks for these requests in a certain range of UDP ports, but with the new DNS client (note that IE has not changed, but some of the base networking programs (svchost.exe)), ZA sees requests outside of this range and blocks them. Therefore, Internet is broken.

    "Unfortunately, Microsoft didn't tell firewall manufacturers (hardware and software) that they were updating this."
    I love this little statement.
    For the time being we suggest you uninstall KB951748 until the issue has been resolved
    Or maybe just un-install winblows and install Debian. lol

  2. #2
    t34b4g5 (Senior Member)
    Join Date: Sep 2003
    Location: Australia.
    Posts: 2,391

    Workaround to Sudden Loss of Internet Access Problem.

    http://download.zonealarm.com/bin/fr...cessIssue.html

    Date Last Revised : 9 July 2008

    Overview : Microsoft Update KB951748 is known to cause loss of internet access for ZoneAlarm users on Windows XP/2000. Windows Vista users are not affected.

    Impact : Sudden loss of internet access

    Platforms Affected : ZoneAlarm Free, ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Anti-Spyware, and ZoneAlarm Security Suite

    Recommended Actions -

    Download and install latest versions here:
    # ZoneAlarm Internet Security Suite
    # Come back here for other product versions to be released soon - or follow the directions below.

    Option 1: Move Internet Zone slider to Medium

    1. Navigate to the "ZoneAlarm Firewall" panel
    2. Click on the "Firewall" tab
    3. Move the "Internet Zone" slider to medium

    Option 2: Uninstall the hotfix

    1. Click the "Start Menu"
    2. Click "Control Panel", or click "Settings" then "Control Panel"
    3. Click on "Add or Remove Programs"
    4. On the top of the add/remove programs dialog box, you should see a checkbox that says "show updates". Select this checkbox
    5. Scroll down until you see "Security update for Windows (KB951748)"
    6. Click "Remove" to uninstall the hotfix

  3. #3
    Quote Originally Posted by t34b4g5
    http://www.vnunet.com/vnunet/news/22...-fix-kills-web



    I love this little statement.


    Or maybe just un-install winblows and install Debian. lol
    Debian had to fix the same hole, smartass

  4. #4
    t34b4g5 (Senior Member)
    Join Date: Sep 2003
    Location: Australia.
    Posts: 2,391


    Debian had to fix the same hole, smartass
    Well it hasn't affected my Debian machine, nor my laptop running Debian,
    nor numerous Debian workstations where I work either.

    And I haven't heard of other Debian users experiencing the problem either....

  5. #5
    AOs Resident Troll
    Join Date: Nov 2003
    Posts: 3,152
    and you run zone alarm on that debian machine????

    oh that's right...no need

    only winblows is vulnerable to worms, trojans, and malware attacks

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    nihil (Senior Member)
    Join Date: Jul 2003
    Location: United Kingdom: Bridlington
    Posts: 17,188
    Firstly, if you follow t34b4g5's link above you will find that the page has been updated with fixes for all the other ZA products.

    If you look more closely you will see that the real issue is one of third party vendors interfacing with proprietary closed source operating systems. With Windows 2000 and XP, Microsoft did not encourage third parties to hook to the Windows kernel, so there were no guidelines or documentation.

    Vendors just "did their own thing" and it so happens that ZA's method fell foul of Microsoft's method of fixing the DNS hole. In fact, what happened was that ZA saw Windows doing strange things and blocked the internet connection accordingly. So, it was ZA's product that caused the issue... you might even describe it as "the mother of all false positives".

    Kernel hooking for Vista is documented, which is why there were no problems with that OS.

    EDIT:

    I have now tested the new ZA version with Microsoft's KB951748 installed on both Windows XP SP3 and 2000 SP4 and everything works just fine

    @ MLF

    Debian is vulnerable, according to CERT:

    http://www.kb.cert.org/vuls/id/MIMG-7ECL6S
    Last edited by nihil; July 10th, 2008 at 03:52 PM.

  7. #7
    Banned
    Join Date: Jan 2008
    Posts: 605
    Let me guess, your VCR wasn't playing dvds correctly... so you decided to install Debian.

  8. #8
    In fact, what happened was that ZA saw Windows doing strange things and blocked the internet connection accordingly.
    Wait, so ZA is marking Windows as untrusted?

    It's been a while since I toyed with ZA (not exactly a fan of it), but couldn't you just go tweak settings to trust connections coming from Windows/that patch/whatever?

  9. #9
    nihil (Senior Member)
    Join Date: Jul 2003
    Location: United Kingdom: Bridlington
    Posts: 17,188
    AK,

    Wait, so ZA is marking Windows as untrusted?
    ZA is working at the kernel (lowest) level here so I don't suppose it even knows, or cares if it is Windows. It spots unauthorised traffic and blocks the internet. I would guess that these rules are effectively hardcoded into the ZA engine.

    but couldn't you just go tweak settings to trust connections coming from Windows/that patch/whatever?
    Not really, you are talking more at the user level there. What the patch did was change the way that Windows worked, from that which ZA had been programmed to expect. This is outside of (below the level of) user control.

    Another problem is that with ZA and similar products, you actually authorise applications. You can authorise internet explorer, but not the operating system that it is running on.
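
The failure mode discussed in this thread (a firewall rule tied to the source-port window the DNS client used to use, versus one that tracks each query and its reply) can be modelled as follows. This is an added illustration, not part of any post and not ZoneAlarm's or Microsoft's code; the port ranges, addresses and rule logic are assumptions chosen for the demonstration, since the thread gives no real values.

```python
import random

# Assumption: source-port window the firewall was built to expect from the DNS
# client. The thread gives no real ZoneAlarm values; these are illustrative.
EXPECTED_PORTS = range(1025, 5001)
# Assumption: wider pool the patched resolver draws from (illustrative).
PATCHED_PORTS = range(1025, 65536)
CLIENT, RESOLVER = "192.0.2.10", "192.0.2.53"  # documentation addresses

def make_queries(port_pool, n, seed):
    """Constructed outbound DNS queries with source ports drawn from port_pool."""
    rng = random.Random(seed)
    return [{"proto": "udp", "src": CLIENT, "sport": rng.choice(port_pool),
             "dst": RESOLVER, "dport": 53} for _ in range(n)]

def hardcoded_rule(pkt):
    """Brittle rule: DNS is allowed only from the expected source-port window."""
    return (pkt["proto"] == "udp" and pkt["dport"] == 53
            and pkt["sport"] in EXPECTED_PORTS)

class StatefulRule:
    """Source-port agnostic: allow queries to port 53, admit only matching replies."""
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        if pkt["proto"] != "udp" or pkt["dport"] != 53:
            return False
        self.flows.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return True

    def inbound(self, pkt):
        # A reply is accepted once, and only if it mirrors a tracked query.
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.flows:
            self.flows.remove(key)
            return True
        return False

def blocked_fraction(allow, queries):
    """Share of queries a rule function rejects."""
    return sum(not allow(q) for q in queries) / len(queries)

if __name__ == "__main__":
    before = make_queries(EXPECTED_PORTS, 1000, seed=1)
    after = make_queries(PATCHED_PORTS, 1000, seed=1)
    print("hardcoded rule, unpatched client:", blocked_fraction(hardcoded_rule, before))
    print("hardcoded rule, patched client:  ", blocked_fraction(hardcoded_rule, after))
    print("stateful rule, patched client:   ", blocked_fraction(StatefulRule().outbound, after))
```

With these assumed ranges the hardcoded rule passes every query from the unpatched client and rejects most queries once the source port is randomised, while the stateful rule is unaffected and still refuses replies that match no outstanding query.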
