----- Original Message -----
From: "Corey Bridges" <cbridges@zonelabs.com>
To: <bugtraq@securityfocus.com>
Sent: Wednesday, August 06, 2003 6:27 PM
Subject: Re: [sec-labs] Zone Alarm Device Driver vulnerability

> In-Reply-To: <20030804214610.5a04e2e8.noreply@sec-labs.hack.pl>
>
> Following is the official Zone Labs response to this report by Lord YuP.
>
>
> Corey Bridges
> Chief Editor of E-Communities
> Zone Labs, Inc.
> (v) 415.341.8355
> (f) 415.341.8299
>
> ***
>
> Zone Labs response to Device Driver Attack
>
> OVERVIEW: This vulnerability describes a way to send unauthorized
> commands to a Zone Labs device driver and potentially cause unexpected
> behavior. This proof-of-concept exploit represents a relatively low risk
> to Zone Labs users. It is a "secondary" exploit that requires physical
> access to a machine or circumvention of other security measures included
> in Zone Labs consumer and enterprise products to exploit. We are working
> on a fix and will release it within 10 days.
>
> EXPLOIT: The demonstration code is a proof-of-concept example that
> describes a potential attack against the Zone Labs device driver that is
> part of the TrueVector client security engine. In the exploit, a malicious
> application sends unauthorized commands to this device driver. The author
> also claims that this could potentially compromise system security. While
> we have verified that unauthorized commands could be sent to the device
> driver, we have not been able to verify that this exploit can actually
> affect system security. The code sample published was intentionally
> incomplete, to prevent malicious hackers from using it.
>
> RISK: We believe that the immediate risk to users from this exploit is
> low, for several reasons: this is a secondary attack, not a primary
> vulnerability created or allowed by our product. Successful exploitation
> of this vulnerability would require bypassing several other layers of
> protection in our products, including the stealth firewall and/or MailSafe
> email protection. To our knowledge, there are no examples of malicious
> software exploiting this vulnerability. Further, the code sample was
> written specifically to attack ZoneAlarm 3.1, an older version of our
> software.
>
> SOLUTION: Security for our users is our first concern, and we take reports
> of this kind seriously. We will be updating our products to address this
> issue by further strengthening protection for our device driver and will
> make these updates available in the next 10 days. Registered users who
> have enabled the "Check for Update" feature in ZoneAlarm, ZoneAlarm Plus,
> or ZoneAlarm Pro are informed by the software automatically whenever a new
> software update is released. Zone Labs will provide guidance to Integrity
> administrators regarding updating their client software.
>
> CONTACT: Zone Labs customers who are concerned about the proof-of-concept
> Device Driver Attack or have additional technical questions may reach our
> Technical Support group at:
> http://www.zonelabs.com/store/content/support/support.jsp
>
> ACKNOWLEDGEMENTS: Zone Labs would like to thank Lord YuP for bringing this
> issue to our attention. However, we would prefer to be contacted at
> security@zonelabs.com prior to publication, in order to allow us to
> address any security issues up front.