COMMAND
Zonealarm
SYSTEMS AFFECTED
WinNT, 9x
PROBLEM
Andrew Daviel found the following. ZoneAlarm by zonelabs.com can
export possibly sensitive data if the "More Info" button is
clicked from an alert. ZoneAlarm is a personal dynamic firewall
for Windows 9x/NT. When a rule is triggered (typically an
inbound connection to an unregistered or alarmed service) an
alert box appears with a brief description of the event and a
button labelled "More Info". When this is clicked a URL is
passed to the user's Web browser sending information to Zone
Labs' server for a more detailed explanation.
Currently (version 2.0.26) the information passed includes:
- Source Address and Port
- Destination Address and Port
- Operating system version
- Firewall version
- Whether the connection was blocked
- The lock status of the firewall
All this information is sent in the clear as an HTTP GET request
(port 80). It could possibly be seen on the Internet in transit
or in proxy logs, and may include information about machines on
an internal network inside a corporate firewall. The request
itself could be blocked by ZoneAlarm, but it is likely that the
setting for the Web browser would allow it to access the external
network (Internet).
It should be noted that BlackICE Defender, a competing product,
does precisely the same thing if one clicks on the "AdvICE"
button. Since the attack information displayed by the program's
graphical interface is quite brief (there's more in the log files,
but only sophisticated users will know how to find and read them),
users are strongly motivated to click the button. BlackICE
Defender version 1.8.2.6 does not send anything "sensitive" in
nature. They said that in version 1.96 they have fixed this so
that logging is disabled by default.
SOLUTION
It is fairly simple to edit the .EXE file to disable this feature,
or to redirect it to a local server.
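To check whether lookups of this kind are already leaving a network, proxy logs can be searched for outbound HTTP GET requests whose query strings carry internal (RFC 1918) addresses. The following is an added example, not part of the original advisory; the log format, host names and parameter names in the sample lines are constructed and do not reflect ZoneAlarm's actual URL format.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Constructed sample proxy log lines in the form "<client> <method> <url>".
# Host and parameter names are hypothetical, not ZoneAlarm's real URL format.
SAMPLE_LOG = """\
10.1.4.23 GET http://alerts.vendor.example/info?src=203.0.113.9&sport=4431&dst=10.1.4.23&dport=139&os=NT4
10.1.4.50 GET http://www.example.org/index.html?page=2
10.1.7.8 GET http://alerts.vendor.example/info?src=192.168.20.5:1034&dst=172.16.3.1:23&blocked=1
10.1.7.9 POST http://alerts.vendor.example/info?dst=10.9.9.9
10.1.7.9 GET http://www.example.org/v?ver=2.0.26
"""

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def internal_addr(value):
    """Return the address part of value if it is an RFC 1918 IPv4 address."""
    # Accept "a.b.c.d" and "a.b.c.d:port"; anything else is tried as-is.
    host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        return None  # not a dotted quad, e.g. "2.0.26", "139" or "NT4"
    return str(addr) if any(addr in net for net in RFC1918) else None

def find_leaks(log_text):
    """Yield (client, host, param, address) for cleartext GETs leaking internal IPs."""
    for line in log_text.splitlines():
        parts = line.split()
        # Only the case the advisory describes: HTTP GET with data in the URL.
        if len(parts) != 3 or parts[1] != "GET":
            continue
        client, _, url = parts
        u = urlsplit(url)
        if u.scheme != "http":
            continue
        for key, value in parse_qsl(u.query, keep_blank_values=True):
            addr = internal_addr(value)
            if addr:
                yield (client, u.hostname, key, addr)

if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_LOG):
        print("%s -> %s  %s=%s" % hit)
```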