MS Security Patch Blocks Net Access For ZoneAlarm Users

An anonymous reader writes "Users of Check Point ZoneAlarm security products, including the extremely popular, free-of-charge software firewall, have discovered that a Microsoft security update released on Tuesday has blocked their internet access. The firewall manufacturer is 'investigating the issue,' and so far the workaround seems to be to uninstall the recent DNS spoofing vulnerability fix MS08-037 (KB951748), and not reinstall it until Microsoft or Check Point have come up with updated versions of their products."

And this is a bad thing how?

[trolltalk.com (1108067)]

a Microsoft security update released on Tuesday has blocked their internet access.

... it certainly makes their computers less prone to being hacked on the net ...

Re:And this is a bad thing how?

[Floritard (1058660)]

So the headline should have read:

"MS Security Patch perfects ZoneAlarm firewall"

Re:And this is a bad thing how?

[Spy der Mann (805235)]

... it certainly makes their computers less prone to being hacked on the net ...

I know you wrote it as a joke, but it gets me thinking on the proprietary software problem again (yeah yeah, I know, more anti-MS babbling). The risk of having your operating system suddenly lose internet access completely is inadmissible. Since Windows is a closed-source product, only the maker (Microsoft) knows how to fix vulnerabilities. And if they screw up, like in this case, we have to depend on them to fix the problem. Either you lose internet access, or still are vulnerable to the DNS exploit.

Re:And this is a bad thing how?

[SQLGuru (980662)]

You make the immediate assumption that it was a problem with the MS Patch. I'll wait until the final news release about the subject, in case it's an issue with Zone Alarm. Why is Zone Alarm the only firewall with this problem (so far)? Is Zone Alarm firewall released as open source? Free != Open Source. Your same argument against MS can just as easily be applied to Check Point.

Layne

But..

[by Anonymous Coward]

But this is Slashdot.. ofcource it is Microsoft's fault.

Re:

[by Anonymous Coward]

What changed?

It's not a hard question and, thus, not a surprising answer when Microsoft is blamed.

AND you are absolutely correct about Check Point NOT being open source themselves; if they were it might also present a path to the resolution.

Otherwise, my bet is that:

1. Zone-Alarm expects a portion of MS's network stack to behave in a certain way and it has now changed,
2. Microsoft broke changed something in their API, or as I suspect
3. Zone-Alarm mis-interpreted the API or poorly coded to it.

Re:

[snoyberg (787126)]

I think his main argument is just against proprietary (ie, non-open source) software, meaning that regardless of who's to blame here, this is an example of why FOSS is better.

Re:

[Spy der Mann (805235)]

I think his main argument is just against proprietary (ie, non-open source) software, meaning that regardless of who's to blame here, this is an example of why FOSS is better.

Exactly! That's what I wanted to say.

(whew, that was close!)

Re:

[hyperquantization (804651)]

Agreed, but only when the corporation who owns the source is incompetent. So to blanket all proprietary software, IMHO, is rather unfair. Either way, unless you're spending your own time developing the software, you're trusting somebody; if not a single corporation, then the Open Source Community. The point is, it's really just up to you, the user, to decide who you trust more.

Re:

[quonsar (61695)]

The risk of having your operating system suddenly lose internet access completely is inadmissible.

They should have gotten a warrant?

Re:

[ToasterMonkey (467067)]

Are you trying to somehow credit open source software with bringing together disparate development teams on total different projects to test & QA their software releases together? That's insane.

Be realistic, whatever system-wide stability advantage Linux (the OS) has is because of the centralized distribution model now commonly used, and can be credited solely to the maintainers of said distribution. Even the centralization hasn't been all that great until recent years, and you still have to use cauti

One program breaks and it's an M$ issue? Nah.

[Behrooz (302401)]

...or instead of complaining to Microsoft, you can disable ZoneAlarm and enjoy having your connection work again. Cheap firewalls failing to perform exactly how you'd like them to is an old, old story.

Given the ridiculous profusion of budget 'security' software swarming around, it hardly seems fair to lay the blame on M$ when ZoneAlarm is the only program that this patch appears to conflict with.

Of course, if ZoneAlarm wasn't proprietary, we could go see where they screwed up. Maybe you should go harass them for being closed-source instead?

Re:

[Spy der Mann (805235)]

...or instead of complaining to Microsoft, you can disable ZoneAlarm and enjoy having your connection work again.

Touché. I'd mod you up. Anyway, now that you mention it... the point of zonealarm is that the default firewall that comes with Windows is terribly insecure. It's interesting how a proprietary OS ends up spawning a lot of proprietary firewall and antivirus software.

My point? No point, it's just interesting to see how proprietary spawns proprietary... as if they were living beings.

A lot more than Microsoft

[suso (153703)]

We have a Cisco ASA at work for a large enterprise and about 2 hours after I applied the patch to our DNS servers running BIND, they the ASA device blackholed the DNS servers. Wasn't a fun day really.

Re:

[sjames (1099)]

Or at least keeps their bot infested piece of junk from spamming the rest of us. :-)

other workaround

[TheSHAD0W (258774)]

Set Zonealarm's security level to "medium".

Another workaround

[martinw89 (1229324)]

Why not take this time to try out something new [comodo.com]?

Re:

[Goldberg's Pants (139800)]

I've tried multiple firewalls over the years, including that one, and had a variety of issues ranging from general system stability problems to constant BSOD's. So much so I don't even bother anymore. I'm behind a router. I know it's not perfect, but having one less buggy, unstable program in the background makes life a lot nicer.

Off the top of my head I tried ZoneAlarm, both old and new versions, Tiny Personal Firewall, the prior TPF that had a different name, and several others.

Just not worth the aggravat

Re:

[goombah99 (560566)]

Set Zonealarm's security level to "medium".

For those of you using the GUI, that's the checkbox next to the goatse icon.

Re:

[by Anonymous Coward]

Don't you think it's hard to take a security product seriously when its settings are "high", "medium", and "low"?

Not that other products are any better...

Re:

[MikeBabcock (65886)]

That would be horrifically stupid -- don't EVER enable incoming TCP ports like those unless you know what you're doing. Outbound ports are you connecting out, but inbound ports allow anyone on the internet to try and connect to you on those ports, none of which relate to DNS lookups -- that would be port 53 (UDP and/or rarely TCP).

Thanks for the "update"

[snl2587 (1177409)]

Crap! Here come the phone calls asking for tech support...I think I'll turn off my phone for a bit...

Re:

[Bomarc (306716)]

... and this /. story explains my brothers phone call late last night.

BTW-for those unsure if you're broken

[faloi (738831)]

If you're reading this article from a machine in question, you're not broken.

Now please don't call me asking if it's something you should worry about.

Re:BTW-for those unsure if you're broken

[gEvil (beta) (945888)]

I'm pretty sure the computer I'm on right now is affected by this problem. Tell me what I need to do to fix it. It's a G5 iMac running Microsoft Tiger. The problem started when I updated Internet Safari. Please help!!!

Re:

[Fnord666 (889225)]

Is this something I should worry about?

Re:

[Cro Magnon (467622)]

Now please don't call me asking if it's something you should worry about.

Okay, I'll just ask by email.

In all Fairness to Microsoft

[docstrange (161931)]

This patch was not designed to patch a Microsoft flaw, but instead a vulnerability in nearly all implementations of DNS. So far over 100 vendors have patched their products and coordinated the release of this workaround. If zone alarm is broken because of this change they need to adjust their product to work with this change, not the other way around.

I've taken this snippet from: http://isc.sans.org/diary.html?storyid=4687 [sans.org] which explains things in a little more detail. Full details won't be disclosed until Blackhat in vegas this August.

The root cause is a fundamental, well known, weakness in the DNS protocol. DNS uses UDP, a stateless protocol. A DNS server will send a request in a single UDP packet, then wait for a response to come back. In order to match request and response, a number of parameters are checked:

who sent the response? Was it the DNS server we sent the request to?
for this particular response, do we have an outstanding request?
each request uses a unique and random query ID. The response has to use the same query ID.
The response has to be sent to the same port from which the request was sent.
Only if all this matches, the response is accepted. The first valid response wins. If an attacker is able to guess the query id and the source port, the attacker is able to send a fake response, which will be cached by the DNS server.

Re:

[JCSoRocks (1142053)]

Well at least *someone* remembers the stories that were posted just a few days ago...

Re:

[mr_mischief (456295)]

If an attacker is able to guess the query id and the source port, the attacker is able to send a fake response, which will be cached by the DNS server.

It'd also work if the attacker was able to sniff that packet in the first place, of course, and with a much higher probability.

DNS over TCP for queries as well as zone transfers has long been an option for most DNS servers. Enabling that as the default would seem to be a secure enough fix, although with more overhead than UDP.

I haven't taken the time to see what this new recommended fix does. Anyone have details on how it makes the query response harder to fake?

Re:In all Fairness to Microsoft

[Simon (S2) (600188)]

I haven't taken the time to see what this new recommended fix does. Anyone have details on how it makes the query response harder to fake?

Sure. The security update [microsoft.com] addresses the vulnerabilities by using strongly random DNS transaction IDs, using random sockets for UDP queries, and updating the logic used to manage the DNS cache.

Re:

[Ritchie70 (860516)]

Thanks! I was just reviewing the Microsoft patch at work today - evaluating what category it should go into ("OMG NOW NOW NOW", "Soon", "Next Release", "Never.")

That helps a lot with understanding it. (I said "Next Release", by the way.)

Not just Zone Alarm

[jimbobborg (128330)]

From articles I've read on the subject, a LOT of the personal firewalls for Windows PCs are having this problem.

Why are we blaming Microsoft?

[Alereon (660683)]

Why are we assuming that this is a defect in the Microsoft patch, rather than a defect in the security software? I think it's much more likely that the software firewall application (which tend to be pretty skeevy in general, see Norton Internet Security) is inappropriately blocking access than that Microsoft screwed up the patch. From my (admittedly vague) understanding of the issue, I'm guessing that the firewall software whitelists outgoing UDP requests from port 53, and the new randomized ports are being blocked, preventing DNS queries from succeeding. I know blaming Microsoft is fun, but blaming even crappier software vendors is more fun :)

Re:Why are we blaming Microsoft?

[Paradigm_Complex (968558)]

Why are you assuming that we're assuming? Vista got a lot more heat than it really deserved, often by people who know better. However, much of the public at large believed the complaints. Most non-technies I know, when the subject comes up, cite something along the lines of "I heard Vista sucks." No explanation why (often because they don't think they'd understand, they just don't care). Similar here: plenty of people will purposefully make stupid anti-MS statements, irrelevant of if they believe it or not or even care whose fault it is, in the hopes that if done sufficiently, it'll sink into the public mindset. Maybe they feel justified in giving MS back what it deserves after all the bad stuff they've gotten away with. Now mod me -1 Insightful so Joe Sixpack doesn't see this and we can continue our conspi^H^H^H^H^H^H vigilante fight for software freedom!

Re:

[Toreo asesino (951231)]

Similar here: plenty of people will purposefully make stupid anti-MS statements, irrelevant of if they believe it or not or even care whose fault it is, in the hopes that if done sufficiently, it'll sink into the public mindset.

Careful now, with such logic and level-headedness like that you could end up in twitter's journal [slashdot.org] and everything :)

Re:

[Paradigm_Complex (968558)]

I think I'm safe from twitter's journal [slashdot.org], but yeah every once in a while I accidentally say something logical. I'll try not to let it happen again, but no promises. P.S. if we end up being twitter-journal-buddies I call top bunk.

Re:

[0123456 (636235)]

"I'm guessing that the firewall software whitelists outgoing UDP requests from port 53, and the new randomized ports are being blocked, preventing DNS queries from succeeding."

Then you're guessing wrong; DNS works fine, but http gets blocked.

I agree though, that it could be a flaw in Zonealarm rather than Windows, since it hooks into the OS at such a low level.

The real issue is . . . .

[by Anonymous Coward]

Microsoft should have tested this security update with all the popular firewall software and notified the developers of the firewall software itself. Then Microsoft and the affected software companies should have sent a notification of this issue to registered users of their software.

Zone Alarm certainly counts as popular firewall software

If Microsoft did not test this against zone alarm , than that is pretty shabby QA on the part of Microsoft. If they did, and did not find the issue than it is still pret

Software FW..sigh, hold bridge of nose, shake head

[GlL (618007)]

Ahh the great security blanket called the software firewall. I like to use the following analogy in regards to them. Having a software firewall on your computer is like having a security guard in your bathroom. If something gets to the guard it's too late, your network is already compromised.

I work for an ISP in Tacoma WA, and Software firewalls cause many more problems then they solve. I don't care which company makes it.

If you are really concerned about security then you will have a dedicated hardware firewall. These are inexpensive and common, even built into most SOHO routers.

So I know there will probably be flames, but if you write software firewalls, remember that the overwhelming majority of people who use them don't usually know they have one, and just ignore those little messages and click allow on everything until they actually read something and say "msimn.exe, what's that? I'm gonna block it!" And then they call me because their e-mail doesn't work.

Re:

[Joe U (443617)]

The software firewall is the last line of defense. It's supposed to work with your hardware firewall, not as a replacement to it.

Re:Software FW..sigh, hold bridge of nose, shake h

[Elrond, Duke of URL (2657)]

The may be a big headache for somebody at an ISP who needs to help out users, but as somebody who uses ZoneAlarm, I find it to be very useful.

I've got an actual firewall in my router, but that only protects me from what comes in. And I run Linux, so that counters most other random garbage. But, on occasion, I use Windows and ZoneAlarm is very handy because it alerts me when any program is trying to send data out.

*This* is where software firewalls in Windows shine. So many programs in Windows phone home or access the Internet for completely unknown reasons. So, I block it. If it breaks and I really need that particular program, I can unblock it. It's hard to measure how much this really helps, and, of course, I'm sure there are ways to transmit in Windows without the firewall knowing about it. Still, it's nice to be able to say apps X and Y, you get to access the Net. Everybody else has to ask first.

Re:Software FW..sigh, hold bridge of nose, shake

[ledow (319597)]

It's bad if an *outbound* software firewall is your ONLY form of defence. But it is an INBOUND firewall too and it does a damn good job of that, considering. I've had people back in the dial-up / USB broadband modem days who used it exclusively as a defence and there were no problems at all. They frequently got attack probes aimed at them and they all bounced off harmlessly. For five minutes work and a free download, it's much better value for money than trying to put a hardware firewall into computer n

We'll Get You to Vista One Way or Another

[DoctorMabuse (456736)]

Microsoft starts new ad campaign about how great Vista is now and XP suddenly fails. Good one, Balmer.

Ok, a little help here

[Anonymous Cowpat (788193)]

I'm fairly sure that I've just installed this patch. BUT, I haven't rebooted yet. (I'm using ZA, obviously). How can I stop the process of the patch being applied before I reboot so I don't fritz my computer? Thanks

Re:

[punissuer (1036512)]

Don't worry. Removing the patch was easy once I knew that was what needed to be done. Just go to Add/Remove Programs, check the box for "Show updates", scroll down to KB951748, click the Remove button, and reboot (again).

Par For the Course

[vtcodger (957785)]

OK. Microsoft has once again put a bunch of users off the air -- tying up the clever and the lucky for a few minutes, and probably crippling many users for days. Not the first time. Won't be the last.

And what do Slashdot readers have to say? In about equal numbers:

1. Blame Microsoft
2. Blame the "Application"
3. That old favorite -- Blame the user.

OK geniuses. What, realistically, is the industry supposed to do in order to stop doing this sort of thing?

I don't know what the answer is. If I did, I'd be lining up staffing, capital, etc. But I'm 100% sure that it is not:

1. Install Ubuntu
2. Don't worry, be happy
3. Blame the User

I was wondering what happened yesterday

[Conspiracy_Of_Doves (236787)]

Did an update, and all of the sudden, no internet. Removed the update and the internet was back.

Didn't realize it had anything to do with Zonealarm.

Re:

[Paradigm_Complex (968558)]

If you're joking it's not funny, and if you're serious you're mistaken. MS has a history of doing stupid/evil things, but they're smart enough to know where the line is. MS can only dance around the law so much. Consider: As the usefulness of the exploit fades, a sneaky "Data mining" company could make even more money selling/abusing the knowledge of what MS did. Best MS could do is claim it was a (number of) rogue employee(s), but even so it's an unnecessary loss and risk. It won't bring in enough cash

Re:

[Toreo asesino (951231)]

Amen. I've got to say, I've seen many many boxes keel over with ZoneAlarm installed; it does nasty things with kernel hooks and so forth that doesn't bear thinking about. There are some decent software firewalls out there, but ZoneAlarm isn't one of them.