Sygate Security Bulletin SS20030221-0001

From: Elisha Riedlinger (elisha.riedlingerat_private)
Date: Mon Mar 03 2003 - 14:15:55 PST


    On 2/21/2003 Sygate posted a Security Response to vuln-dev in response to an
    advisory posted by Oliver Lavery (xenophi1e) <oliver.lavery at sympatico dot
    com>.
    
    When first responding to the advisory, it was believed that the
    vulnerability was reporting that the Sygate Personal Firewall process itself
    was vulnerable to evasion through the use of CreateRemoteThread(). Sygate
    Security Bulletin SS20030221-0001 described protections that are in place to
    prevent this type of evasion in the Sygate Personal Firewall Process itself.
    After re-examining the vulnerability report and working with the reporter of
    this vulnerability, Oliver Lavery, it was determined that the report
    discussed the insertion of code into the address space of other
    applications. 
    
    The vulnerability advisory highlights the issue that a firewall restricting
    network access on a per-application basis does not protect against many
    types of application behavior, particularly those relating to how the
    application interacts with the operating system.  Sygate Personal Firewall
    determines which applications are authorized to send and receive traffic
    based on MD5 hashes (also called fingerprints) of the executables, the .DLLs
    used by the application and the associated firewall rules. If a malicious
    program executes code within the address space of an authorized application,
    that traffic will be allowed by the personal firewall.
    
    The scope of the filtering technology within Sygate Personal Firewall does
    not include monitoring the address space of a given process.  The
    restriction of system and API calls in third-party applications is currently
    outside of the scope of the network-based functionality of Sygate Personal
    Firewall.
    
    Sygate Personal Firewall employs a variety of technologies to protect a
    computer, including trojan and network intrusion prevention, to provide
    several layers of network-based protection.  Sygate is developing new
    technologies and will continue to work towards providing the most
    comprehensive security solutions for our customers.
    
    Elisha Riedlinger
    Product Manager
    Sygate Technologies, Inc.
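
The following is an added example, not part of the original bulletin and not Sygate's code: a simplified Python model of the per-application fingerprint check the bulletin describes, showing which changes the check can and cannot see. The class names, file names and file contents are constructed for illustration; the product's real rule format is not given on the page.

```python
import hashlib
from dataclasses import dataclass


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


@dataclass
class Process:
    """Constructed model of a running process (hypothetical, for illustration)."""
    exe: str
    dlls: tuple                 # modules mapped from files on disk
    memory_only: bytes = b""    # code present only in the address space


class FingerprintPolicy:
    """Allows traffic when the executable and its DLLs match stored MD5s."""

    def __init__(self, disk: dict):
        self.disk = disk        # path -> file bytes; stands in for the filesystem
        self.rules = {}         # exe path -> {file path: md5}

    def authorize(self, proc: Process) -> None:
        self.rules[proc.exe] = {p: md5_hex(self.disk[p]) for p in (proc.exe, *proc.dlls)}

    def decide(self, proc: Process) -> str:
        known = self.rules.get(proc.exe)
        if known is None:
            return "block: unknown application"
        for path in (proc.exe, *proc.dlls):
            if known.get(path) != md5_hex(self.disk[path]):
                return "block: fingerprint mismatch on " + path
        # proc.memory_only is never read: nothing here inspects the address space.
        return "allow"


def demo() -> dict:
    disk = {"browser.exe": b"exe-v1", "net.dll": b"dll-v1", "other.exe": b"x"}  # constructed
    policy = FingerprintPolicy(disk)
    browser = Process("browser.exe", ("net.dll",))
    policy.authorize(browser)
    results = {"clean": policy.decide(browser)}
    results["unknown"] = policy.decide(Process("other.exe", ()))
    results["foreign_code_in_memory"] = policy.decide(
        Process("browser.exe", ("net.dll",), memory_only=b"not from any file"))
    disk["net.dll"] = b"dll-replaced"   # file changed on disk after authorization
    results["dll_changed_on_disk"] = policy.decide(browser)
    return results
```

The decision depends only on file hashes, so a change to a file on disk is caught while a change confined to the authorized process's memory yields the same "allow" as the clean case.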
    


