Firewalls plug holes revealed by security test

Several personal firewall vendors have released patches or updates to their software to address vulnerabilities found by PC security guru, Steve Gibson.

Most commercial firewalls flunked a test devised by Gibson in December. His Trojan horse simulation, called LeakTest, checks whether a firewall is too trusting in the way it exempts some Internet applications from firewall restrictions.

Only ZoneAlarm, from Zone Labs Inc., passed Gibson's initial test. The remaining vendors immediately promised patches.

Those whose personal firewalls were fooled by LeakTest included Symantec Corp., Sygate Technologies Inc., Network Associates Inc., and McAfee.com Corp. (The last two both market a version of McAfee Firewall.) Symantec, Tiny Software, Sygate, and Source Velocity have released updates to answer Gibson's challenge.

But for the customer, it's not immediately apparent which version passes the LeakTest. Also, some vendors recommend changing their personal firewall's default settings, which is more important than some users may realize. As a result, managing personal firewall software is becoming a challenge for the consumers it's designed to protect.

Masquerading to the Web

As Gibson explains it, LeakTest exploits a problem many firewalls face when they block unauthorized communications or unapproved applications. Often, firewalls identify approved applications by name or their choice of ports. Gibson strives to show that any Trojan horse--a program that masquerades as a friendly application--could be renamed, choose appropriate ports, and be mistaken for a trusted application.

His LeakTest is still available as a free download from Gibson Research. You might want to run your firewall through its paces again--just to be sure you have the right version.

For example, Symantec has updated its popular Norton firewall products. Free updates are available for Norton Personal Firewall 2.0 and 2.5, as well as Norton Internet Security and Norton Internet Security Family Edition, which contain Norton Personal Firewall. But you have to run Live Update, its downloadable upgrade service, twice to get the fix, Gibson says.

The first time, Symantec updates you to version 2.54, Gibson says. "Then you have to restart and manually run it again to get to version 2.55"--which makes your system LeakTest-proof.

Symantec confirms the process.

"Norton Personal Firewall 2.0 gets updated to version 2.5, and version 2.5 gets updated to 2.55," says Tom Powledge, group product manager at Symantec. "In some cases, a user may have to run LiveUpdate more than once."

Added Safeguards

Powledge says the update also improves authentication of applications trying to connect to the Web. Norton Personal Firewall now supports rule fingerprinting using a secure hash algorithm called SHA-1. A firewall rule is tied to a specific application, and it can't run for any other, he says.

Also new is full path validation for Windows NT and 2000, which links an application's firewall authorization to the application's exact directory path, Powledge says. Symantec has encrypted its application database and now sets the default for automatic firewall rule creation to off, he adds.

Gibson applauds Symantec's improvements. But he says Symantec should warn users against restoring the default to automatically create firewall rules.

With automatic rule creation, "if the firewall sees you're running a program it thinks it knows, it doesn't pop up and warn you when that program tries to connect," Gibson says. Users might restore the setting if they find it irritating to be frequently alerted when programs execute, he says.

Symantec says that even with automatic rule creation, you'll still get an initial prompt when an application tries to connect. For example, the first time you run Internet Explorer, the firewall prompts you and creates a rule. But if you create and run a Trojan IE using LeakTest, the firewall will check the application again, not use a preconfigured rule, Powledge says.

Tiny Falls in Line

Besides Symantec and ZoneAlarm, Tiny Software's Tiny Personal Firewall also now passes LeakTest's trial of Trojans.

"In the early stages of our software, the Trojan leak could happen," concedes Roman Kasan, founder and chief executive of Tiny Software. "Version 2.07 was the build that has no leak."

Kasan says Tiny posted version 2.08 this week and expects to release version 2.09, an encrypted configuration, this week as well. Home users can download the latest version free of charge, Kasan adds.

All three vendors whose firewall products now pass LeakTest use similar secure hash functions to protect a system against Trojan applications, Gibson says.

"Zone Alarm, Norton Personal Firewall, and Tiny Personal Firewall all create a fingerprint of the files the user is permitting, using either MD5 [message digest 5] or SHA-1," Gibson says. In each case, the firewall can prevent a malicious program from pretending to be an application that has the firewall's permission, he adds. "That's exactly what the LeakTest was designed to force these companies to do."
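The two checks the article contrasts, a rule keyed only by the program's file name (the behavior LeakTest exposed) versus a rule bound to the file's full path and its SHA-1 fingerprint (the fix Symantec, Tiny, and Zone Labs describe), side by side in Python. This is an added illustration, not code from Gibson or any of the vendors; the file names, contents, and directory layout are constructed stand-ins, and SHA-1 is used because the article names it, not because it is the only suitable choice.

```python
import hashlib
import hmac
import os
import tempfile


def sha1_of_file(path, chunk_size=65536):
    """Return the hex SHA-1 of a file's contents, read in chunks."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class NameRuleTable:
    """Pre-patch style: a rule is keyed by the executable's file name only,
    so any program that carries the same name inherits the rule."""

    def __init__(self):
        self.allowed = set()

    def permit(self, path):
        self.allowed.add(os.path.basename(path).lower())

    def is_allowed(self, path):
        return os.path.basename(path).lower() in self.allowed


class FingerprintRuleTable:
    """Patched style: a rule is keyed by the absolute path and by the SHA-1
    recorded when the user granted it, so a renamed copy elsewhere or a
    replaced file at the same path no longer matches."""

    def __init__(self):
        self.allowed = {}  # absolute path -> sha1 hex digest at rule creation

    def permit(self, path):
        full = os.path.abspath(path)
        self.allowed[full] = sha1_of_file(full)

    def is_allowed(self, path):
        full = os.path.abspath(path)
        expected = self.allowed.get(full)
        if expected is None:
            return False  # no rule exists for this exact path
        return hmac.compare_digest(expected, sha1_of_file(full))


def run_scenario():
    """Create constructed sample files in a temporary directory and evaluate
    both rule tables against three cases. Returns a dict of outcomes."""
    with tempfile.TemporaryDirectory() as workdir:
        trusted = os.path.join(workdir, "browser.exe")
        with open(trusted, "wb") as handle:
            handle.write(b"constructed: stand-in for a trusted browser binary\n")

        name_rules = NameRuleTable()
        hash_rules = FingerprintRuleTable()
        name_rules.permit(trusted)   # user clicks "allow" once
        hash_rules.permit(trusted)

        results = {
            # Case 0: the program the user actually approved
            "trusted_by_name": name_rules.is_allowed(trusted),
            "trusted_by_fingerprint": hash_rules.is_allowed(trusted),
        }

        # Case 1: an unrelated program saved under the trusted name elsewhere
        other_dir = os.path.join(workdir, "elsewhere")
        os.mkdir(other_dir)
        renamed = os.path.join(other_dir, "browser.exe")
        with open(renamed, "wb") as handle:
            handle.write(b"constructed: stand-in for an unrelated program\n")
        results["renamed_by_name"] = name_rules.is_allowed(renamed)
        results["renamed_by_fingerprint"] = hash_rules.is_allowed(renamed)

        # Case 2: the approved file replaced in place at the same path
        with open(trusted, "wb") as handle:
            handle.write(b"constructed: different contents at the trusted path\n")
        results["replaced_by_name"] = name_rules.is_allowed(trusted)
        results["replaced_by_fingerprint"] = hash_rules.is_allowed(trusted)
        return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:26s} -> {'allowed' if outcome else 'blocked'}")
```

Only the first case is allowed by the fingerprint table; the name-only table allows all three, which is the gap LeakTest's renaming trick demonstrates. Recording the path as well as the hash matters for the in-place replacement case too: a hash alone would still reject the swapped file, but the path check is what stops a rule from silently migrating to a copy in another directory, which is the "full path validation" the article attributes to Symantec.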

Scoring the Updates

Gibson has updated his site with a scoreboard for the firewalls that pass LeakTest.

Symantec answered the challenge, Gibson says. "But Tiny has arguably won, because it supports dual processors and it's free for personal use," as is ZoneAlarm, he notes. PC World also found that overall, the free ZoneAlarm was one of the most secure personal firewalls and recently named it a Best Buy.

Although Gibson says he's not aware of Sygate's LeakTest-proof update, Sygate says its latest version fixes the hole.

"Sygate Personal Firewall 4.0 has addressed all the issues" raised by Gibson's Trojan horse, says Babak Salimi, director of product management at Sygate. He says the company has updated the release that Gibson last tested.

"The current build for [Sygate Personal Firewall] 2.1 is 475," Salimi says. "It removes some of the default settings Gibson criticized."

Sygate Fortifies Its Firewall

Users of Version 2.1 should update to the latest build or switch to version 4.0 for free, Salimi says.

"Version 4.0 addresses the second issue of LeakTest: when an application masquerades as a legitimate one," Salimi says. The program now associates a signature with each application, to identify Trojans. Salimi says the update also offers application behavior controls, which LeakTest doesn't check.

According to Salimi, even if a firewall blocks an application, someone could exploit your legitimate software. For instance, Outlook could be directed to a mail server other than the one you use.

Sygate Personal Firewall combats this with Lock Down, which restricts Outlook, for example, to communicate through port 53 and only to your mail server.

Gibson says Source Velocity, maker of PC Viper, was one of the first vendors to respond to LeakTest. Version 3.1.6 passes the test.

McAfee Promises Patch

Network Associates is still working on a patch that addresses the LeakTest. So is McAfee.com, which provides the hosted McAfee Firewall, says Lew Brentano, vice president of engineering for McAfee.com. An update should be available within weeks, he says.

Network Associates, which sells the packaged version of McAfee Firewall, promises a downloadable update in February, according to a Network Associates spokesperson.

McAfee is tackling a large chunk of the problem by creating a digital signature for most popular applications, so the application cannot be forged, Brentano says. The updated McAfee Firewall will also have some configuration changes to address user concerns about firewall settings, he adds.

Firewall issues aren't always obvious to consumers, Brentano adds. Gibson agrees, and his continuing mission is to make those issues more obvious for the vendors.
