On 2/21/2003 Sygate posted a Security Response to vuln-dev in response to an advisory posted by Oliver Lavery (xenophi1e) <oliver.lavery at sympatico dot com>. When first responding to the advisory, it was believed that the vulnerability was reporting that the Sygate Personal Firewall process itself was vulnerable to evasion through the use of CreateRemoteThread(). Sygate Security Bulletin SS20030221-0001 described protections that are in place to prevent this type of evasion in the Sygate Personal Firewall Process itself.

After re-examining the vulnerability report and working with the reporter of this vulnerability, Oliver Lavery, it was determined that the report discussed the insertion of code into the address space of other applications. The vulnerability advisory highlights the issue that a firewall restricting network access on a per-application basis does not protect against many types of application behavior, particularly those relating to how the application interacts with the operating system.

Sygate Personal Firewall determines which applications are authorized to send and receive traffic based on MD5 hashes (also called fingerprints) of the executables, the .DLLs used by the application and the associated firewall rules. If a malicious program executes code within the address space of an authorized application, that traffic will be allowed by the personal firewall. The scope of the filtering technology within Sygate Personal Firewall does not include monitoring the address space of a given process. The restriction of system and API calls in third-party applications is currently outside of the scope of the network-based functionality of Sygate Personal Firewall.

Sygate Personal Firewall employs a variety of technologies to protect a computer, including trojan and network intrusion prevention to provide several layers of network-based protection.

Sygate is developing new technologies and will continue to work towards providing the most comprehensive security solutions for our customers.

Elisha Riedlinger
Product Manager
Sygate Technologies, Inc.
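
A minimal model of the fingerprint-based authorization described in the message above, added here as an illustration; it is not Sygate's code, and the class, file names and process record are hypothetical. It shows that a decision keyed only to on-disk MD5 hashes blocks a modified executable but returns the same verdict whether or not a thread in the process was started from outside it.

```python
import hashlib
import os
import tempfile


def md5_file(path):
    """MD5 of a file on disk (the hash named in the message)."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def fingerprint(exe, dlls):
    """Fingerprint of an application: hashes of its executable and its DLLs."""
    return frozenset(md5_file(p) for p in [exe, *dlls])


class PerAppFirewall:
    """Hypothetical per-application filter: rules are keyed by file fingerprint."""

    def __init__(self):
        self.rules = {}

    def authorize(self, exe, dlls):
        self.rules[fingerprint(exe, dlls)] = "allow"

    def decide(self, process):
        # The only inputs are the files backing the process image. Nothing
        # about the process's address space or threads is consulted.
        return self.rules.get(fingerprint(process["exe"], process["dlls"]), "block")


def demo():
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "browser.exe")   # constructed sample files
        dll = os.path.join(d, "netlib.dll")
        for path, data in ((exe, b"constructed exe image"), (dll, b"constructed dll image")):
            with open(path, "wb") as f:
                f.write(data)
        fw = PerAppFirewall()
        fw.authorize(exe, [dll])
        clean = {"exe": exe, "dlls": [dll], "threads": ["main"]}
        # Same files on disk; the extra thread exists only in memory.
        injected = dict(clean, threads=["main", "thread-created-by-other-process"])
        results = {"clean": fw.decide(clean), "injected": fw.decide(injected)}
        with open(exe, "ab") as f:             # on-disk change alters the MD5
            f.write(b"patched")
        results["tampered_on_disk"] = fw.decide(clean)
        return results


if __name__ == "__main__":
    print(demo())
```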