Re: [sec-labs] Zone Alarm Device Driver vulnerability
From: Corey Bridges <cbridges () zonelabs com>
Date: 7 Aug 2003 02:27:41 -0000
In-Reply-To: <20030804214610.5a04e2e8.noreply () sec-labs hack pl>

Following is the official Zone Labs response to this report by Lord YuP.

Chief Editor of E-Communities
Zone Labs, Inc.

Zone Labs response to Device Driver Attack

OVERVIEW: This vulnerability describes a way to send unauthorized
commands to a Zone Labs device driver and potentially cause unexpected
behavior. This proof-of-concept exploit represents a relatively low risk
to Zone Labs users. It is a secondary exploit that requires physical
access to a machine or circumvention of other security measures included
in Zone Labs consumer and enterprise products to exploit. We are working
on a fix and will release it within 10 days.

EXPLOIT: The demonstration code is a proof-of-concept example that
describes a potential attack against the Zone Labs device driver that is
part of the TrueVector client security engine. In the exploit, a malicious
application sends unauthorized commands to this device driver. The author
also claims that this could potentially compromise system security. While
we have verified that unauthorized commands could be sent to the device
driver, we have not been able to verify that this exploit can actually
affect system security. The code sample published was intentionally
incomplete, to prevent malicious hackers from using it.

RISK: We believe that the immediate risk to users from this exploit is
low, for several reasons: this is a secondary attack, not a primary
vulnerability created or allowed by our product. Successful exploitation
of this vulnerability would require bypassing several other layers of
protection in our products, including the stealth firewall and/or MailSafe
email protection. To our knowledge, there are no examples of malicious
software exploiting this vulnerability. Further, the code sample was
written specifically to attack ZoneAlarm 3.1, an older version of our

SOLUTION: Security for our users is our first concern, and we take reports
of this kind seriously. We will be updating our products to address this
issue by further strengthening protection for our device driver and will
make these updates available in the next 10 days. Registered users who
have enabled the "Check for Update" feature in ZoneAlarm, ZoneAlarm Plus,
or ZoneAlarm Pro are informed by the software automatically whenever a new
software update is released. Zone Labs will provide guidance to Integrity
administrators regarding updating their client software.

CONTACT: Zone Labs customers who are concerned about the proof-of-concept
Device Driver Attack or have additional technical questions may reach our
Technical Support group at:

ACKNOWLEDGEMENTS: Zone Labs would like to thank Lord YuP for bringing this
issue to our attention. However, we would prefer to be contacted at
security () zonelabs com prior to publication, in order to allow us to
address any security issues up front.