Security Crusader Punches Holes in Firewalls
Gibson's simple Trojan horse tricks firewalls from McAfee.com, Symantec, Sygate, and more.
Vendors Reassess, Revise Firewall Rules
Gibson says the firewalls are too easily vulnerable. He modified his Trojan so it doesn't simply impersonate an approved application, but gives the firewall a new rule allowing entry of any application.
"There is nothing to prevent a Trojan from making its own entry" in the Application Lookup Engine (ALE) of Norton Personal Firewall, Gibson says. He expects most firewalls that predefine trusted applications share the flaw.
Only firewalls from Zone Labs were able to fend off LeakTest, Gibson says. The company's ZoneAlarm and ZoneAlarm Pro passed the test, he says, because they have a fundamentally different way to identify a trusted application. As a default, ZoneAlarm prohibits all traffic. It recognizes no applications as trusted, verifying them one by one as they first run.
Unlike many other firewalls, however, ZoneAlarm does not identify applications by name or choice of ports. Instead, it examines a program's actual code using a cryptographic standard called an MD5 checksum.
"It is conceptually infeasible to get any other program to produce the same MD5 signature," Gibson says.
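The difference between trusting a program by name and trusting it by the checksum of its code, as an added example that is not from the article or from any of the vendors' products. It uses SHA-256 where the products described here used MD5, because MD5 is no longer collision-resistant; the file name `browser.exe`, the class names and the file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def digest(path):
    """SHA-256 of the file's bytes, read in chunks (stands in for the article's MD5)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class NamePolicy:
    """Weak form: trusts any executable whose file name is on a predefined list."""
    def __init__(self, trusted_names):
        self.trusted = {n.lower() for n in trusted_names}
    def allows(self, path):
        return os.path.basename(path).lower() in self.trusted

class DigestPolicy:
    """Default deny: a program is trusted only once its exact bytes are approved."""
    def __init__(self):
        self.approved = set()
    def approve(self, path):
        self.approved.add(digest(path))
    def allows(self, path):
        return digest(path) in self.approved

def write(path, data):
    """Create a constructed sample file and return its path."""
    os.makedirs(os.path.dirname(path))
    with open(path, "wb") as f:
        f.write(data)
    return path

def demo():
    """Return each policy's verdicts as (approved program, same-named other program)."""
    with tempfile.TemporaryDirectory() as d:
        real = write(os.path.join(d, "real", "browser.exe"), b"constructed: approved program")
        other = write(os.path.join(d, "other", "browser.exe"), b"constructed: different program")
        by_name, by_digest = NamePolicy(["browser.exe"]), DigestPolicy()
        before = by_digest.allows(real)  # nothing is trusted until the user approves it
        by_digest.approve(real)
        return {"name": (by_name.allows(real), by_name.allows(other)),
                "digest": (by_digest.allows(real), by_digest.allows(other)),
                "digest_before_approval": before}

if __name__ == "__main__":
    print(demo())
```

The name-based policy accepts both files because they share a file name; the digest-based policy accepts only the bytes that were approved.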
Watch for Online Updates
Other firewall vendors are reexamining how their programs verify a program's identity. McAfee.com is already working on an MD5 checksum function for future versions of its firewall, Curry says. The company is also developing a patch to address Gibson's findings.
"Steve [Gibson]'s concerns are valid, and we are going to address them," Curry says. He advises users to check McAfee.com for a patch this week.
Sygate Personal Firewall 4.0 will be a totally new version of the software and will incorporate the MD5 checksum, says John De Santis, Sygate chief executive officer. The company expects to post a patch for its 2.1 product that eliminates blanket permission for certain ports (but will not yet include the MD5 checksum) on its site this week.
A new firewall from Tiny Software was still in beta version during Gibson's tests, but it implements an MD5 checksum engine. It originally included a list of preapproved apps, but Tiny is reconsidering that approach in light of Gibson's criticism, says Brandon Talaich, Tiny's vice president of marketing. The version of the firewall's Trusted Application Mechanism will identify programs by their MD5 signatures.
Symantec is currently considering several methods, including an MD5 checksum, to more thoroughly verify a program's identity.
"We are going to address all the issues that were brought up by the LeakTest," Powledge says. Symantec has not decided whether to offer an interim fix or wait for a comprehensive update. But Powledge advises concerned customers to disable the program's automatic firewall rule generation. (A document on Symantec's site explains how.)
Likewise, McAfee.com's Curry says users of the McAfee.com Personal Firewall should watch the site for an update. "As an ASP, we can roll out upgrades like this to our entire user base very quickly," Curry notes.
Gibson Keeps Watch
And Zone Labs is neither bragging nor relaxing. No security product is 100 percent safe, says Gregor Freund, president.
"You have to create a balance," Freund says. "Steve [Gibson] points out where that balance should be." Can the program be fooled? Users certainly can, he adds. The firewall will allow a program if the user authorizes that program, but it trusts the customer's judgement.
"People have to understand that downloading a piece of software--if they have no idea what it is or what it does--is taking a risk," Freund adds.
For his part, Gibson expects to keep watching. He's already working on LeakTest 2.0, expecting everyone to quickly fix the flaws LeakTest 1.0 uncovers.