Re: [sec-labs] Zone Alarm Device Driver vulnerability

From: Corey Bridges (cbridgesat_private)
Date: Wed Aug 06 2003 - 19:27:41 PDT


    
    In-Reply-To: <20030804214610.5a04e2e8.noreply@sec-labs.hack.pl>
    
    Following is the official Zone Labs response to this report by Lord YuP. 
    
    
    Corey Bridges
    Chief Editor of E-Communities
    Zone Labs, Inc.
    (v) 415.341.8355 
    (f) 415.341.8299 
    
    ***
    
    Zone Labs response to Device Driver Attack
    
    OVERVIEW:  This vulnerability describes a way to send unauthorized 
    commands to a Zone Labs device driver and potentially cause unexpected 
    behavior. This proof-of-concept exploit represents a relatively low risk 
    to Zone Labs users.  It is a “secondary” exploit that requires physical 
    access to a machine or circumvention of other security measures included 
    in Zone Labs consumer and enterprise products to exploit. We are working 
    on a fix and will release it within 10 days.
    
    EXPLOIT: The demonstration code is a proof-of-concept example that 
    describes a potential attack against the Zone Labs device driver that is 
    part of the TrueVector client security engine. In the exploit, a malicious 
    application sends unauthorized commands to this device driver. The author 
    also claims that this could potentially compromise system security. While 
    we have verified that unauthorized commands could be sent to the device 
    driver, we have not been able to verify that this exploit can actually 
    affect system security. The code sample published was intentionally 
    incomplete, to prevent malicious hackers from using it. 
    
    RISK: We believe that the immediate risk to users from this exploit is 
    low, for several reasons: this is a secondary attack, not a primary 
    vulnerability created or allowed by our product. Successful exploitation 
    of this vulnerability would require bypassing several other layers of 
    protection in our products, including the stealth firewall and/or MailSafe 
    email protection. To our knowledge, there are no examples of malicious 
    software exploiting this vulnerability. Further, the code sample was 
    written specifically to attack ZoneAlarm 3.1, an older version of our 
    software. 
    
    SOLUTION: Security for our users is our first concern, and we take reports 
    of this kind seriously. We will be updating our products to address this 
    issue by further strengthening protection for our device driver and will 
    make these updates available in the next 10 days. Registered users who 
    have enabled the "Check for Update" feature in ZoneAlarm, ZoneAlarm Plus, 
    or ZoneAlarm Pro are informed by the software automatically whenever a new 
    software update is released. Zone Labs will provide guidance to Integrity 
    administrators regarding updating their client software.
    
    CONTACT: Zone Labs customers who are concerned about the proof-of-concept 
    Device Driver Attack or have additional technical questions may reach our 
    Technical Support group at: 
    http://www.zonelabs.com/store/content/support/support.jsp
    
    ACKNOWLEDGEMENTS: Zone Labs would like to thank Lord YuP for bringing this 
    issue to our attention. However, we would prefer to be contacted at 
    securityat_private prior to publication, in order to allow us to 
    address any security issues up front.
    



    This archive was generated by hypermail 2b30 : Thu Aug 07 2003 - 14:20:49 PDT