Bugtraq mailing list archives

Re: [sec-labs] Zone Alarm Device Driver vulnerability
From: Corey Bridges <cbridges () zonelabs com>
Date: 7 Aug 2003 02:27:41 -0000

In-Reply-To: <20030804214610.5a04e2e8.noreply () sec-labs hack pl>

Following is the official Zone Labs response to this report by Lord YuP. 

Corey Bridges
Chief Editor of E-Communities
Zone Labs, Inc.
(v) 415.341.8355 
(f) 415.341.8299 


Zone Labs response to Device Driver Attack

OVERVIEW:  This vulnerability describes a way to send unauthorized 
commands to a Zone Labs device driver and potentially cause unexpected 
behavior. This proof-of-concept exploit represents a relatively low risk 
to Zone Labs users.  It is a “secondary” exploit that requires physical 
access to a machine or circumvention of other security measures included 
in Zone Labs consumer and enterprise products to exploit. We are working 
on a fix and will release it within 10 days.

EXPLOIT: The demonstration code is a proof-of-concept example that 
describes a potential attack against the Zone Labs device driver that is 
part of the TrueVector client security engine. In the exploit, a malicious 
application sends unauthorized commands to this device driver. The author 
also claims that this could potentially compromise system security. While 
we have verified that unauthorized commands could be sent to the device 
driver, we have not been able to verify that this exploit can actually 
affect system security. The code sample published was intentionally 
incomplete, to prevent malicious hackers from using it. 

RISK: We believe that the immediate risk to users from this exploit is 
low, for several reasons: this is a secondary attack, not a primary 
vulnerability created or allowed by our product. Successful exploitation 
of this vulnerability would require bypassing several other layers of 
protection in our products, including the stealth firewall and/or MailSafe 
email protection. To our knowledge, there are no examples of malicious 
software exploiting this vulnerability. Further, the code sample was 
written specifically to attack ZoneAlarm 3.1, an older version of our 

SOLUTION: Security for our users is our first concern, and we take reports 
of this kind seriously. We will be updating our products to address this 
issue by further strengthening protection for our device driver and will 
make these updates available in the next 10 days. Registered users who 
have enabled the "Check for Update" feature in ZoneAlarm, ZoneAlarm Plus, 
or ZoneAlarm Pro are informed by the software automatically whenever a new 
software update is released. Zone Labs will provide guidance to Integrity 
administrators regarding updating their client software.

CONTACT: Zone Labs customers who are concerned about the proof-of-concept 
Device Driver Attack or have additional technical questions may reach our 
Technical Support group at: 

ACKNOWLEDGEMENTS: Zone Labs would like to thank Lord YuP for bringing this 
issue to our attention. However, we would prefer to be contacted at 
security () zonelabs com prior to publication, in order to allow us to 
address any security issues up front.
