
Zone Alarm Device Driver vuln - ZoneLabs' Response



----- Original Message -----
From: "Corey Bridges" <cbridges@zonelabs.com>
To: <bugtraq@securityfocus.com>
Sent: Wednesday, August 06, 2003 6:27 PM
Subject: Re: [sec-labs] Zone Alarm Device Driver vulnerability


> In-Reply-To: <20030804214610.5a04e2e8.noreply@sec-labs.hack.pl>
>
> Following is the official Zone Labs response to this report by Lord YuP.
>
>
> Corey Bridges
> Chief Editor of E-Communities
> Zone Labs, Inc.
> (v) 415.341.8355
> (f) 415.341.8299
>
> ***
>
> Zone Labs response to Device Driver Attack
>
> OVERVIEW:  This vulnerability describes a way to send unauthorized
> commands to a Zone Labs device driver and potentially cause unexpected
> behavior. This proof-of-concept exploit represents a relatively low risk
> to Zone Labs users.  It is a "secondary" exploit that requires physical
> access to a machine or circumvention of other security measures included
> in Zone Labs consumer and enterprise products to exploit. We are working
> on a fix and will release it within 10 days.
>
> EXPLOIT: The demonstration code is a proof-of-concept example that
> describes a potential attack against the Zone Labs device driver that is
> part of the TrueVector client security engine. In the exploit, a malicious
> application sends unauthorized commands to this device driver. The author
> also claims that this could potentially compromise system security. While
> we have verified that unauthorized commands could be sent to the device
> driver, we have not been able to verify that this exploit can actually
> affect system security. The code sample published was intentionally
> incomplete, to prevent malicious hackers from using it.
>
> RISK: We believe that the immediate risk to users from this exploit is
> low, for several reasons: this is a secondary attack, not a primary
> vulnerability created or allowed by our product. Successful exploitation
> of this vulnerability would require bypassing several other layers of
> protection in our products, including the stealth firewall and/or MailSafe
> email protection. To our knowledge, there are no examples of malicious
> software exploiting this vulnerability. Further, the code sample was
> written specifically to attack ZoneAlarm 3.1, an older version of our
> software.
>
> SOLUTION: Security for our users is our first concern, and we take reports
> of this kind seriously. We will be updating our products to address this
> issue by further strengthening protection for our device driver and will
> make these updates available in the next 10 days. Registered users who
> have enabled the "Check for Update" feature in ZoneAlarm, ZoneAlarm Plus,
> or ZoneAlarm Pro are informed by the software automatically whenever a new
> software update is released. Zone Labs will provide guidance to Integrity
> administrators regarding updating their client software.
>
> CONTACT: Zone Labs customers who are concerned about the proof-of-concept
> Device Driver Attack or have additional technical questions may reach our
> Technical Support group at:
> http://www.zonelabs.com/store/content/support/support.jsp
>
> ACKNOWLEDGEMENTS: Zone Labs would like to thank Lord YuP for bringing this
> issue to our attention. However, we would prefer to be contacted at
> security@zonelabs.com prior to publication, in order to allow us to
> address any security issues up front.
>
>
