MS Security Patch Blocks Net Access For ZoneAlarm Users

An anonymous reader writes "Users of Check Point ZoneAlarm security products, including the extremely popular, free-of-charge software firewall, have discovered that a Microsoft security update released on Tuesday has blocked their internet access. The firewall manufacturer is 'investigating the issue,' and so far the workaround seems to be to uninstall the recent DNS spoofing vulnerability fix MS08-037 (KB951748), and not reinstall it until Microsoft or Check Point have come up with updated versions of their products."

other workaround

[TheSHAD0W]

Set Zonealarm's security level to "medium".

Re:And this is a bad thing how?

[Floritard]

So the headline should have read:

"MS Security Patch perfects ZoneAlarm firewall"

In all Fairness to Microsoft

[docstrange]

This patch was not designed to patch a Microsoft flaw, but instead a vulnerability in nearly all implementations of DNS. So far over 100 vendors have patched their products and coordinated the release of this workaround. If zone alarm is broken because of this change they need to adjust their product to work with this change, not the other way around.

I've taken this snippet from: http://isc.sans.org/diary.html?storyid=4687 which explains things in a little more detail. Full details won't be disclosed until Blackhat in vegas this August.

The root cause is a fundamental, well known, weakness in the DNS protocol. DNS uses UDP, a stateless protocol. A DNS server will send a request in a single UDP packet, then wait for a response to come back. In order to match request and response, a number of parameters are checked:

who sent the response? Was it the DNS server we sent the request to?
for this particular response, do we have an outstanding request?
each request uses a unique and random query ID. The response has to use the same query ID.
The response has to be sent to the same port from which the request was sent.
Only if all this matches, the response is accepted. The first valid response wins. If an attacker is able to guess the query id and the source port, the attacker is able to send a fake response, which will be cached by the DNS server.

Re:And this is a bad thing how?

[SQLGuru]

You make the immediate assumption that it was a problem with the MS Patch. I'll wait until the final news release about the subject, in case it's an issue with Zone Alarm. Why is Zone Alarm the only firewall with this problem (so far)? Is Zone Alarm firewall released as open source? Free != Open Source. Your same argument against MS can just as easily be applied to Check Point.

Layne

Software FW..sigh, hold bridge of nose, shake head

[GlL]

Ahh the great security blanket called the software firewall. I like to use the following analogy in regards to them. Having a software firewall on your computer is like having a security guard in your bathroom. If something gets to the guard it's too late, your network is already compromised.

I work for an ISP in Tacoma WA, and Software firewalls cause many more problems then they solve. I don't care which company makes it.

If you are really concerned about security then you will have a dedicated hardware firewall. These are inexpensive and common, even built into most SOHO routers.

So I know there will probably be flames, but if you write software firewalls, remember that the overwhelming majority of people who use them don't usually know they have one, and just ignore those little messages and click allow on everything until they actually read something and say "msimn.exe, what's that? I'm gonna block it!" And then they call me because their e-mail doesn't work.

One program breaks and it's an M$ issue? Nah.

[Behrooz]

...or instead of complaining to Microsoft, you can disable ZoneAlarm and enjoy having your connection work again. Cheap firewalls failing to perform exactly how you'd like them to is an old, old story.

Given the ridiculous profusion of budget 'security' software swarming around, it hardly seems fair to lay the blame on M$ when ZoneAlarm is the only program that this patch appears to conflict with.

Of course, if ZoneAlarm wasn't proprietary, we could go see where they screwed up. Maybe you should go harass them for being closed-source instead?