back to article MS DNS patch snuffs net connection for ZoneAlarm users

Microsoft released four patches - all rated important - as part of its regular Patch Tuesday update cycle, one of which left ZoneAlarm users locked out the internet. The most significant of the quartet fixes a flaw in Windows' implementations of the Domain Name System protocol (MS08-037.mspx). Multiple vendors are subject to the …

COMMENTS

This topic is closed for new posts.

Page:

Stop

don't think it's just Zone Alarm

as i'm borked too unless I use IP addresses to connect - Using Windows Firewall and Safeconnect.

It's a bitch :(

0
0
Happy

Works on my machine...

...which is Windows XP SP 2 with ZoneAlarm Internet Security Suite (the full antivirus, firewall, etc. shebang).

Thanks for the heads-up, though; I'll know what to do if things start going arse-over-tit.

0
0

same for me

I uninstalled zonealarm, turned windows firewall back on and ran seconfig to bolt down the security.

seconfig seems a useful tool and automates the lockdown I normally do manually get it from http://seconfig.sytes.net

0
0

Workaround

I had this happen last night after installing the patch. I found that turning "internet zone" security down to medium fixed the problem, so no need to turn off zonealarm completely.

0
0
Bronze badge

Curious behavoir

The MS patch known as, KB951748, has screwed internet / mail access on one of my rigs. However, on an almost indentical machine, (AMD vs INTEL) everything works fine. Both have Free AVG and Zonelabs software up to date and running. Outlook reports a "No sockets" error and t'internet times out.

I did notice that ZoneAlarm did not ask me for permission for the AVG email scanner to access the big outdoors with the patch applied. But, quite normally, it did ask if Outlook could step outside.

Uninstalling KB951748 solves the problem on the knacked kit.

I'm left scratchin' me ol'bonce.

0
0
Alert

This problem stole 2.5 hours of my life

A temporary solution for anyone suffering from the same problem who doesn't want to uninstall the patch or switch off/uninstall Zonealarm:

Open ZA>>Firewall>>Main>>Internet Zone Security>>Slider bar is on high? Move it to medium.

So, you can get semi-protection with the patch in the interim. This was tried and tested on two XP PCs and an XP laptop.

Hope someone finds that helpful.

Alex

0
0
Thumb Down

Uninstall the patch?

ZoneAlarm recommends that users uninstall the problematic patch, as a workaround, pending the resolution of the problem.

So the alleged security firm is asking us to uninstall the security patch rather than uninstalling their scareware crap? What a surprise.

0
0
Coat

Passing the buck

I'm sure people will enjoy taking the opportunity to chastise Microsoft on this occasion. I on the other hand point the finger firmly at ZoneAlarm and blame it for utilising questionable methods within its software. Funny how other software firewall vendors aren't feeling the pain.

And what sort of ridiculous suggestion is it to uninstall a security fix?!! Surely a responsible company would have suggested that the user uninstall their broken firewall, use Windows Firewall as a temporary solution, and then install an updated version of the third-party firewall when a fix is available. I'm sure people will criticise the suggestion of temporarily using Windows Firewall, truth is that it's there and as far as software firewalls go it's not a bad product.

*shakes head in disbelief* Telling users to uninstall a security fix... Sheesh.

I'll get my coat. It's the one with "Don't take coding shortcuts" printed on the back.

0
0

Socket entropy and cruddy TCP stacks

I've read the headlines about this bug fix and I know that it's not just a MS issue, but if the problem is simply a lack of socket number entropy then surely this is an indication of the crappiness of the underlying Socket layer / TCP stack rather than a fault in the DNS protocol itself.

I note that djbdns (for one example), gets round the problem by binding to specific (random) port numbers in its requests, and I understand that these recent patches are doing similar things.

However, they shouldn't NEED to. This is a flaw in the OS's TCP stack. the OS should not be generating easy-to-guess socket numbers. Windows is particularly terrible in this respect (or at least I know it used to be) because it just allocates successive ephemeral port numbers. How crap is that??? Answer - VERY VERY crap!

OpenBSD fixed this problem a loooooooong time ago by randomising the ephemeral port allocation. This protects ALL network-bound appications, not just DNS.

And if stuff like Zone Alarm is now falling over because of this change, well what does that say about the security of Zone Alarm (ie - it must be making assumptions about the traffic it is monitoring based on the allocated socket numbers - again - how crap???)

It's all just as well that so much effort is being put into stuff like the latest MP3 player skin or animated dog cartoons in Word! 'Cos THEY are really important and useful!

0
0

So, the patch works

Technically having no net connection will protect users from the DNS problem, but a cynical person might be tempted to think that MS was trying to get people away from using ZA.

0
0
Pirate

Connection Nobbled

Came in to work to find the PC having auto updated would not connect to the net at all. Spent (wasted) some time figuring out it was Zone Alarm, wasted more time re-installing it (as it has a tendency to self destruct on its own from time to time) before then having to surf the net with NO firewall to find it was the firewall and the latest MS update at fault. Have rolled back then to a LESS secure system so at least I can have the firewall on. Zone Alarm's forum is full of this, they must be in meltdown at the moment. Fancy having to turn off your firewall so you can get on the sodding net to find out what's wrong!!

0
0
Thumb Up

This caught me out last night.

I figured it was the patch causing the problem, but didn't realise it was affecting Zone Alarm. Thanks for the heads up.

0
0
Gates Horns

Vista vulnerable???

I thought Vista was written with security as it's prime concern....

Or was that just an excuse for them to drop support for XP and force everyone to shell out for the new OS?

0
0
Bronze badge

Zone Alarm version ?

I'm still running ZoneAlarm 6.1.744 on the machine that works fine with the patch.

T'other kit has 7.0.462 and that's knackered after applying KB951748.

Both instances of ZoneAlarm would appear to be doing their work fine - as a quick drop by to Steve Gibson's "Shields Up" site demonstrates.

Both instances have the Internet / Trusted settings at max.

**NOTE: uninstalling and reinstalling ZoneAlarm used to require a removal tool from ZoneLabs. **Need to check this first. But I'm happy to revert the knacked machine back to version 6.0 and keep going.

0
0
Silver badge

Vista is not affected by this issue

Based on my SP1 machines and comments on the ZA forums. I think I'll hold off from applying the patch to my XP/SP3 boxes, though :)

0
0
Bronze badge

I can't get Maplin today.

Anyone else?

0
0

Easy way to check

Just get ZoneAlarm to notify on every block it does.... if it's blocking any and all traffic then you need to either

a) lower security to medium. or

b) allow each app to be a trusted server and also allow every single IP it blocks.

took 10 mins to figure out this morning.

0
0
Paris Hilton

@ Vista vulnerable???

I think you ought to check your facts before jumping onto the usual Vista-bashing bandwagon - the security bulletin states that Vista 32/64 and Server 2008 are not affected and therefore don't need patching.

So with regard to your witty, insightful comment:

1. Vista must be more secure, as it doesn't need the patch required by previous versions of Windows, and

2. The fact that they've released the patch for XP surely means they haven't dropped support, as they're STILL RELEASING PATCHES.

No wonder you wanted to remain anonymous. Tw@.

Paris, cos she could outsmart you.

0
0
Tim
Gates Horns

Seems Microsoft wont test with typical setups!

Millions use zonealarm, but you know MS wont test this patch with it.... Killed my internet connection on one machine (which i fortunately knew was down to the patch and not the very "helpful" troubleshooting advice that my router was the problem, as i was also playing Buzz online on my PS3)

0
0
Pirate

Ref moving slider down

Ref the suggestions about moving the slider down from max to medium, this didn't work for me (nor moving the slider right down!), the only cure was switching off ZA completely or rolling back the MS patch.

0
0
Thumb Up

Re: Zonealarm & Vista...

No problems so far on Vista SP1 and free Zonealarm on high security settings.

0
0
Anonymous Coward

Zone Alarm problems

Why don't you use an OS that doesn't require you to run stuff like Zone Alarm? Wouldn't that be the common sense thing to do?

Just thought I would point out the bleedin' obvious :-)

0
0
Gates Halo

@Craig questionable security practices

I don't want to take sides, but Microsoft has "yielded" to the complaining of 3rd parties for years (since NT days) about security practices. There are tight ways of doing things for security, which some of MS OS has tried to incorporate and push (probably badly) onto 3rd party producers. There are even examples of this in Vista where they caved because of griping from vendors. The fact is, if you allow 3rd parties to do things in a shady way, they get dependent on that and gripe about changing. Both sides are to blame, IMO.

I have to say that the conflicts like this ZoneAlarm thing are pretty rare, despite how complex software is these days.

0
0
Stop

@ all you Zone Alarmists

"I blame Microsoft blah, blah, blah...."

Software 'firewalls' are a joke. Zone Alarmist is probably the worst of them...

get real, get rid of it, & get over it

0
0

@DeBunk

If Vista is not getting KB951748, it seems unlikely to get the problem.

0
0
Bronze badge

Diversity

I don't want everyone to have to rely on a single source for a firewall or a web browser.

I know I seem to have dodged several issues through not depending on Microsoft.

Interesting thing: the Windows tracert utility was working, and giving domain names for non-local machines which I don't expect to find in any cache.

0
0
Paris Hilton

@Andy

My bad...I'd just woken up.

0
0
Anonymous Coward

Another workaraound

Following an item published on Zonealarms site I extended it to fix the e-mail which didn't work either.

In Zonealarm click on Firewall and the Main tab, set the Internet Zone Security back to High.

Then click on Custom - scroll down one and the bottom entry for the High zone is "allow outgoing TCP ports:" That will normally have (no ports selected) after it.

Click on the box on the left; a box will appear underneath for you to enter the ports to be allowed; in the box type "80, 110, 443" without the quotes.

Ports 80 and 443 allow the browser to work and port 110 allows pop3 e-mail to work.

This way you've got the M$ patch which you really do want and you've got most of the ZA security which is more than you get without it.

0
0
Thumb Down

Me too

Got caught by this on two W2K and one XP machine last night. What a pain, time for ZA to go!

0
0

Oh well....

To ekimdam [a.k.a. MadMike]: Get a life!

To Mike: XP security updates will be around until 2014.

To Tim: Boo hoo. Microsoft tests their security fixes. But every PC is different. Fix has no problem [it seems] with ZA 6.1 but is a problem with 7.0.

All: Better off sticking with ZA and not touching the update until either one of them comes out with a fix.

0
0
Happy

Unaffected

Comodo Firewall Pro free is unaffected on my two machines that run it.

0
0
Happy

Port 25

RE: Another workaraound

By Mike Collins

"Now why didn't I think of that?"

You might want to add port 25 too.

0
0
Bob

Affected W/O Zone Alarm

I am in the US and my Toshiba laptop with XP Pro, SP2 installed will not connect to the Internet - and I do not have Zone Alarm. This all happened after it installed the updates while I was away from my laptop. I am at work now and will see what I can do when I get home tonight. I was not a happy camper (American saying...) last night when I thought my new network setup from this past weekend broke down!

Now I just have to figure out how to fix this...

0
0
Alert

Had this last night...

I saw it happen right in front of my eyes. Patches got applied, and on reboot, no internet. I could easily ensure that external internet access was available (via my router diags) and soon found out that ZoneAlarm was the problem. I uninstalled that and switched to Comodo, and all is well. BTW, I also found that the Windows Fire curtain (cannot really call it a Wall, can I?) was turned on -- I don't know whether by this update or something earlier. Anyway, I of course turned that off.

0
0

Maybe this is why there was not enough "testing" of the patch...

http://news.yahoo.com/s/afp/20080709/ts_alt_afp/usitinternetsoftwarecrime

"Computer industry heavyweights are hustling to fix a flaw in the foundation of the Internet that would let hackers control traffic on the World Wide Web.

Major software and hardware makers worked in secret for months to create a software "patch" released on Tuesday to repair the problem, which is in the way computers are routed to web page addresses."

0
0
Flame

Heh

An automatic update that takes a Windows box off the internet, bliss.

That said, I won't touch ZoneAlarm with a 10' pole since it broke my Win98 tcp/ip stack so badly a full OS reinstall was necessary, way back when.

0
0
Thumb Up

Re: all you Zone Alarmists

"Software 'firewalls' are a joke. Zone Alarmist is probably the worst of them...

get real, get rid of it, & get over it"

Amen brother!

@Gis Bun

Has ZoneAlarm EVER saved you from anything?

Security theatre, anybody?

0
0
Thumb Down

Countersoft

ZoneAlarm's support drives me around the bend.

There is an issue with ZoneAlarm whereby if ad blocking and cookie control is set, any web applications on your local machine won't work. This has been going on for years and years and is a pain in the neck for developers.

Their "log a call" support recognises the issue, but won't acknowledge it in public as a "known issue", stating the developers will "fix it when they will fix it". Yeah right, years later still nothing has happened. I logged the issue two years ago and again a month ago.

I tried posting on their forums about this issue, and they DELETED the post, YES you heard me right. There was nothing nasty about the post other than the fact I said the bug had been going on for years.

There are lots of other posts on ZoneAlarms forums that seem to point to this issue as well....

Alex

0
0
Anonymous Coward

RE Another Workaround

Thanks to Doug Glass above - Include port 25 which is used for sending email.

Silly me didn't test it fully - I should apply to M$ for a job.

So include ports 25, 80, 110, 443 in the Allow outgoing TCP ports list.

0
0

LOL---- Again?

Thats why I switched to a MAC. Life is great on the internet again since I switched!

0
0
Happy

MY VISTA DID NOT INSTALL IT

......my machine refused it somehow......everything works ok.....or was this only for XP.........I have Vista Home Premium...well, no fguss here, life as we know it goes on....kerplunk...Ohio is safe so far

0
0
Thumb Up

FAO: Flunky Dennis

"Has ZoneAlarm EVER saved you from anything?"

Why, yes it has actually - many moons ago when it was still a "desk band" it prevented a suspiciously named executable getting out from my system that no AV program I was able to get my hands on was able to find (I ran a BBS at the time, so had access to quite a few). The executable deleted itself as soon as it was refused access.

Not a single machine has passed through my hands without installing a copy since if it had no other firewall.

0
0
Unhappy

I wonder how many poor sods downloaded this update last night

and now have no internet access? You can't find out about the problem unless you can visit a website and a fair few folk probably don't have a clue what's happened to them. I think I'm going to download Sunbelt or Comodo tonight.

0
0
Thumb Up

Tuesday update cycle, one of which left ZoneAlarm users locked out the internet.

I installed Windows update this morning during shut down operation. Cold booted the machine, was able to access Internet without any problems.

I have been a Zone Alarm and Zone Alarm Pro user for several years and have never had any problems with the product.

Your Uncledudly

0
0
Paris Hilton

Silly wabbit, MACs are for (sumthin'-or-other)

> "Thats why I switched to a MAC. Life is great on the internet again since I switched!"

Now Abel, while I respect your good intent ;) we all know that *real* Mac users don't use all-caps when referring to their machines. It's not an acronym. Silly Abel. :)

Paris probably knows the difference between MAC and Mac.

0
0
Paris Hilton

All popular security products are worse than the problems they suposedly prevent

Viruses "proper" haven't been a problem since the dawn of the internet. "Worms" only bite people who run servers, "Trojans" only affect people who click on stupid email links. Therefor virus scanners are an unnecessary drain on your system, usually worse than actually having a virus.

Sitting behind a NAT router makes firewalls near useless, and the last good software firewall died out long ago. (i.e. one where you could actually lock down ports and stayed out of the application layer, and refrained from obnoxious warnings)

Lastly, just use a "safe" browser (Firefox), and stay away from shady sites (no, that *isn't* really a naked picture of the Olson twins dikeing it out), install the latest updates (except for SP3 for god sakes), and you are sorted!

0
0
Anonymous Coward

Also affected google log in and my mail

Could not log in to google yesterday and MS outlook would not send or receive.

What a pain, didn't figure out it was Zone Alarm until this morning, because Hughesnet had a satellite down too. Maybe it was MS update too. I wish MS would test things before they throw them out there so everybody's computer crashes!

0
0
Linux

Ha ha ha

Best laugh I've had so far this month!!!

0
0
Black Helicopters

Not Just zonealarm

Had to remove the patch from a machine that DID NOT have zone alarm installed!!!

Anyway software firewalls are a really bad idea - they run on the machine so allow the hacker got to the machine, Far better and easier to use an external firewall (netgear etc) which stops them getting to your machine in the firstplace.

Also, most people screw them up opening this port and that port or allowing software to do it for them having no idea what they are doing so all they end up is a fiewall with loads of unnecessary holes.

Save your money and buy a hardware firewall.

0
0
Anonymous Coward

ZoneAlarm....

The real problem is ZoneAlarm. It's such a terrible product. I always advise anyone using it to uninstall it. With everyone using hardware boxes (home "routers") with built-in firewalls + Microsoft's forced use of Windows Firewall, there's really no reason to run another firewall, especially Zone Alarm.

0
0

Page:

This topic is closed for new posts.

Forums