
MS Security Patch Blocks Net Access For ZoneAlarm Users

timothy posted about 6 years ago | from the oh-there-can't-be-more-than-a-handful dept.


An anonymous reader writes "Users of Check Point ZoneAlarm security products, including the extremely popular, free-of-charge software firewall, have discovered that a Microsoft security update released on Tuesday has blocked their internet access. The firewall manufacturer is 'investigating the issue,' and so far the workaround seems to be to uninstall the recent DNS spoofing vulnerability fix MS08-037 (KB951748), and not reinstall it until Microsoft or Check Point have come up with updated versions of their products."


110 comments

And this is a bad thing how? (4, Funny)

trolltalk.com (1108067) | about 6 years ago | (#24123419)

a Microsoft security update released on Tuesday has blocked their internet access.

... it certainly makes their computers less prone to being hacked on the net ...

Re:And this is a bad thing how? (5, Funny)

Floritard (1058660) | about 6 years ago | (#24123505)

So the headline should have read:

"MS Security Patch perfects ZoneAlarm firewall"

Re:And this is a bad thing how? (4, Interesting)

Spy der Mann (805235) | about 6 years ago | (#24123659)

... it certainly makes their computers less prone to being hacked on the net ...

I know you wrote it as a joke, but it gets me thinking on the proprietary software problem again (yeah yeah, I know, more anti-MS babbling). The risk of having your operating system suddenly lose internet access completely is inadmissible. Since Windows is a closed-source product, only the maker (Microsoft) knows how to fix vulnerabilities. And if they screw up, like in this case, we have to depend on them to fix the problem. Either you lose internet access, or still are vulnerable to the DNS exploit.

Re:And this is a bad thing how? (5, Informative)

SQLGuru (980662) | about 6 years ago | (#24123901)

You make the immediate assumption that it was a problem with the MS Patch. I'll wait until the final news release about the subject, in case it's an issue with Zone Alarm. Why is Zone Alarm the only firewall with this problem (so far)? Is Zone Alarm firewall released as open source? Free != Open Source. Your same argument against MS can just as easily be applied to Check Point.

Layne

But.. (2, Funny)

Anonymous Coward | about 6 years ago | (#24124097)

But this is Slashdot.. of course it is Microsoft's fault.

Re:And this is a bad thing how? (2, Insightful)

Anonymous Coward | about 6 years ago | (#24124987)

What changed?

It's not a hard question and, thus, not a surprising answer when Microsoft is blamed.

AND you are absolutely correct about Check Point NOT being open source themselves; if they were it might also present a path to the resolution.

Otherwise, my bet is that:
  1. Zone-Alarm expects a portion of MS's network stack to behave in a certain way and it has now changed,
  2. Microsoft broke or changed something in their API, or as I suspect
  3. Zone-Alarm mis-interpreted the API or poorly coded to it.

Re:And this is a bad thing how? (-1, Troll)

thetoadwarrior (1268702) | about 6 years ago | (#24125635)

If the patch changes the behaviour then the patch probably caused the problem. You could argue that Zone Alarm was poorly coded but then again why was MS' product allowing them to write bad code in the first place.

I know most casual users think an OS should have everything they need but MS really should cut out all the crap and focus on a rock solid OS that doesn't allow sloppy coding because yes it is their fault still even if ZA was poorly coded just as you'd also be in trouble if you sit by quietly and allowed your partner to molest children or worse yet vote for McCain.

Re:And this is a bad thing how? (2, Insightful)

snoyberg (787126) | about 6 years ago | (#24127767)

I think his main argument is just against proprietary (ie, non-open source) software, meaning that regardless of who's to blame here, this is an example of why FOSS is better.

Re:And this is a bad thing how? (1)

Spy der Mann (805235) | about 6 years ago | (#24128713)

I think his main argument is just against proprietary (ie, non-open source) software, meaning that regardless of who's to blame here, this is an example of why FOSS is better.

Exactly! That's what I wanted to say.

(whew, that was close!)

Re:And this is a bad thing how? (2, Insightful)

hyperquantization (804651) | about 6 years ago | (#24130087)

Agreed, but only when the corporation who owns the source is incompetent. So to blanket all proprietary software, IMHO, is rather unfair. Either way, unless you're spending your own time developing the software, you're trusting somebody; if not a single corporation, then the Open Source Community. The point is, it's really just up to you, the user, to decide who you trust more.

Re:And this is a bad thing how? (1)

snoyberg (787126) | about 6 years ago | (#24133557)

The difference is that if the original developer on an open source project quits, you could hire someone to take the code and continue working on it. That might not sound feasible to an individual, but it might sound very good to a corporation.

Re:And this is a bad thing how? (1)

punissuer (1036512) | about 6 years ago | (#24129401)

You make the immediate assumption that it was a problem with the MS Patch.

In my book, it was a problem with the MS Patch. MS of all companies should know that they aren't releasing software into a vacuum, that they have to play nice with existing software. They should have noticed this update's incompatibility with ZoneAlarm before releasing it. They deserve a stinging slap on the wrist for not mentioning ZA in their knowledge base article about the update, and for not even mentioning DNS in the Automatic Update dialog. If it weren't for the article about the coordinated DNS patch on /. yesterday, my XP Home system might still be unable to use the net.

Re:And this is a bad thing how? (2, Insightful)

jeebusroxors (812064) | about 6 years ago | (#24132341)

So MS has to test their updates with EVERY piece of software that _may_ be used? It seems more likely that this is a ZA problem. Plus I'm willing to bet that the Windows firewall alone (that's still included right?) works just fine.

Re:And this is a bad thing how? (1)

goofyspouse (817551) | about 6 years ago | (#24137397)

Whoa, whoa, whoa...has ANYONE ever claimed that the built-in Windows firewall "works just fine"?

Re:And this is a bad thing how? (3, Funny)

quonsar (61695) | about 6 years ago | (#24124419)

The risk of having your operating system suddenly lose internet access completely is inadmissible.

They should have gotten a warrant?

Re:And this is a bad thing how? (2)

ToasterMonkey (467067) | about 6 years ago | (#24126915)

Are you trying to somehow credit open source software with bringing together disparate development teams on totally different projects to test & QA their software releases together? That's insane.

Be realistic, whatever system-wide stability advantage Linux (the OS) has is because of the centralized distribution model now commonly used, and can be credited solely to the maintainers of said distribution. Even the centralization hasn't been all that great until recent years, and you still have to use caution installing anything outside your "package manager". For sure, Free software helps when doing system-wide integration testing, but it is absolutely not required to get the same levels of stability as Linux. Another method might be, I don't know... maintaining well documented, backwards compatible programming interfaces, or issuing updates to partners in advance so they could get some QA cycles in?

Since Windows is a closed-source product, only the maker (Microsoft) knows how to fix vulnerabilities.

Just stop, YOU don't know how to fix most vulnerabilities, and probably wouldn't accept a patch from some random neighbor either. You line up in front of your vendor and take what you can get like anyone else.

If you happen to be one of the few who writes your own fixes for the open source software you use, kudos, you're one in a million.

One program breaks and it's an M$ issue? Nah. (5, Insightful)

Behrooz (302401) | about 6 years ago | (#24127207)

...or instead of complaining to Microsoft, you can disable ZoneAlarm and enjoy having your connection work again. Cheap firewalls failing to perform exactly how you'd like them to is an old, old story.

Given the ridiculous profusion of budget 'security' software swarming around, it hardly seems fair to lay the blame on M$ when ZoneAlarm is the only program that this patch appears to conflict with.

Of course, if ZoneAlarm wasn't proprietary, we could go see where they screwed up. Maybe you should go harass them for being closed-source instead?

Re:One program breaks and it's an M$ issue? Nah. (2, Interesting)

Spy der Mann (805235) | about 6 years ago | (#24128735)

...or instead of complaining to Microsoft, you can disable ZoneAlarm and enjoy having your connection work again.

Touché. I'd mod you up. Anyway, now that you mention it... the point of zonealarm is that the default firewall that comes with Windows is terribly insecure. It's interesting how a proprietary OS ends up spawning a lot of proprietary firewall and antivirus software.

My point? No point, it's just interesting to see how proprietary spawns proprietary... as if they were living beings.

Re:One program breaks and it's an M$ issue? Nah. (1)

dknj (441802) | about 6 years ago | (#24133879)

you are clearly forgetting that disassembled code is still code. you could just as easily find out what zonealarm screwed up, it just takes more time. what's the difference between open-source and closed-source? comments and clearly defined coding structures.

i wrote a 3d engine when i was 12. i wrote cryptic comments, had a bunch of variables named d0 d1 d2 etc, and had function names like TheHackFunction. my friend saw my engine and wanted to use it for his game, so i gave it to him in the spirit of open-source. it took him a day to trace down a bug. he told me about it and i knew exactly what the problem was and i fixed the same bug (and 2 others!) in 15 minutes.

with that said, am i the only one that always keeps a copy of softice nearby to patch pesky 'vulnerabilities' in proprietary applications?

softice + closed-source apps FTW

Re:And this is a bad thing how? (0)

Anonymous Coward | about 6 years ago | (#24130603)

Do you do a code review of all your OSS/Free software and install from source?

I didn't think so, because I doubt your name isn't Theo.

So in this case OSS/Free is just as good as closed because you're still taking the word of some other asshole.

Re:And this is a bad thing how? (0)

Anonymous Coward | about 6 years ago | (#24131929)

OK, I buy that the system losing internet access is inadmissible. But why is this a problem only for proprietary software? When I upgraded OVER THE NET from Ubuntu 6.04 to 7.02 it decided I had no network card and hence no network. This was supposedly a completely successful upgrade.

I imagine that should be just as inadmissible. I don't believe for a minute that this type of problem is "ooh, teh evil proprietary software". It is everyone in the industry's problem to work on and fix. In this particular case, Check Point was probably getting an advantage by not following some specification and making use of a subtle flaw that existed in the DNS stack. One of the things everyone - proprietary and OSS should remember is to only code to the published API specifications if you expect your app to work after an update to the OS.

A lot more than Microsoft (4, Informative)

suso (153703) | about 6 years ago | (#24125535)

We have a Cisco ASA at work for a large enterprise and about 2 hours after I applied the patch to our DNS servers running BIND, the ASA device blackholed the DNS servers. Wasn't a fun day really.

Re:And this is a bad thing how? (1)

sjames (1099) | about 6 years ago | (#24128791)

Or at least keeps their bot infested piece of junk from spamming the rest of us. :-)

Re:And this is a bad thing how? (0)

Anonymous Coward | about 6 years ago | (#24129411)

Not really.

If it's a DNS issue then they can't access most of the net since most of the user visible parts of the net are name based. It does not mean their computer is not accessible from the outside by IP nor does it mean that anything that does not use DNS can't connect. Whoa, lots of negatives in there but it's grammatically correct... I think...

other workaround (5, Informative)

TheSHAD0W (258774) | about 6 years ago | (#24123435)

Set Zonealarm's security level to "medium".

Re:other workaround (0, Informative)

Anonymous Coward | about 6 years ago | (#24123787)

Or uninstall zonealarm completely.

Re:other workaround (0)

Anonymous Coward | about 6 years ago | (#24124929)

I thought Billy G. retired, why is he posting here?

Re:other workaround (0)

Anonymous Coward | about 6 years ago | (#24123861)

I work for an ISP and we have a machine in here right now with Zone Alarm that wasn't able to browse. Set the "internet" Zone to 'Medium' and it worked fine so I can vouch for this fix.

Another workaround (3, Interesting)

martinw89 (1229324) | about 6 years ago | (#24124035)

Why not take this time to try out something new [comodo.com] ?

Re:Another workaround (2, Interesting)

Goldberg's Pants (139800) | about 6 years ago | (#24124341)

I've tried multiple firewalls over the years, including that one, and had a variety of issues ranging from general system stability problems to constant BSOD's. So much so I don't even bother anymore. I'm behind a router. I know it's not perfect, but having one less buggy, unstable program in the background makes life a lot nicer.

Off the top of my head I tried ZoneAlarm, both old and new versions, Tiny Personal Firewall, the prior TPF that had a different name, and several others.

Just not worth the aggravation.

Re:Another workaround (1)

ChrisLynx (102341) | about 6 years ago | (#24129023)

Now that's a descriptive product name!

Comodo: flush those bad packets away!

*If you don't get why this is funny, see
http://www.merriam-webster.com/dictionary/commode [merriam-webster.com]
definitions 2c and 2d :)

Re:other workaround (0)

Anonymous Coward | about 6 years ago | (#24124223)

That's something necessary for online gaming anyways. I was curious as to why I didn't get blocked after the update, now I know.

Re:other workaround (-1)

Anonymous Coward | about 6 years ago | (#24124229)

... or leave the Internet Zone Security on high and click the "custom" button.
Add a check to "Enable incoming TCP ports" and add ports 25,80,110,443,465,995
Add a check to "Enable outgoing TCP ports" and add ports 25,80,110,443,465,995
Click "apply" after each change

Re:other workaround (2, Informative)

MikeBabcock (65886) | about 6 years ago | (#24127209)

That would be horrifically stupid -- don't EVER enable incoming TCP ports like those unless you know what you're doing. Outbound ports are you connecting out, but inbound ports allow anyone on the internet to try and connect to you on those ports, none of which relate to DNS lookups -- that would be port 53 (UDP and/or rarely TCP).

Re:other workaround (0)

Anonymous Coward | about 6 years ago | (#24129567)

Although Goldberg's Pants said s/he was behind a router, I think it's actually a NAT unit. That makes more sense in the context of what was said. As such, MikeBabcock's comment about enabling incoming TCP ports is off target. For hosts not in the "demilitarized zone", which is to say, all hosts in the usual case, NAT units prevent incoming connections other than those which have been explicitly enabled.

NAT units do provide some protection against inbound connection attacks. They provide no protection against compromised machines making unwarranted outbound connections, and this is what makes a "personal firewall" worth contemplating.

Re:other workaround (1)

kayditty (641006) | about 6 years ago | (#24130127)

Uh, 'inbound port 53' doesn't relate to DNS look-ups, unless you're running a nameserver, or have a really flawed resolver. 53/tcp for DNS isn't rare. It's used for all kinds of things: long query responses and AXFR/IXFR transfers for nameservers, off the top of my head. The first one relates directly to client usage, as well.

I have to wonder what the grandparent is on about, though. Enabling inbound SMTP, pop3 + pop3s, SMB over TCP, HTTP, and SMTP over SSL makes no sense whatsoever. Quite a funny post, guy!!

Re:other workaround (1)

goombah99 (560566) | about 6 years ago | (#24125561)

Set Zonealarm's security level to "medium".

For those of you using the GUI, that's the checkbox next to the goatse icon.

Re:other workaround (2, Insightful)

Anonymous Coward | about 6 years ago | (#24127931)

Don't you think it's hard to take a security product seriously when its settings are "high", "medium", and "low"?

Not that other products are any better...

Thanks for the "update" (1)

snl2587 (1177409) | about 6 years ago | (#24123437)

Crap! Here come the phone calls asking for tech support...I think I'll turn off my phone for a bit...

Re:Thanks for the "update" (1)

Bomarc (306716) | about 6 years ago | (#24123491)

... and this /. story explains my brother's phone call late last night.

Re:Thanks for the "update" (1)

clone53421 (1310749) | about 6 years ago | (#24123669)

Crap! Here come the phone calls asking for tech support...I think I'll turn off my phone for a bit...

Kind of like a firewall for your telephone, eh?

Scheme for Microsoft spyware (-1, Troll)

ShadowWraith (1322747) | about 6 years ago | (#24123483)

Doesn't this seem as if Microsoft wants to weaken people's firewalls for evil purposes? Microsoft can make a lot of money selling exploits to "data mining" companies.

Re:Scheme for Microsoft spyware (1)

Apple Acolyte (517892) | about 6 years ago | (#24123565)

I'd agree with you there. Otherwise you have to attribute it to really poor M$ QA, which is just slightly less believable.

Re:Scheme for Microsoft spyware (1)

Paradigm_Complex (968558) | about 6 years ago | (#24125725)

If you're joking it's not funny, and if you're serious you're mistaken. MS has a history of doing stupid/evil things, but they're smart enough to know where the line is. MS can only dance around the law so much. Consider: As the usefulness of the exploit fades, a sneaky "Data mining" company could make even more money selling/abusing the knowledge of what MS did. Best MS could do is claim it was a (number of) rogue employee(s), but even so it's an unnecessary loss and risk. It won't bring in enough cash to even be noticeable compared to their OS or office software incomes, and it won't somehow stop their sliding market share in either market. But it could potentially cause them to bleed millions or even billions if they fail in delegating the blame to a couple of pawns.

Re:Scheme for Microsoft spyware (1)

edittard (805475) | about 6 years ago | (#24132533)

Hey Bill, why don't you STFU and concentrate on giving away your ill-gotten gains? kthxbye.

Girlfriends Comp (1)

elemnt14 (1319289) | about 6 years ago | (#24123485)

So that's what was causing the issue. I spent almost an hour trying to figure out what went wrong. Funny thing is she suggested it was ZA. Uninstalled and got net back online. I demand a refund for my wasted hour!

Re:Girlfriends Comp (1)

pxc (938367) | about 6 years ago | (#24123645)

After you found out it was ZoneAlarm, you should have pretended it was something else and changed that, too.

What? Somebody's gotta keep your girlfriend in line, and I sure ain't got time!

Re:Girlfriends Comp (1)

AkaKaryuu (1062882) | about 6 years ago | (#24123931)

You wasted 4 minutes of my life and I want them back. /moleman

You're doing it WRONG (0)

Anonymous Coward | about 6 years ago | (#24126245)

You should have uninstalled Pista.

BTW-for those unsure if you're broken (3, Funny)

faloi (738831) | about 6 years ago | (#24123497)

If you're reading this article from a machine in question, you're not broken.

Now please don't call me asking if it's something you should worry about.

Re:BTW-for those unsure if you're broken (4, Funny)

gEvil (beta) (945888) | about 6 years ago | (#24123655)

I'm pretty sure the computer I'm on right now is affected by this problem. Tell me what I need to do to fix it. It's a G5 iMac running Microsoft Tiger. The problem started when I updated Internet Safari. Please help!!!

Re:BTW-for those unsure if you're broken (1)

belthize (990217) | about 6 years ago | (#24126641)

How do you normally log onto the internet? Did you check you don't have capslock on? That happened to me once. It might just be

A friend of mine said he had the same problem and upgraded to Office 2008, I think he said, and that fixed it.

Belthize

Re:BTW-for those unsure if you're broken (1)

pklinken (773410) | about 6 years ago | (#24131279)

Argh, Technologyhypochondriacs!

Re:BTW-for those unsure if you're broken (1)

jeebusroxors (812064) | about 6 years ago | (#24132423)

It could be:
#127 - Sticky bits on the disk.

or

#237 - Plate voltage too low on demodulator tube.

Re:BTW-for those unsure if you're broken (1)

BlueStrat (756137) | about 6 years ago | (#24134717)

#237 - Plate voltage too low on demodulator tube.

Now you've done it!

Poor confused users will now be calling their senators, ISPs and their great-uncles that were TV repair techs in the '60s.

Cheers!

Strat

Re:BTW-for those unsure if you're broken (0)

Anonymous Coward | about 6 years ago | (#24124065)

Actually, OP was wrong. You ARE broken. Everyone please call OP repeatedly asking how to fix it.

OP: enjoy your new friends. =)

Re:BTW-for those unsure if you're broken (1)

Fnord666 (889225) | about 6 years ago | (#24125099)

Is this something I should worry about?

Re:BTW-for those unsure if you're broken (1)

Cro Magnon (467622) | about 6 years ago | (#24125301)

Now please don't call me asking if it's something you should worry about.

Okay, I'll just ask by email.

Security through obscurity (1)

the4thdimension (1151939) | about 6 years ago | (#24123507)

Obscure the computer from the internet and it's secure!

Good idea MS!!

In all Fairness to Microsoft (5, Informative)

docstrange (161931) | about 6 years ago | (#24123747)

This patch was not designed to patch a Microsoft flaw, but instead a vulnerability in nearly all implementations of DNS. So far over 100 vendors have patched their products and coordinated the release of this workaround. If zone alarm is broken because of this change they need to adjust their product to work with this change, not the other way around.

I've taken this snippet from: http://isc.sans.org/diary.html?storyid=4687 [sans.org] which explains things in a little more detail. Full details won't be disclosed until Blackhat in vegas this August.

The root cause is a fundamental, well known, weakness in the DNS protocol. DNS uses UDP, a stateless protocol. A DNS server will send a request in a single UDP packet, then wait for a response to come back. In order to match request and response, a number of parameters are checked:

who sent the response? Was it the DNS server we sent the request to?
for this particular response, do we have an outstanding request?
each request uses a unique and random query ID. The response has to use the same query ID.
The response has to be sent to the same port from which the request was sent.
Only if all this matches is the response accepted. The first valid response wins. If an attacker is able to guess the query id and the source port, the attacker is able to send a fake response, which will be cached by the DNS server.

Re:In all Fairness to Microsoft (1)

JCSoRocks (1142053) | about 6 years ago | (#24124513)

Well at least *someone* remembers the stories that were posted just a few days ago...

Wow thank you (1)

jasonmanley (921037) | about 6 years ago | (#24124621)

Dude that was such a cool breakdown of the situation. I love it when people do that - someone did that the other day with the post about the gpcode virus and how it does its encryption etc and it was an eye opener.

Re:In all Fairness to Microsoft (1)

nategoose (1004564) | about 6 years ago | (#24124657)

In all Fairness to Microsoft

How could you?

Re:In all Fairness to Microsoft (1)

mr_mischief (456295) | about 6 years ago | (#24124837)

If an attacker is able to guess the query id and the source port, the attacker is able to send a fake response, which will be cached by the DNS server.

It'd also work if the attacker was able to sniff that packet in the first place, of course, and with a much higher probability.

DNS over TCP for queries as well as zone transfers has long been an option for most DNS servers. Enabling that as the default would seem to be a secure enough fix, although with more overhead than UDP.

I haven't taken the time to see what this new recommended fix does. Anyone have details on how it makes the query response harder to fake?

Re:In all Fairness to Microsoft (4, Informative)

Simon (S2) (600188) | about 6 years ago | (#24126015)

I haven't taken the time to see what this new recommended fix does. Anyone have details on how it makes the query response harder to fake?

Sure. The security update [microsoft.com] addresses the vulnerabilities by using strongly random DNS transaction IDs, using random sockets for UDP queries, and updating the logic used to manage the DNS cache.
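The four matching checks quoted from the SANS diary above, and the fix Simon describes (strongly random transaction IDs plus a random socket per UDP query), modelled here as an added Python example; it is not code from the thread, the diary, Microsoft, BIND or ZoneAlarm, and the port range, addresses and answers are constructed. `guess_bits` shows what the change buys: an off-path forger must match the 16-bit ID alone under a fixed source port, but ID and port together once ports are randomized.

```python
# Added example (not from the Slashdot thread or the SANS diary it quotes):
# a minimal model of resolver-side response matching, plus the number of
# bits an off-path forger must guess under fixed vs randomized source ports.
from __future__ import annotations

import math
import secrets
from dataclasses import dataclass

FIXED_SRC_PORT = 53           # legacy behaviour: every query leaves from one port
PORT_RANGE = (1024, 65535)    # assumed ephemeral range used for randomized ports


@dataclass(frozen=True)
class Query:
    server: str     # upstream server we asked (constructed addresses in the test)
    qname: str
    txid: int       # 16-bit DNS transaction ID
    src_port: int   # UDP source port the query was sent from


@dataclass(frozen=True)
class Response:
    src: str        # who sent the reply
    qname: str
    txid: int
    dst_port: int   # port the reply arrived on
    answer: str


class Resolver:
    """UDP is stateless: these checks are the only binding between question and answer."""

    def __init__(self, randomize_ports: bool) -> None:
        self.randomize_ports = randomize_ports
        self.outstanding: dict[str, Query] = {}   # qname -> in-flight query
        self.cache: dict[str, str] = {}

    def send_query(self, server: str, qname: str) -> Query:
        txid = secrets.randbelow(1 << 16)          # strongly random transaction ID
        if self.randomize_ports:
            lo, hi = PORT_RANGE
            port = lo + secrets.randbelow(hi - lo + 1)   # fresh socket per query
        else:
            port = FIXED_SRC_PORT
        q = Query(server, qname, txid, port)
        self.outstanding[qname] = q
        return q

    def receive(self, r: Response) -> bool:
        """Apply the diary's four checks; the first valid response wins and is cached."""
        q = self.outstanding.get(r.qname)
        if q is None:                    # do we have an outstanding request for this?
            return False
        if r.src != q.server:            # was it sent by the server we asked?
            return False
        if r.txid != q.txid:             # same query ID?
            return False
        if r.dst_port != q.src_port:     # sent to the port the request left from?
            return False
        del self.outstanding[r.qname]    # first valid answer closes the window
        self.cache[r.qname] = r.answer
        return True


def guess_bits(randomize_ports: bool) -> float:
    """Bits an off-path attacker must guess per forged packet: the ID, plus the port if random."""
    bits = 16.0
    if randomize_ports:
        lo, hi = PORT_RANGE
        bits += math.log2(hi - lo + 1)
    return bits
```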

Re:In all Fairness to Microsoft (1)

Mushdot (943219) | about 6 years ago | (#24125767)

Cheers for the explanation! I've just got online after closing Zone Alarm down.

I think one problem is going to be the fact Zone Alarm can't check for updates when it has started, so it's going to be a bit difficult to auto roll a fix out?

Re:In all Fairness to Microsoft (1)

J_Doh! (830090) | about 6 years ago | (#24127337)

Short term work around. Set the internet security zone to medium. Make sure you're behind a hardware firewall though. Just tried it, and it worked.

Re:In all Fairness to Microsoft (1)

cjacobs001 (644842) | about 6 years ago | (#24128305)

Haven't we known about this vulnerability for years ?

Re:In all Fairness to Microsoft (1)

Ritchie70 (860516) | about 6 years ago | (#24128495)

Thanks! I was just reviewing the Microsoft patch at work today - evaluating what category it should go into ("OMG NOW NOW NOW", "Soon", "Next Release", "Never.")

That helps a lot with understanding it. (I said "Next Release", by the way.)

Not just Zone Alarm (1)

jimbobborg (128330) | about 6 years ago | (#24124251)

From articles I've read on the subject, a LOT of the personal firewalls for Windows PCs are having this problem.

Why are we blaming Microsoft? (3, Insightful)

Alereon (660683) | about 6 years ago | (#24124785)

Why are we assuming that this is a defect in the Microsoft patch, rather than a defect in the security software? I think it's much more likely that the software firewall application (which tend to be pretty skeevy in general, see Norton Internet Security) is inappropriately blocking access than that Microsoft screwed up the patch. From my (admittedly vague) understanding of the issue, I'm guessing that the firewall software whitelists outgoing UDP requests from port 53, and the new randomized ports are being blocked, preventing DNS queries from succeeding. I know blaming Microsoft is fun, but blaming even crappier software vendors is more fun :)

Re:Why are we blaming Microsoft? (3, Insightful)

Paradigm_Complex (968558) | about 6 years ago | (#24126007)

Why are you assuming that we're assuming? Vista got a lot more heat than it really deserved, often by people who know better. However, much of the public at large believed the complaints. Most non-technies I know, when the subject comes up, cite something along the lines of "I heard Vista sucks." No explanation why (often because they don't think they'd understand, they just don't care). Similar here: plenty of people will purposefully make stupid anti-MS statements, irrelevant of if they believe it or not or even care whose fault it is, in the hopes that if done sufficiently, it'll sink into the public mindset. Maybe they feel justified in giving MS back what it deserves after all the bad stuff they've gotten away with. Now mod me -1 Insightful so Joe Sixpack doesn't see this and we can continue our conspi^H^H^H^H^H^H vigilante fight for software freedom!

Re:Why are we blaming Microsoft? (1)

Toreo asesino (951231) | about 6 years ago | (#24126449)

Similar here: plenty of people will purposefully make stupid anti-MS statements, irrelevant of if they believe it or not or even care whose fault it is, in the hopes that if done sufficiently, it'll sink into the public mindset.

Careful now, with such logic and level-headedness like that you could end up in twitter's journal [slashdot.org] and everything :)

Re:Why are we blaming Microsoft? (1)

Paradigm_Complex (968558) | about 6 years ago | (#24128487)

I think I'm safe from twitter's journal [slashdot.org] , but yeah every once in a while I accidentally say something logical. I'll try not to let it happen again, but no promises. P.S. if we end up being twitter-journal-buddies I call top bunk.

Re:Why are we blaming Microsoft? (1)

0123456 (636235) | about 6 years ago | (#24128267)

"I'm guessing that the firewall software whitelists outgoing UDP requests from port 53, and the new randomized ports are being blocked, preventing DNS queries from succeeding."

Then you're guessing wrong; DNS works fine, but http gets blocked.

I agree though, that it could be a flaw in Zonealarm rather than Windows, since it hooks into the OS at such a low level.

Re:Why are we blaming Microsoft? (0)

Anonymous Coward | about 6 years ago | (#24129477)

Why are we assuming that this is a defect in the Microsoft patch, rather than a defect in the security software?

The default for all bugs is Microsoft until proven otherwise.

Alternative solution (1)

heffrey (229704) | about 6 years ago | (#24125033)

Get rid of ZoneAlarm and use a decent firewall!

Re:Alternative solution (1)

Toreo asesino (951231) | about 6 years ago | (#24126379)

Amen. I've got to say, I've seen many many boxes keel over with ZoneAlarm installed; it does nasty things with kernel hooks and so forth that doesn't bear thinking about. There are some decent software firewalls out there, but ZoneAlarm isn't one of them.

Re:Alternative solution (1)

webcite1 (817099) | about 6 years ago | (#24128429)

So, Windows fire wall is your cake? Eat it or die! BS!

Re:Alternative solution (1)

stderr_dk (902007) | about 6 years ago | (#24131961)

The cake is a lie...

Renew license or not? (0)

Anonymous Coward | about 6 years ago | (#24125037)

I am glad to read this message. My license expires in 23 days and I was going to throw away Zonealarm and purchase another product. I will uninstall the darn MS patch. Thanks MS! You did it again!

The real issue is . . . . (2, Insightful)

Anonymous Coward | about 6 years ago | (#24125275)

Microsoft should have tested this security update with all the popular firewall software and notified the developers of the firewall software itself. Then Microsoft and the affected software companies should have sent a notification of this issue to registered users of their software.

Zone Alarm certainly counts as popular firewall software.

If Microsoft did not test this against Zone Alarm, then that is pretty shabby QA on the part of Microsoft. If they did, and did not find the issue, then it is still pretty shabby QA.

If this was tested and the makers of the software notified, then it was pretty bad on the part of both Microsoft and the third party developers not to notify users and ISPs of this impending issue.

Basically, this surprise for ISPs and users never should have occurred.

Re:The real issue is . . . . (0)

Anonymous Coward | about 6 years ago | (#24130189)

Microsoft should have tested this security update with all the popular firewall software and notified the developers of the firewall software itself. Then Microsoft and the affected software companies should have sent a notification of this issue to registered users of their software.

Zone Alarm certainly counts as popular firewall software.

If Microsoft did not test this against Zone Alarm, then that is pretty shabby QA on the part of Microsoft. If they did, and did not find the issue, then it is still pretty shabby QA.

If this was tested and the makers of the software notified, then it was pretty bad on the part of both Microsoft and the third party developers not to notify users and ISPs of this impending issue.

Basically, this surprise for ISPs and users never should have occurred.

Sure and then they should also be testing against every proxy and VPN solution, also every IP program that uses DNS and for that matter every program that uses TCP in general. 50 years later when they have tested the million+ potential applications that could be affected you will get your patch.

GET REAL, all they can do here is do their best to predict what could go wrong and hopefully address it. This was a platform independent vulnerability that had to be released; from my understanding BIND has also had compatibility problems with other devices and software, as have a few others. Sometimes security is more important than the small percentage of people that will be inconvenienced.

Re:The real issue is . . . . (1)

dino2gnt (1072530) | about 6 years ago | (#24135663)

Explain to me why Microsoft should be supporting ZoneAlarm at all, regardless of its popularity? It's not Microsoft's responsibility to make sure CheckPoint's software runs on their systems - it's CheckPoint's.

Software FW..sigh, hold bridge of nose, shake head (5, Informative)

GlL (618007) | about 6 years ago | (#24126289)

Ahh the great security blanket called the software firewall. I like to use the following analogy in regards to them. Having a software firewall on your computer is like having a security guard in your bathroom. If something gets to the guard it's too late, your network is already compromised.

I work for an ISP in Tacoma WA, and software firewalls cause many more problems than they solve. I don't care which company makes it.

If you are really concerned about security then you will have a dedicated hardware firewall. These are inexpensive and common, even built into most SOHO routers.

So I know there will probably be flames, but if you write software firewalls, remember that the overwhelming majority of people who use them don't usually know they have one, and just ignore those little messages and click allow on everything until they actually read something and say "msimn.exe, what's that? I'm gonna block it!" And then they call me because their e-mail doesn't work.

Re:Software FW..sigh, hold bridge of nose, shake h (0)

Anonymous Coward | about 6 years ago | (#24126531)

Can you recommend a hardware firewall that pops up a little window and tells me which application is asking for access to the Internet, and asks me if I want to grant it permanent or temporary permission? Oh and it also has to do checksums on the binary to make sure it's really the program it says it is.

Re:Software FW..sigh, hold bridge of nose, shake h (1)

Joe U (443617) | about 6 years ago | (#24126617)

The software firewall is the last line of defense. It's supposed to work with your hardware firewall, not as a replacement to it.

Re:Software FW..sigh, hold bridge of nose, shake h (3, Insightful)

Elrond, Duke of URL (2657) | about 6 years ago | (#24130383)

This may be a big headache for somebody at an ISP who needs to help out users, but as somebody who uses ZoneAlarm, I find it to be very useful.

I've got an actual firewall in my router, but that only protects me from what comes in. And I run Linux, so that counters most other random garbage. But, on occasion, I use Windows and ZoneAlarm is very handy because it alerts me when any program is trying to send data out.

*This* is where software firewalls in Windows shine. So many programs in Windows phone home or access the Internet for completely unknown reasons. So, I block it. If it breaks and I really need that particular program, I can unblock it. It's hard to measure how much this really helps, and, of course, I'm sure there are ways to transmit in Windows without the firewall knowing about it. Still, it's nice to be able to say apps X and Y, you get to access the Net. Everybody else has to ask first.

Re:Software FW..sigh, hold bridge of nose, shake h (1)

Downside (662268) | about 6 years ago | (#24131779)

Well I've almost never had issues with ZA over quite a few years. I'd rather have the malicious probes wasting my fast, underused network bandwidth than have the hassle of setting up and maintaining yet another piece of equipment. (Especially anything to do with networks!)

Also, wouldn't it be a bit much to have 3 devices (cable modem, firewall, router) to run a network that has only 2 computers attached? Or even worse to landfill a perfectly adequate router to get one with a firewall that I clearly don't actually need?

Re:Software FW..sigh, hold bridge of nose, shake (2, Informative)

ledow (319597) | about 6 years ago | (#24131825)

It's bad if an *outbound* software firewall is your ONLY form of defence. But it is an INBOUND firewall too and it does a damn good job of that, considering. I've had people back in the dial-up / USB broadband modem days who used it exclusively as a defence and there were no problems at all. They frequently got attack probes aimed at them and they all bounced off harmlessly. For five minutes' work and a free download, it's much better value for money than trying to put a hardware firewall into computer novices' homes, with their 56k modems and Speedtouches.

But its main use is to turn off things that ask for the Internet that cannot be otherwise turned off, and does so without requiring TCP port rules etc. It also alerts even the knowledgeable user to strange Internet requests ("Opera is acting as a server"... is it? Why? Oh, I've hit an IRC address and it's trying to act as an IDENT server). If I could afford it, I'd put it on every Windows PC in the schools I work in (if I could move them off Windows, I would do that too) - it has an especially nice, centrally-configured network version so you can stop ANY program on ANY client that does happen to get executed from accessing the network/Internet unless it's on your whitelist - perfect for stopping a virus outbreak in its tracks.

Most importantly, however, it's fantastic as a basic Windows firewall for places where YOU CAN'T GET HARDWARE FIREWALLS. Say you have a wireless laptop that connects through your home network (a not-unusual scenario). The laptop is protected against Internet-based attacks but not against local wireless-based ones. So you either have to 1) rely on your wireless to be perfectly secure for the course of its life (WEP should have taught you that that is a silly thing to do), 2) Provide a hardware firewall on the laptop itself (means carrying another gadget like that USB stick that is a Linux firewall), 3) Using a VPN (which means forcing its use for everything Windows tries to transmit) or 4) using a software firewall. Zonealarm happens to be great at 3 AND 4.

For example, I have the following setup:

Windows laptop with wireless
Wireless access point
PC in the house with wireless card and OpenVPN
Internal network
Broadband connection

Everything past the Windows laptop is Linux and locked down (and I have Linux on a laptop too that connects in the same way). In my case, I use Zonealarm on the Windows laptop to MAKE SURE that nothing gets out across the (secured with WPA2) wireless connection except OpenVPN packets. This FORCES Windows to use OpenVPN (which it likes to avoid whenever possible, i.e. I plug another Ethernet interface into it and it changes routes etc.) for everything. I have an "insecure" network running behind the LAN but the only transit across it is via a secured VPN.

Without Zonealarm, you get hundreds of DNS, Samba, etc. requests coming out of the laptop, flying across the wireless, affecting speed, bandwidth and (potentially) security of the network. With a decent software firewall on Windows (or a decent TCP outbound firewall on Linux), I'm able to make sure that NOTHING but OpenVPN can talk to the wireless network - I could even turn off the wireless point's encryption (or have it compromised, or obsoleted, or removed for incompatibility/speed/bandwidth/latency reasons) and it wouldn't matter because nothing but OpenVPN can talk out.

Without ZoneAlarm, Windows is VERY chatty on any external network, plus it's difficult (but not impossible) to make it use only ONE route (your OpenVPN tunnel) out of many possible routes without something like ZoneAlarm, especially if things change often (e.g. you put a second wireless card in, or plug in an Ethernet card etc.). I also found that Windows Firewall was absolutely useless for this, and presented problems using OpenVPN in the particular mode I wanted it to (UDP I think, but it's been a while since I've had to touch any config files for that).

With Windows Firewall, OpenVPN connections died before they could complete unless they were using TCP. It didn't have enough state-knowledge to let the OpenVPN connections work reliably through it. Disabling Windows Firewall made everything work for both UDP and TCP. Installing Zonealarm INSTANTLY made everything work with UDP or TCP while actually strengthening security in the process - it's much more clever at working out what can go where than the Windows Firewall, and doesn't baulk at hundreds of UDP packets hitting the OpenVPN port. (BTW: this is a known problem - the OpenVPN solution is "install ZoneAlarm or other software firewall".)

With ZoneAlarm, only outgoing OpenVPN packets even make it to the laptop's wireless card to be sent to the access point. The AP is also capable of filtering other traffic itself but that would mean that I've ALREADY broadcast that data across the wireless before it gets a chance to see it. ZoneAlarm is not only a second line of defence from the "outside" (albeit a minor one) but a perfect defence for the "inside" too.

Break my wireless encryption - you've gotta break OpenVPN too, so I'm not really bothered.
Break OpenVPN and you'd have to break the wireless encryption first, so I'm not really bothered.

Let's say you get past the first stage and break WPA2, fake a valid MAC and join my wireless network, or you join my wireless network with some sort of encryption bypass / configuration error and sniff forever. You can't get into anything useful (or use my wireless as your personal ISP) but you'll see encrypted OpenVPN traffic pass both ways AND NOTHING ELSE. Without Zonealarm (or other software firewall), you would be seeing SMB, DNS, broadcast, etc. information too and, from being on a "trusted" network, you could just access any shares or attack the machine directly (with, say, a Windows-specific exploit).

Let's change it a bit, so we're not using "unusual" software/setups and say that you have set up a complete novice's wireless network cheaply ("I hear my old wireless access point is insecure, could you come and sort it out for me, without spending money?"). The best way would be to run a VPN (IPSEC, etc.) over the wireless, even if it's only between the laptop and the WAP, and deny access to anything but the VPN port. This is certainly possible and incredibly easy with many of the common access points without any "extra" hardware.

You're protected against virtually everything, even if the pillock decides to turn off encryption or is still running WEP. But, because it's Windows, to be 100% sure you NEED ZoneAlarm or similar on there too. Windows is noisy, and you're talking over an insecure channel (the wireless) to establish a secure connection (the VPN). Only Windows routing and the program you're running decides HOW the packets get somewhere... noisy programs broadcast their presence on all interfaces too. Someone joining the wireless can't attack your friend's laptop.

The Linux laptop can do something similar by using outbound iptables rules (which is a software firewall too) and proper routes that hold still but Windows often needs a bit more of a shove. For a Windows user, installing Zonealarm in this circumstance solves the problem in seconds - just make sure that only the VPN interface is "trusted" and all others are "untrusted". My wife set up this Windows laptop onto the system in a matter of minutes - fresh laptop - install wireless key, install VPN-GUI, test. At this point, you're getting Windows broadcasts across the wireless as well as everything else. Install Zonealarm, change all interfaces except the VPN to untrusted. Zero non-VPN packets across the wireless.

Software firewalls have their uses. Windows ones, especially, because so often Windows Firewall is completely inadequate. If you baulk at having iptables rules on Linux clients too then you shouldn't ever complain about a software firewall. Allow ANY:ANY on OUTBOUND works but it's not always the best situation.
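The Linux side of ledow's setup, restricting a laptop so that only the OpenVPN channel may leave the wireless interface, written out as an added example (not ledow's own configuration or anything from the OpenVPN project). It goes one step further than the comment by logging whatever still tries to bypass the tunnel and summarising those log lines; interface names wlan0/tun0, the documentation-range server 203.0.113.10, UDP 1194 and the sample log lines are all constructed assumptions.

```shell
# Added example, not ledow's own configuration: a Linux equivalent of the
# "only OpenVPN may touch the wireless" rule set described in the comment.
# Assumed (constructed) names: wireless wlan0, tunnel tun0, OpenVPN server
# 203.0.113.10 (documentation range) on UDP 1194.
# gen_vpn_only_rules only PRINTS iptables commands; review them, then
# pipe the output to "sudo sh" to apply.
gen_vpn_only_rules() {
    wifi="$1"; tun="$2"; server="$3"
    port="${4:-1194}"; proto="${5:-udp}"
    cat <<EOF
# Default-deny for everything the laptop sends
iptables -P OUTPUT DROP
iptables -F OUTPUT
# Loopback and the tunnel interface carry the real traffic: unrestricted
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $tun -j ACCEPT
# DHCP so the laptop can still obtain an address on the wireless
iptables -A OUTPUT -o $wifi -p udp --sport 68 --dport 67 -j ACCEPT
# The ONLY other thing allowed onto the wireless: the OpenVPN channel
iptables -A OUTPUT -o $wifi -p $proto -d $server --dport $port -j ACCEPT
# Return traffic for flows the rules above already accepted
iptables -A OUTPUT -o $wifi -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything else (SMB, NetBIOS, mDNS, plain DNS, broadcasts) is logged at a
# bounded rate so leaks show up in dmesg/syslog, then dropped
iptables -A OUTPUT -o $wifi -m limit --limit 5/min -j LOG --log-prefix "wifi-leak: "
iptables -A OUTPUT -o $wifi -j DROP
EOF
}

# Constructed kernel-log lines in the iptables LOG target's format, as they
# would appear after the rules above caught NetBIOS and DNS leaving directly.
SAMPLE_LOG='Jul 10 12:00:01 laptop kernel: wifi-leak: IN= OUT=wlan0 SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Jul 10 12:00:02 laptop kernel: wifi-leak: IN= OUT=wlan0 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51000 DPT=53 LEN=40'

# Reduce "wifi-leak:" lines from stdin to "PROTO DST:DPT", one per packet,
# so you can see which local services still bypass the tunnel.
summarise_leaks() {
    grep 'wifi-leak: ' | sed -n 's/.*DST=\([0-9.]*\).*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\2 \1:\3/p'
}

# Stand-alone usage: print the rule set, then summarise the sample log.
gen_vpn_only_rules wlan0 tun0 203.0.113.10
printf '%s\n' "$SAMPLE_LOG" | summarise_leaks | sort | uniq -c
```

These rules cover IPv4 only, so add matching ip6tables rules or disable IPv6 on the wireless interface, and remember that ARP is layer 2 and is not filtered by iptables at all.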

We'll Get You to Vista One Way or Another (2, Funny)

DoctorMabuse (456736) | about 6 years ago | (#24126483)

Microsoft starts new ad campaign about how great Vista is now and XP suddenly fails. Good one, Ballmer.

Ok, a little help here (1)

Anonymous Cowpat (788193) | about 6 years ago | (#24126773)

I'm fairly sure that I've just installed this patch. BUT, I haven't rebooted yet. (I'm using ZA, obviously). How can I stop the process of the patch being applied before I reboot so I don't fritz my computer? Thanks

Re:Ok, a little help here (-1, Flamebait)

Anonymous Coward | about 6 years ago | (#24127509)

The only way to do that was to say "cancel" in the Zone Alarm installer.

Once ZA is installed your machine is already screwed, and all that's left is to wait and see when you'll notice.

Re:Ok, a little help here (3, Informative)

punissuer (1036512) | about 6 years ago | (#24129609)

Don't worry. Removing the patch was easy once I knew that was what needed to be done. Just go to Add/Remove Programs, check the box for "Show updates", scroll down to KB951748, click the Remove button, and reboot (again).

Par For the Course (3, Insightful)

vtcodger (957785) | about 6 years ago | (#24128143)

OK. Microsoft has once again put a bunch of users off the air -- tying up the clever and the lucky for a few minutes, and probably crippling many users for days. Not the first time. Won't be the last.

And what do Slashdot readers have to say? In about equal numbers:

  1. Blame Microsoft
  2. Blame the "Application"
  3. That old favorite -- Blame the user.

OK geniuses. What, realistically, is the industry supposed to do in order to stop doing this sort of thing?

I don't know what the answer is. If I did, I'd be lining up staffing, capital, etc. But I'm 100% sure that it is not:

  1. Install Ubuntu
  2. Don't worry, be happy
  3. Blame the User

Re:Par For the Course (1)

webcite1 (817099) | about 6 years ago | (#24128485)

Windows firewall now rules! Are you happy? FTS!

I was wondering what happened yesterday (1)

Conspiracy_Of_Doves (236787) | about 6 years ago | (#24128805)

Did an update, and all of the sudden, no internet. Removed the update and the internet was back.

Didn't realize it had anything to do with Zonealarm.

Still using Zone Alarm!? (-1, Troll)

Anonymous Coward | about 6 years ago | (#24129533)

upgrade to Linux, bitches!

GNAA launched my penis to the moon!

ZoneAlarm have fixed this (1, Informative)

Anonymous Coward | about 6 years ago | (#24132927)

ZoneAlarm have released an update to fix this. Check out their technical support page http://www.zonealarm.com/store/content/support/techSupport.jsp

Re:ZoneAlarm have fixed this (0)

Anonymous Coward | about 6 years ago | (#24136861)

No they haven't. At time of writing all they've done is added a description of the problem and the two work-arounds - uninstall hotfix or set security to medium - that are in TFA.
