FIX for ZoneAlarm & KB951748 issue released

Discussion in 'Windows Update' started by PA Bear [MS MVP], Jul 10, 2008.

  1. PA Bear [MS MVP]

    Stinger Guest

    Simply amazing to me how many of you responders hold such a cavalier
    attitude toward security. I challenge any of you to publicly post a static
    IP address available you can monitor, turn on that wonderful Windows firewall
    (since that's all you believe is needed) and sit back for a few days and
    watch what happens. You'll soon discover how vital security becomes in
    your computer world. Do it the right way, like MOST consumers do without the
    aid of any router or other bandwidth protectors.

    Firewalls are mostly hype and snake oil. Thanks for that little chuckle.
    You don't mind if I share that statement with others in the real world
    outside of the protection of this forum? Sure, most computer users are small
    fish in a big sea but not all of us....obviously. I for one would rather be
    safe with my firewall protection than to take the word of someone that
    discounts security as easily as the likes of this group.

    Oh and let's be real honest about something here. Internet Explorer is
    "bundled" with Windows, has been for a long time. Windows is also the most
    common OS in the world. But IE is nothing more than a GUI for viewing web
    pages. Saying the DNS problem wasn't related to Windows (did you really say
    that??) is laughable. Perhaps a better understanding of the actual DNS issue
    should be on your todo list. And on top of all that even implying a firewall
    isn't involved in this DNS issue is blasphemy. What conduit is being used
    for this communication between your computer and web pages if it's not via
    ports? I'll quote a single line explaining part of the DNS process for those
    reading this that are tired of being directed to web sites --> "If the
    records are not stored locally, your computer queries (or contacts) your
    ISP's recursive DNS servers." Doesn't take a rocket scientist to understand
    the Windows operating system does indeed have a major stake in this DNS
    problem. If you still are riding on the boat down the river of denial, ask
    yourself one question.... Why was the patch even produced by MS if there
    wasn't a "problem" with the OS, hmm?

    Yea, firewalls are all hype and snake oil. That's an instant classic!

    You folks need to get out of the Microsoft world and step into the real
    world every once in a while or you're limiting yourself.
     
    Stinger, Jul 18, 2008

  2. PA Bear [MS MVP]

    Root Kit Guest

    So - what's going to happen? Please enlighten us.
    I don't recall anyone claiming security isn't important.
    Do you have any technical arguments to prove otherwise, or are you
    just babbling?
    Feel free.
    No one here forces you to stop using pseudo-security software.
    Really? - I guess that comes as a major shock to all of us...
    It is? - You continue to surprise...
    Well... it's also an ActiveX rich web client if you ask me.
    I don't honestly think you understood what he said.
    Blasphemy? - Holy sh...
    Do you even understand the problem?
    It's hard to avoid MS products also in the real world ;-)


    BTW, what you provided here lacks any technical arguments which makes
    you sound more like a salesman than anything else. So what security
    software company do you represent?
     
    Root Kit, Jul 18, 2008

  3. PA Bear [MS MVP]

    Kerry Brown Guest


    I live in the real world. I manage networks for a living. This includes
    managing the network security for a government contractor who gets audited
    for security yearly. I use real firewalls (not software firewalls) every
    day. The networks I manage use many products and OS's, other than
    Microsoft's, that do DNS lookups. Here's what happened with the DNS changes.
    Windows was using DNS as it was supposed to be used. A flaw was found in the
    way DNS communications work. This flaw had nothing to do with Windows. All
    of the major networking hardware and software developers were made aware of
    this and as a group decided to make a change in the way DNS communications
    worked to close this possible exploit. This change in the way DNS
    communications worked meant some low level system files in Windows needed to
    be updated. FWIW my Linux computers and some of the hardware firewall
    appliances I manage also had some low level changes because of this as well.
    The change was made and some Windows files were updated via Windows Updates.
    At this point some versions of Zone Alarm barfed. I don't use Zone Alarm so
    the rest of the story I gleaned from reading Zone Alarm forums and official
    announcements. The Zone Alarm application noticed that some Windows files
    had changed and decided not to allow these files to communicate to the
    Internet. It wasn't anything in the way the files worked, merely that they
    had changed, that caused the problem. Because these are system files Zone
    Alarm doesn't ask about them. Clearing the Zone Alarm database so that it
    would not think the files were changed fixed the problem. How is an OS
    supposed to update itself if it can't change files? The way that Zone Alarm
    monitors and responds to system file changes is flawed.

    You have misquoted me. I never said "firewalls are all hype and snake oil".
    I said "We can debate the effectiveness of software firewalls all day."
    followed by "I think they're mostly hype and snake oil." Of course not all
    firewalls are hype and snake oil. Software firewalls that advertise they can
    stop malicious outbound traffic are. If you want to quote me anywhere,
    including this forum, please quote me verbatim without changes.

    Oh and by the way, I know of many people using both XP and Vista with
    only the Windows firewall running on their computer. What am I supposed to
    see happen? They have no more problems with malware than anyone else. In
    fact the ones that I set up have almost no malware problems at all. Many of
    them don't have a router (i.e. dialup) yet they don't have any problems with
    malware. How will your preferred firewall solution help protect them better
    than they are now? Maybe you could tell us exactly how their security will
    be improved by using a different software firewall?
     
    Kerry Brown, Jul 18, 2008
  4. PA Bear [MS MVP]

    Stinger Guest

    The same "software company" that includes common sense as part of its mission
    statement Root Kit. Try reading the entire thread before you jump in taking
    things out of context. It's boring when people do that.

    Read back through the entire post before challenging my quotes from others.

    Here's EXACTLY what Kerry said earlier word for word...
    "There is no debating the fact that this flaw in the DNS system needed to be
    patched and it needed to be patched immediately. This has nothing to do with
    Windows."

    Nothing to do with Windows??????????

    Why didn't you copy and paste the most important part of my last post Root
    Kit? You know the one...

    "Why was the patch even produced by MS if there wasn't a "problem" with the
    OS?"

    PS - don't see you posting a static IP yet Root Kit... :)
     
    Stinger, Jul 18, 2008
  5. PA Bear [MS MVP]

    Kerry Brown Guest

    I stand by the statement. The flaw itself had nothing to do with Windows. It
    was a flaw in the DNS communications protocol. Windows was using the
    existing protocol which was flawed. This meant that Windows had to be
    changed to work with the new protocol or it would be vulnerable. How is this
    a Windows problem? It's a DNS problem that all developers that make products
    that communicate with DNS servers have had to deal with.

    I agree with Root Kit. You haven't provided technical details of how a
    software firewall that does outbound monitoring improves security over the
    Windows firewall. You haven't tried to refute the fact that Zone Alarm's
    monitoring of and reaction to system file changes is flawed. You obviously
    misunderstand what caused Microsoft to update the DNS client in Windows. I'm
    done with the conversation unless you can provide us with some technical
    reasons that back up your assertions. I like a good debate as much as
    anybody but it's pointless unless you at least try to back up your
    statements.
     
    Kerry Brown, Jul 18, 2008
  6. PA Bear [MS MVP]

    Root Kit Guest

    You mean the one where you avoided answering what would happen to the
    machine protected with "just" the windows firewall?
     
    Root Kit, Jul 18, 2008
  7. PA Bear [MS MVP]

    Stinger Guest

    And I've yet to see anyone answer the most important question, you included,
    Kerry..

    "Why was the patch even produced by MS if there wasn't a "problem" with the
    OS?"

    Windows has to be changed to work with the new protocol? So either there
    was something wrong with Windows before or after the new protocol was
    invoked...which is it? Can't have it both ways. If everything was fine
    before the new DNS protocol was invoked, we're right back to my question
    above. You don't need to have technical expertise to see when people dance
    completely around a subject folks.
     
    Stinger, Jul 19, 2008
  8. PA Bear [MS MVP]

    Root Kit Guest

    Why should anyone bother answering a question which exists only in
    your head?
    Just like all the other platforms.
    Seems like you're talking to stay awake.
    That's true. Everyone can see that's what you're doing.
     
    Root Kit, Jul 19, 2008
  9. PA Bear [MS MVP]

    Kayman Guest

    On Fri, 18 Jul 2008 12:43:26 -0300, John John (MVP) wrote:

    John, John (MVP), as I mentioned in a preceding thread, you can't be very
    intelligent and your lateral thinking capabilities are virtually not
    existent! Prior NT these apps were basically regarded essential tools.
    Don't you know the meaning of *"incidentally"*?
    The WinXp firewall application is an *integral* part of the OS and deals
    with inbound protection and therefore does not give you a false sense of
    security. Best of all, it doesn't implement lots of nonsense like
    pretending that outbound traffic needs to be monitored. And yes,
    technically speaking, 'firewall' is really a misnomer.
    Why is that, and what is that supposed to mean?
    Ah, I recall a statement you made in a previous message:
    "*We all know* that the Windows firewall is sufficient and good at it's
    job...".
    I envy you for having the gift to know thoughts of others. (And my crystal
    ball ain't working - bummer).
    But it seems your comprehension is lacking :)
    Agree, as long it is not a 3rd party software (so-called) firewall!
    When starting learning to drive a car I wanted to drive on the 'left' side
    of the road because at the time I thought there was nothing wrong with it
    all, in fact I thought that driving on the middle of the road is much
    safer. Boy am I glad that somebody put me straight!
    We are talking about 3rd party software (so-called) firewall applications!
    The user gets easily blinded by all the hype created by the makers of 3rd
    party (so-called) firewalls. Now they believe it (you're one of them) and
    if an opportunity presents itself I will continue posting links with
    articles saying otherwise in order to create some realistic counterbalance.
    Heck, even Sunbelt (the makers of Kerio) concede that outbound control of
    their software is basically a useless POS.
    In the end it's the user (not you or I) who'll decide.
    Nor do I. But *you* should be ashamed of yourself for making such a
    statement. As a MVP you should set an example and advise novices and the
    uninformed to the best of your ability and in accordance with your vast and
    specialized knowledge (isn't that you've got the 'badge' in the first
    place?)! And all you can say "I don't care".
    (LOL) I refrain from commenting! Except that I sincerely believe that you
    must have demonstrated some skills prior being awarded with a MVP badge.
    Would you please stick to these particular skills and refrain from
    commenting and/or making statements related to Internet Security!
    (Embarrassing, really).
    Bunk, you don't know what I am thinking [PERIOD]!
    I provide links to educational articles provided by well respected authors
    who are highly regarded and respected in the Internet Security Community;
    Their credentials are outstanding!
    I know you disregard the writings of these authors as 'nonsense'. You do
    recall your statement in a previous post:
    "I really don't know why you keep spewing this *nonsense* out..."
    'Nuff said.
    Call it what you wish. Based on what I know, I am eager providing a counter
    balance, the accompanied links of my posts speak for themselves (if
    understood).
    You tried this before. Providing educational links to the uninformed can
    hardly be considered 'berating'.
    You're some kind of a frustrated individual, to say the least!
    The fact is there are a lot of things wrong with these Illusion ware! You
    just don't seem to understand it. I will continue making it my business
    providing links to educational article, so what are you going to do about
    it? Users can take heed or ignore these write-ups. Heck, it's a free
    country and this is usenet.
    If you feel so strong about it, why don't you join a moderated forum!
    Since almost all educational and factual write-ups fail to get commercial
    support, my effort to provide this material opposing the hype created by
    the makers of 3rd party software (so-called) firewall is justified and
    right.
    Now be honest, which software company do you work for?
    The bottom line is that 3rd party (so-called) firewall applications
    promoting the importance of 'outbound control' are *without exception*
    snake oil!
    BTW, aside from your MVP badge, what are your credentials?
     
    Kayman, Jul 19, 2008
  10. PA Bear [MS MVP]

    Kayman Guest

    On Fri, 18 Jul 2008 16:00:03 -0700, Stinger wrote:

    This may clarify things:

    http://securosis.com/2008/07/08/dan...ue-in-dns-massive-multivendor-patch-released/


    "Dan Kaminsky was finally successful in getting the security research
    community to back his claims to the design flaw with DNS."
    http://tech.blorge.com/Structure: /2008/07/11/skepticism-relieved-with-dns-bug/

    Happy reading :)
     
    Kayman, Jul 19, 2008
  11. Interesting comments.
    (See details hereunder)

    I guess this is really true and is what I was suspecting.

    Also a very good point. This habit of MS to give other names to things
    already existing under a well known, common name is really annoying. It goes
    even from one version of Windows to the next, as seen in Vista for which I
    lost a lot of time finding things which I knew from WinXP but eventually got
    other names...

    I'm not so sure about that. Marketing people tend to think they (and their
    recipes) make the market, but they never conduct real studies to prove that.
    In the case of Windows, I guess the success stems from two elements:
    - an open base for software developers to construct their programs (and
    this is actually one point that is being forgotten by MS ... see the problem
    of ZA and KB951748 that sparked all this discussion)
    - the rapid incorporation in MS products of the good things from other
    programs (see Word, that was clearly inferior to other word processing
    packages, but improved ... now, it also got its success because MS made
    access to Win difficult for other programs when moving from MS-Dos to
    Windows)...
     
    Paul (Bornival), Jul 20, 2008
  12. Strictly speaking, ZA prevented the update from functioning properly. For the
    record, according to my best understanding of the technical details of the
    conflict, even if Microsoft had known about the issue there wasn't anything they
    could have done about it.

    Harry.
     
    Harry Johnston [MVP], Jul 20, 2008
  13. Except that they subvert the functionality of the operating system, increasing
    the risk of ... well, to choose an example completely at random, losing internet
    connectivity after applying a security update. :)

    It's a trade-off. There is some security benefit - provided the malware in
    question is carelessly written - but is it worth the costs?

    On the whole, the computer security industry spends enough on advertising that I
    don't think it hurts to have the occasional person noisily presenting the other
    side of the case!

    Harry.
     
    Harry Johnston [MVP], Jul 20, 2008

  14. The best you can do now is resort to personal attacks, says a lot about you.

    The point to be made is that before XP was released third party firewall
    products were the only alternative to hardware firewalls, many of these
    third party firewall products were good and many were free. These were
    trusted applications from trusted companies. Then, overnight, just
    because Windows XP was released, in the eyes of a zealous few these
    companies became villains peddling worthless products! A couple of
    individuals decided to tar and feather a whole ISV group with the same
    wide brush! That is wrong, absolutely wrong, and the attack on some of
    those ISVs is completely unwarranted, those ISVs were trusted companies
    the day before XP hit the market and they were no less trustworthy the
    day after XP was released. Much of the hype against those ISVs is
    nothing more than blind zealotry!

    There is also a developing and troubling trend in this whole debate, one
    that some people are bent on spreading at all costs, that because
    software firewalls are not immune to exploits by malware attempting to
    send data to outside networks, then by simple deduction any and all
    egress filtering as a security concept is unnecessary. Egress filtering
    at the perimeter, done by reliable network appliances, is a vital part
    of network security, without proper egress control your network security
    is incomplete, ignore egress traffic at your own perils! Maybe you do
    not value your data, but others do! In a perfect world there would be
    no pests, no virus, worms, or trojans. No one would try to pry at your
    private data and malicious attacks against computers would be non
    existent. Of course we don't live in a perfect world and people are
    going to continue to get infected with all kinds of pests and some of
    those pests will attempt to steal private data, the value of egress
    control has not diminished when Windows XP was released, over the years
    the need for proper egress filtering has not diminished or vanished, it
    has increased.

    John
     
    John John (MVP), Jul 20, 2008
  15. Where can we find the technical details of the incompatibility? I have been
    looking hard but have not found anything relevant so far (or so vague you
    can't understand what is going on).
     
    Paul (Bornival), Jul 20, 2008
  16. I believe there is some information on the ZoneAlarm forums, and there's been a
    fair bit of discussion in microsoft.public.windowsupdate.

    The quick summary, as I understand it, is that ZoneAlarm couldn't cope with the
    fact that the update modified some of the system files associated with internet
    access. It wasn't anything specific about the way they were changed, simply the
    fact that they had changed.

    Harry.
     
    Harry Johnston [MVP], Jul 21, 2008
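
Added illustration (not ZoneAlarm's code and not part of any post in this thread): the Python model below reproduces the behaviour Kerry Brown and Harry Johnston describe, where network permission is tied to the recorded hash of a system file and any change to the file results in a block. The signed-manifest policy shown beside it, the HMAC standing in for a vendor signature, and all file names and contents are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed key standing in for the OS vendor's signing key. A real product
# would verify a public-key signature (for example a signed catalog), not an HMAC.
VENDOR_KEY = b"constructed-demo-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(hashes, key=VENDOR_KEY):
    """Vendor side: MAC over the sorted list of file hashes shipped in an update."""
    body = "\n".join(sorted(hashes)).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class ProgramControl:
    """Toy per-program network permission database keyed by path and file hash."""

    def __init__(self, accept_signed_updates):
        self.accept_signed_updates = accept_signed_updates
        self.trusted = {}    # path -> hash recorded when network access was granted
        self.vetted = set()  # hashes taken from manifests whose MAC verified

    def grant(self, path, content):
        self.trusted[path] = sha256(content)

    def load_manifest(self, hashes, mac):
        """Verify an update manifest; keep its hashes only if policy allows it."""
        ok = hmac.compare_digest(mac, sign_manifest(hashes))
        if ok and self.accept_signed_updates:
            self.vetted.update(hashes)
        return ok

    def decide(self, path, content):
        current = sha256(content)
        known = self.trusted.get(path)
        if known is None:
            return "block: unknown program"
        if current == known:
            return "allow"
        if current in self.vetted:
            self.trusted[path] = current  # re-baseline on a vetted update
            return "allow: vetted update"
        return "block: file changed"


def simulate(accept_signed_updates, tampered=False):
    """Grant access, apply an update, then ask again. Returns (before, after)."""
    old = b"dns client build 1 (constructed)"
    new = b"dns client build 2 (constructed)"
    path = r"C:\Windows\System32\example_dns_client.dll"  # hypothetical file name
    pc = ProgramControl(accept_signed_updates)
    pc.grant(path, old)
    before = pc.decide(path, old)
    manifest = [sha256(new)]
    pc.load_manifest(manifest, sign_manifest(manifest))
    on_disk = new + b" + injected" if tampered else new
    return before, pc.decide(path, on_disk)


if __name__ == "__main__":
    print("hash-only policy:      ", simulate(False))
    print("signed-update policy:  ", simulate(True))
    print("signed policy, tamper: ", simulate(True, tampered=True))
```

Under the hash-only policy the only way back to connectivity is to re-baseline the database, which is the "clearing the database" fix mentioned in the thread; the signed-update policy re-baselines automatically but still blocks a file whose hash is not in a verified manifest.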
  17. PA Bear [MS MVP]

    Kayman Guest

    Informative reading:

    Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch
    Released
    http://securosis.com/2008/07/08/dan...ue-in-dns-massive-multivendor-patch-released/

    "Dan Kaminsky was finally successful in getting the security research
    community to back his claims to the design flaw with DNS."
    http://tech.blorge.com/Structure: /2008/07/11/skepticism-relieved-with-dns-bug/

    DNS flaw discoverer says more permanent fixes will be needed
    Current patch options merely stopgaps; worst attacks likely on the way
    http://www.computerworld.com/action...ewArticleBasic&articleId=9110284&pageNumber=1

    Just a quick note...
    http://www.doxpara.com/

    Multiple DNS implementations vulnerable to cache poisoning
    http://www.kb.cert.org/vuls/id/800113
     
    Kayman, Jul 21, 2008
  18. PA Bear [MS MVP]

    Kayman Guest

    Nonsense, the "attacks" are nothing but observations based on *your*
    immature and ill informed responses! In any case, you made your own bed!
    You started this by calling me names (remember?)...I can only assume you
    were smoking this stuff (i.e. crack & pot).
    Yes, as I had mentioned many times previously - *Prior NT*!
    I wouldn't go that far, but admittedly some of these software were suitable
    for platforms prior NT.
    (Which company did you say you are representing?)
    Your rant is (again) embarrassing. And *YES*, with the introduction of XP
    these 3rd party personal (so-called) firewalls became superfluous [PERIOD]!
    The makers of these Illusion Ware recognized this very quickly. The dollar
    almighty is their foremost motivation, not users' security..hence the hype!
    (by which you're blinded with).
    Fact:
    Outbound control on an XP platform as a security measure against malware is
    still utter nonsense.
    The windows platform was designed with usability in mind providing all
    kinds of possibilities for e.g. inter-process communication. This
    together with the very high probability that the user is running with
    unrestricted rights makes it impossible to prevent malware allowed to
    run and determined to by-pass any outbound "control" (which, of course
    modern malware is) from doing so. It's simply too unreliable to
    qualify as a security measure.

    Fact:
    Malware must be stopped at the front door and *NOT* allowed to run
    believing that its behavior can be somehow "controlled". In a
    multi-purpose OS like windows with all programs running with
    unrestricted rights, if program A can control program B, what prevents
    program B from controlling program A (or C which A has already granted
    permission for that matter)? (thx RK)
    There you go *again*, another "crystal ball" statement!
    You don't know *my* values! And you're really talking about *YOU*, now
    don't you?
    Fact:
    The only reasonable way to deal with malware is to prevent it from being
    run in the first place. That's what AV software or Windows' System
    Restriction Policies are doing. And what 3rd party Personal (so-called)
    Firewalls fail to do!

    John John (MVP), would you please educate and inform yourself by studying
    publications not associated with any COMMERCIAL influence. Additionally,
    the authors of these publications can be contacted....why don't you bite
    the bullet and do so? It'll brighten your horizon and you could pass on
    your newly acquired knowledge to this and other newsgroups.

    You may wish to utilize this:
    Configuring NT-services much more secure.
    http://www.ntsvcfg.de/ntsvcfg_eng.html
     
    Kayman, Jul 21, 2008
  19. PA Bear [MS MVP]

    Root Kit Guest

    That's not entirely true. You are missing the obvious (and in fact
    most secure) alternative of shutting down the unneeded network
    services (which should of course have been the windows default
    setting). I used to run a W2K machine with a direct Internet
    connection without any inbound "protection" at all and without
    problems for several years. And to be honest, still today I wouldn't
    lose any sleep over operating a hardened W2K client machine directly
    on the net.
    I guess that's an opinion open for debate.
    That's also not true. They were highly criticized among specialists
    already before that. It's just hard to get through the marketing
    noise.
    I think it's absolutely fair that some people stand up against the
    obvious hype and in cases utter nonsense that the marketing
    departments of these companies were and are still using to fool less
    knowledgeable users into buying their products. I find it a bit
    worrying that an MVP does not have the technical insight to see
    through the smoke.

    I've asked this before without getting any responses: Why are there no
    web pages with listings of personal firewall software available for
    Linux? Well, don't bother. I already know the answer.

    Please understand that I'm not in any way trying to "defend" MS. I
    fully recognize that windows has its serious security flaws. But when
    claiming that it can be made more secure by adding further highly
    questionable code to it, one has stepped away from technical sense and
    into emotional reasoning - often backed by non-applicable analogies.
    Who is that? - I for sure have not been spreading that thought.
    Agreed.
     
    Root Kit, Jul 21, 2008
  20. PA Bear [MS MVP]

    Root Kit Guest

    In fact even the windows 9x platform usually didn't need any packet
    filtering. You'd just have to unbind any network service from your
    network interface that you didn't want.
     
    Root Kit, Jul 21, 2008