Slashdot Mirror
MS Security Patch Blocks Net Access For ZoneAlarm Users
An anonymous reader writes "Users of Check Point ZoneAlarm security products, including the extremely popular, free-of-charge software firewall, have discovered that a Microsoft security update released on Tuesday has blocked their internet access. The firewall manufacturer is 'investigating the issue,' and so far the workaround seems to be to uninstall the recent DNS spoofing vulnerability fix MS08-037 (KB951748), and not reinstall it until Microsoft or Check Point have come up with updated versions of their products."
Set Zonealarm's security level to "medium".
This patch was not designed to patch a Microsoft flaw, but instead a vulnerability in nearly all implementations of DNS. So far over 100 vendors have patched their products and coordinated the release of this workaround. If zone alarm is broken because of this change they need to adjust their product to work with this change, not the other way around.
I've taken this snippet from: http://isc.sans.org/diary.html?storyid=4687 which explains things in a little more detail. Full details won't be disclosed until Blackhat in vegas this August.
The root cause is a fundamental, well known, weakness in the DNS protocol. DNS uses UDP, a stateless protocol. A DNS server will send a request in a single UDP packet, then wait for a response to come back. In order to match request and response, a number of parameters are checked:
who sent the response? Was it the DNS server we sent the request to?
for this particular response, do we have an outstanding request?
each request uses a unique and random query ID. The response has to use the same query ID.
The response has to be sent to the same port from which the request was sent.
Only if all this matches, the response is accepted. The first valid response wins. If an attacker is able to guess the query id and the source port, the attacker is able to send a fake response, which will be cached by the DNS server.
Remember that you are unique, just like everybody else.
You make the immediate assumption that it was a problem with the MS Patch. I'll wait until the final news release about the subject, in case it's an issue with Zone Alarm. Why is Zone Alarm the only firewall with this problem (so far)? Is Zone Alarm firewall released as open source? Free != Open Source. Your same argument against MS can just as easily be applied to Check Point.
Layne
We have a Cisco ASA at work for a large enterprise and about 2 hours after I applied the patch to our DNS servers running BIND, they the ASA device blackholed the DNS servers. Wasn't a fun day really.
Ahh the great security blanket called the software firewall. I like to use the following analogy in regards to them. Having a software firewall on your computer is like having a security guard in your bathroom. If something gets to the guard it's too late, your network is already compromised.
I work for an ISP in Tacoma WA, and Software firewalls cause many more problems then they solve. I don't care which company makes it.
If you are really concerned about security then you will have a dedicated hardware firewall. These are inexpensive and common, even built into most SOHO routers.
So I know there will probably be flames, but if you write software firewalls, remember that the overwhelming majority of people who use them don't usually know they have one, and just ignore those little messages and click allow on everything until they actually read something and say "msimn.exe, what's that? I'm gonna block it!" And then they call me because their e-mail doesn't work.
I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
Don't worry. Removing the patch was easy once I knew that was what needed to be done. Just go to Add/Remove Programs, check the box for "Show updates", scroll down to KB951748, click the Remove button, and reboot (again).
It's bad if an *outbound* software firewall is your ONLY form of defence. But it is an INBOUND firewall too and it does a damn good job of that, considering. I've had people back in the dial-up / USB broadband modem days who used it exclusively as a defence and there were no problems at all. They frequently got attack probes aimed at them and they all bounced off harmlessly. For five minutes work and a free download, it's much better value for money than trying to put a hardware firewall into computer novice's homes, with their 56k's and Speedtouch's.
But its main use is to turn off things that ask for the Internet that cannot be otherwise turned off, and does so without requiring TCP port rules etc. It also alerts even the knowledgeable user to strange Internet requests ("Opera is acting as a server"... is it? Why? Oh, I've hit an IRC address and it's trying to act as an IDENT server). If I could afford it, I'd put it on every Windows PC in the schools I work in (if I could move them off Windows, I would do that too) - it has an especially nice, centrally-configured network version so you can stop ANY program on ANY client that does happen to get executed from accessing the network/Internet unless it's on your whitelist - perfect for stopping a virus outbreak in its tracks.
Most importantly, however, it's fantastic as a basic Windows firewall for places where YOU CAN'T GET HARDWARE FIREWALLS. Say you have a wireless laptop that connects through your home network (a not-unusual scenario). The laptop is protected against Internet-based attacks but not against local wireless-based ones. So you either have to 1) rely on your wireless to be perfectly secure for the course of its life (WEP should have taught you that that is a silly thing to do), 2) Provide a hardware firewall on the laptop itself (means carrying another gadget like that USB stick that is a Linux firewall), 3) Using a VPN (which means forcing its use for everything Windows tries to transmit) or 4) using a software firewall. Zonealarm happens to be great at 3 AND 4.
For example, I have the following setup:
Windows laptop with wireless
Wireless access point
PC in the house with wireless card and OpenVPN
Internal network
Broadband connection
Everything past the Windows laptop is Linux and locked down (and I have Linux on a laptop to that connects in the same way). In my case, I use Zonealarm on the Windows laptop to MAKE SURE that nothing gets out across the (secured with WPA2) wireless connection except OpenVPN packets. This FORCES Windows to use OpenVPN (which it likes to avoid whenever possible, i.e. I plug another Ethernet interface into it and it changes routes etc.) for everything. I have an "insecure" network running behind the LAN but the only transit across it is via a secured VPN.
Without Zonealarm, you get hundreds of DNS, Samba, etc. requests coming out of the laptop, flying across the wireless, affecting speed, bandwidth and (potentially) security of the network. With a decent software firewall on Windows (or a decent TCP outbound firewall on Linux), I'm able to make sure that NOTHING but OpenVPN can talk to the wireless network - I could even turn off the wireless points encryption (or it be compromised, or obsoleted, or removed for incompatibility/speed/bandwidth/latency reasons) and it wouldn't matter because nothing but OpenVPN can talk out.
Without ZoneAlarm, Windows is VERY chatty on any external network, plus it's difficult (but not impossible) to make it use only ONE route (your OpenVPN tunnel) out of many possible routes without something like ZoneAlarm, especially if things change often (e.g. you put a second wireless card in, or plug in an Ethernet card etc.). I also found that Windows Firewall was absolutely useless for this, and presented problems using OpenVPN in the particular mode I wanted it to (UDP I think, but it's been a while since I've had to touch any config files for that).
With Windows Firewall, OpenVPN connections died before they could complete
ZoneAlarm have released an update to fix this. Check out there technical support page http://www.zonealarm.com/store/content/support/techSupport.jsp