COMMAND

    ZoneAlarm

SYSTEMS AFFECTED

    WinNT, 9x

PROBLEM

    Andrew Daviel found the following.  ZoneAlarm by zonelabs.com can
    export possibly sensitive data if the "More Info" button is
    clicked from an alert.  ZoneAlarm is a personal dynamic firewall
    for Windows 9x/NT.  When a rule is triggered (typically an
    inbound connection to an unregistered or alarmed service) an
    alert box appears with a brief description of the event and a
    button labelled "More Info".  When this is clicked, a URL is
    passed to the user's Web browser, sending information to Zone
    Labs' server for a more detailed explanation.

    Currently (version 2.0.26) the information passed includes:

        - Source Address and Port
        - Destination Address and Port
        - Operating system version
        - Firewall version
        - Whether the connection was blocked
        - The lock status of the firewall

    All this information is sent in the clear as an HTTP GET request
    (port 80).  It could possibly be seen on the Internet in transit
    or in proxy logs, and may include information about machines on
    an internal network inside a corporate firewall.  The request
    itself could be blocked by ZoneAlarm, but it is likely that the
    setting for the Web browser would allow it to access the external
    network (Internet).

    It should be noted that BlackICE Defender, a competing product,
    does precisely the same thing if one clicks on the "AdvICE"
    button.  Since the attack information displayed by the program's
    graphical interface is quite brief (there's more in the log files,
    but only sophisticated users will know how to find and read them),
    users are strongly motivated to click the button.  BlackICE
    Defender version 1.8.2.6 does not send anything "sensitive" in
    nature.  They said that in version 1.96 they have fixed this so
    that logging is disabled by default.

SOLUTION

    It is fairly simple to edit the .EXE file to disable this feature,
    or to redirect it to a local server.