Re: Zonealarm exports sensitive data

[slayer67 () APK NET (Dino Amato)]

in version 1.96 they have fixed this they said so that loggin is disabled by
default.
> Fromrelease notes.

RELEASE 1.9.6 (this release)

. Issue:  ICEcap reporting can be inadvertently turned on without user
  user knowledge.

  Resolution:  Fixed.  ICEcap reporting has been disabled on this
  release.  The entries inadvertently added in blackice.ini are
  automatically removed by this version of BlackICE.

----- Original Message -----
From: Lampe, John W. <JWLAMPE () GAPAC COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Monday, February 28, 2000 1:30 PM
Subject: Re: Zonealarm exports sensitive data

> Actually blackICE defender version 1.8.2.6 does not send anything
> "sensitive" in nature.  What I captured was such:
> 1) 3 way handshake
> 2) GET <A 
> HREF="http://advice.networkice.com/advice/Intrusions/<number">http://advice.networkice.com/advice/Intrusions/<number</A>>
> 3) Error 302 ("Object Moved")
>     Location: <same as above but add "/" after <number>  >
> 4) GET <A 
> HREF="http://advice.networkice.com/advice/Intrusions/<number">http://advice.networkice.com/advice/Intrusions/<number</A>>/
> 5) page is sent.
>
> Can you tell me which version you're running?
>
> John Lampe
>
> ----------
> From: Brett Glass[SMTP:brett () LARIAT ORG]
> Reply To: Brett Glass
> Sent: Friday, February 25, 2000 8:17 PM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Re: Zonealarm exports sensitive data
>
> It should be noted that BlackICE Defender, a competitive product,
> does precisely the same thing if one clicks on the "AdvICE" button.
> Since the attack information displayed by the program's graphical
> interface is quite brief (there's more in the log files, but
> only sophisticated users will know how to find and read them),
> users are strongly motivated to click the button.
>
> I do not know whether the URLs sent by either product are being
> used to gather statistics on the frequency of attacks or as a
> means of piracy detection. They certainly could be, if the vendors
> had a mind to do so.
>
> --Brett Glass
>
> At 12:40 AM 2/25/2000 , Andrew Daviel wrote:
>
> > ZoneAlarm by zonelabs.com can export possibly sensitive data if
> > the "More Info" button is clicked from an alert.
> >
> > ZoneAlarm is a personal dynamic firewall for Windows 9x/NT.
> > When a rule is triggered (typically an inbound connection to
> > an unregistered or alarmed service) an alert box appears with a brief
> > description of the event and a button labelled "More Info". When this
> > is clicked a URL is passed to the user's Web browser sending information
> > to Zone Labs' server for more detailed explanation.
> >
> > Currently (version 2.0.26) the information passed includes:
> > Source Address and Port
> > Destination Address and Port
> > Operating system version
> > Firewall version
> > Whether the connection was blocked
> > The lock status of the firewall
> >
> > All this information is sent in clear as an HTTP GET request (port 80).
> >
> > It could possibly be seen on the Internet in transit or in proxy logs,
and
> > may include information about machines on an internal network inside a
> > corporate firewall. The request itself could be blocked by ZoneAlarm, but
> > it is likely that the setting for the Web browser would allow it to
access
> > the external network (Internet).
> >
> > It is fairly simple to edit the .EXE file to disable this feature, or
> > to redirect it to a local server.
> >
> > (IMO the benefits from using the product outweigh the risks of this data
> > leak....)
> >
> > Andrew Daviel
> > Vancouver Webpages etc.
>
>
>
> Thanks,
>
> John Lampe