[ISN] Personal Firewalls Spring Security Leaks - Update

From: InfoSec News (isnat_private)
Date: Thu Nov 08 2001 - 04:13:08 PST

    By Brian McWilliams, Newsbytes
    07 Nov 2001, 12:08 PM CST

    Software firewalls deployed by millions of PC users offer only
    "illusory" protection against Trojan horses and other malicious
    programs, security experts warned today.

    Techniques for defeating the outbound data filters in popular personal
    firewalls such as Zone Alarm and Norton Personal Firewall have been
    independently posted on the Web by several researchers. Using the
    methods described, a rogue program could upload private user data
    without being detected by the firewall, the experts claim.

    To evade a firewall's guards against unauthorized data leaks, the new
    techniques include commandeering a legitimate program such as
    Microsoft's Internet Explorer and forcing it to send out data on
    behalf of the attacker.

    "If a firewall is going to allow some program to transmit and receive
    data over the Internet, and that program allows other programs to
    control its actions, then there's no point in blocking anything at
    all," wrote Bob Sundling in text accompanying the source code of
    TooLeaky, a firewall test program he developed to demonstrate the

    FireHole, a similar testing tool, also has been made available on the
    Web by its author, Robin Keir, lead network security programmer with
    Foundstone, a computer security consulting firm. Both TooLeaky and
    FireHole sneak past personal firewalls and upload harmless test data
    to an external site.

    According to Gregor Freund, chief operating officer for Zone Labs,
    FireHole exploits a known security flaw in Windows referred to as
    SetWindowsHookEx, which allows an application to insert code into
    another program.

    Freund said that Zone Labs will release an update to Zone Alarm next
    week that will provide limited protection against the bug on Windows
    NT, 2000, and XP systems. A more complete fix will be incorporated in
    the next full release of Zone Alarm, version 3.0, which is due in

    Freund said users can easily defeat the technique used by TooLeaky by
    configuring Zone Alarm to require Internet Explorer to ask permission
    every time it accesses the Internet.

    Keir told Newsbytes that other techniques are likely to be discovered
    for defeating outbound filtering, and that the development suggests
    that blocking leaks is "a race the firewall makers will never win."

    Nonetheless, Keir said he still believes personal firewalls are
    valuable for their ability to block incoming attacks.

    A third firewall test utility, YALTA, creates a virtual device driver
    that sends data to any Internet address without being detected by
    firewalls, according to a description of the program, which stands for
    Yet Another Leak Test Application.

    The new firewall testing utilities represent a second generation of
    such programs, building upon a tool developed by Gibson Research Corp.

    After GRC president Steve Gibson released LeakTest a year ago to
    highlight what he called "internal extrusion" flaws in personal
    firewalls, many vendors made changes to improve the outbound filtering
    techniques used in their firewall products.

    Product manager Tom Powledge told Newsbytes that Symantec was studying
    the new firewall bypass techniques and would likely revise Norton
    Personal Firewall to defend against them. But Powledge noted that
    computer users require anti-virus software and safe computing
    practices to prevent rogue programs from establishing a beachhead.

    "Once a hacker has code running on your computer, they have a
    tremendous amount of power. We've always said that effective Internet
    security is a combination of tactics," said Powledge.

    The firewall leak discoveries come the same week as an independent
    testing agency announced the results of its first certification tests
    of personal firewalls. ICSA Labs said three products passed its
    battery of tests, which included "restriction of outgoing network

    All three of the ICSA certified products, Zone Alarm, Norton Personal
    Firewall, and Tiny Software's Tiny Personal Firewall, can be defeated
    by the new outbound attacks in some circumstances, according to the
    authors of TooLeaky and FireHole. An ICSA representative said the firm
    was still testing the new tools and had no immediate comment.

    More information on FireHole is at http://keir.net/firehole.html .
    The TooLeaky home page is at http://tooleaky.zensoft.com .
    YALTA is available at
    http://www.soft4ever.com/security_test/En/index.htm .
    Gibson's LeakTest site is at http://grc.com/su-leaktest.htm .
    ICSA's Personal Firewall certification page is at