Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Zonealarm exports sensitive data
From: slayer67 () APK NET (Dino Amato)
Date: Wed, 1 Mar 2000 07:15:50 -0500


in version 1.96 they have fixed this they said so that loggin is disabled by
default.
Fromrelease notes.

RELEASE 1.9.6 (this release)

. Issue:  ICEcap reporting can be inadvertently turned on without user
  user knowledge.

  Resolution:  Fixed.  ICEcap reporting has been disabled on this
  release.  The entries inadvertently added in blackice.ini are
  automatically removed by this version of BlackICE.

----- Original Message -----
From: Lampe, John W. <JWLAMPE () GAPAC COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Monday, February 28, 2000 1:30 PM
Subject: Re: Zonealarm exports sensitive data

Actually blackICE defender version 1.8.2.6 does not send anything
"sensitive" in nature.  What I captured was such:
1) 3 way handshake
2) GET <A 
HREF="http://advice.networkice.com/advice/Intrusions/<number">http://advice.networkice.com/advice/Intrusions/<number</A>>
3) Error 302 ("Object Moved")
    Location: <same as above but add "/" after <number>  >
4) GET <A 
HREF="http://advice.networkice.com/advice/Intrusions/<number">http://advice.networkice.com/advice/Intrusions/<number</A>>/
5) page is sent.

Can you tell me which version you're running?

John Lampe

----------
From: Brett Glass[SMTP:brett () LARIAT ORG]
Reply To: Brett Glass
Sent: Friday, February 25, 2000 8:17 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Zonealarm exports sensitive data

It should be noted that BlackICE Defender, a competitive product,
does precisely the same thing if one clicks on the "AdvICE" button.
Since the attack information displayed by the program's graphical
interface is quite brief (there's more in the log files, but
only sophisticated users will know how to find and read them),
users are strongly motivated to click the button.

I do not know whether the URLs sent by either product are being
used to gather statistics on the frequency of attacks or as a
means of piracy detection. They certainly could be, if the vendors
had a mind to do so.

--Brett Glass

At 12:40 AM 2/25/2000 , Andrew Daviel wrote:

ZoneAlarm by zonelabs.com can export possibly sensitive data if
the "More Info" button is clicked from an alert.

ZoneAlarm is a personal dynamic firewall for Windows 9x/NT.
When a rule is triggered (typically an inbound connection to
an unregistered or alarmed service) an alert box appears with a brief
description of the event and a button labelled "More Info". When this
is clicked a URL is passed to the user's Web browser sending information
to Zone Labs' server for more detailed explanation.

Currently (version 2.0.26) the information passed includes:
Source Address and Port
Destination Address and Port
Operating system version
Firewall version
Whether the connection was blocked
The lock status of the firewall

All this information is sent in clear as an HTTP GET request (port 80).

It could possibly be seen on the Internet in transit or in proxy logs,
and
may include information about machines on an internal network inside a
corporate firewall. The request itself could be blocked by ZoneAlarm, but
it is likely that the setting for the Web browser would allow it to
access
the external network (Internet).

It is fairly simple to edit the .EXE file to disable this feature, or
to redirect it to a local server.

(IMO the benefits from using the product outweigh the risks of this data
leak....)

Andrew Daviel
Vancouver Webpages etc.



Thanks,

John Lampe



  By Date           By Thread  

Current thread:
  • Re: Zonealarm exports sensitive data Dino Amato (Mar 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]