Microsoft released four patches - all rated important - as part of its regular Patch Tuesday update cycle, one of which left ZoneAlarm users locked out the internet. The most significant of the quartet fixes a flaw in Windows' implementations of the Domain Name System protocol (MS08-037.mspx). Multiple vendors are subject to the …
don't think it's just Zone Alarm
as i'm borked too unless I use IP addresses to connect - Using Windows Firewall and Safeconnect.
It's a bitch :(
Works on my machine...
...which is Windows XP SP 2 with ZoneAlarm Internet Security Suite (the full antivirus, firewall, etc. shebang).
Thanks for the heads-up, though; I'll know what to do if things start going arse-over-tit.
same for me
I uninstalled zonealarm, turned windows firewall back on and ran seconfig to bolt down the security.
seconfig seems a useful tool and automates the lockdown I normally do manually get it from http://seconfig.sytes.net
I had this happen last night after installing the patch. I found that turning "internet zone" security down to medium fixed the problem, so no need to turn off zonealarm completely.
The MS patch known as, KB951748, has screwed internet / mail access on one of my rigs. However, on an almost indentical machine, (AMD vs INTEL) everything works fine. Both have Free AVG and Zonelabs software up to date and running. Outlook reports a "No sockets" error and t'internet times out.
I did notice that ZoneAlarm did not ask me for permission for the AVG email scanner to access the big outdoors with the patch applied. But, quite normally, it did ask if Outlook could step outside.
Uninstalling KB951748 solves the problem on the knacked kit.
I'm left scratchin' me ol'bonce.
This problem stole 2.5 hours of my life
A temporary solution for anyone suffering from the same problem who doesn't want to uninstall the patch or switch off/uninstall Zonealarm:
Open ZA>>Firewall>>Main>>Internet Zone Security>>Slider bar is on high? Move it to medium.
So, you can get semi-protection with the patch in the interim. This was tried and tested on two XP PCs and an XP laptop.
Hope someone finds that helpful.
Uninstall the patch?
ZoneAlarm recommends that users uninstall the problematic patch, as a workaround, pending the resolution of the problem.
So the alleged security firm is asking us to uninstall the security patch rather than uninstalling their scareware crap? What a surprise.
Passing the buck
I'm sure people will enjoy taking the opportunity to chastise Microsoft on this occasion. I on the other hand point the finger firmly at ZoneAlarm and blame it for utilising questionable methods within its software. Funny how other software firewall vendors aren't feeling the pain.
And what sort of ridiculous suggestion is it to uninstall a security fix?!! Surely a responsible company would have suggested that the user uninstall their broken firewall, use Windows Firewall as a temporary solution, and then install an updated version of the third-party firewall when a fix is available. I'm sure people will criticise the suggestion of temporarily using Windows Firewall, truth is that it's there and as far as software firewalls go it's not a bad product.
*shakes head in disbelief* Telling users to uninstall a security fix... Sheesh.
I'll get my coat. It's the one with "Don't take coding shortcuts" printed on the back.
Socket entropy and cruddy TCP stacks
I've read the headlines about this bug fix and I know that it's not just a MS issue, but if the problem is simply a lack of socket number entropy then surely this is an indication of the crappiness of the underlying Socket layer / TCP stack rather than a fault in the DNS protocol itself.
I note that djbdns (for one example), gets round the problem by binding to specific (random) port numbers in its requests, and I understand that these recent patches are doing similar things.
However, they shouldn't NEED to. This is a flaw in the OS's TCP stack. the OS should not be generating easy-to-guess socket numbers. Windows is particularly terrible in this respect (or at least I know it used to be) because it just allocates successive ephemeral port numbers. How crap is that??? Answer - VERY VERY crap!
OpenBSD fixed this problem a loooooooong time ago by randomising the ephemeral port allocation. This protects ALL network-bound appications, not just DNS.
And if stuff like Zone Alarm is now falling over because of this change, well what does that say about the security of Zone Alarm (ie - it must be making assumptions about the traffic it is monitoring based on the allocated socket numbers - again - how crap???)
It's all just as well that so much effort is being put into stuff like the latest MP3 player skin or animated dog cartoons in Word! 'Cos THEY are really important and useful!
So, the patch works
Technically having no net connection will protect users from the DNS problem, but a cynical person might be tempted to think that MS was trying to get people away from using ZA.
Came in to work to find the PC having auto updated would not connect to the net at all. Spent (wasted) some time figuring out it was Zone Alarm, wasted more time re-installing it (as it has a tendency to self destruct on its own from time to time) before then having to surf the net with NO firewall to find it was the firewall and the latest MS update at fault. Have rolled back then to a LESS secure system so at least I can have the firewall on. Zone Alarm's forum is full of this, they must be in meltdown at the moment. Fancy having to turn off your firewall so you can get on the sodding net to find out what's wrong!!
This caught me out last night.
I figured it was the patch causing the problem, but didn't realise it was affecting Zone Alarm. Thanks for the heads up.
I thought Vista was written with security as it's prime concern....
Or was that just an excuse for them to drop support for XP and force everyone to shell out for the new OS?
Zone Alarm version ?
I'm still running ZoneAlarm 6.1.744 on the machine that works fine with the patch.
T'other kit has 7.0.462 and that's knackered after applying KB951748.
Both instances of ZoneAlarm would appear to be doing their work fine - as a quick drop by to Steve Gibson's "Shields Up" site demonstrates.
Both instances have the Internet / Trusted settings at max.
**NOTE: uninstalling and reinstalling ZoneAlarm used to require a removal tool from ZoneLabs. **Need to check this first. But I'm happy to revert the knacked machine back to version 6.0 and keep going.
Vista is not affected by this issue
Based on my SP1 machines and comments on the ZA forums. I think I'll hold off from applying the patch to my XP/SP3 boxes, though :)
I can't get Maplin today.
Easy way to check
Just get ZoneAlarm to notify on every block it does.... if it's blocking any and all traffic then you need to either
a) lower security to medium. or
b) allow each app to be a trusted server and also allow every single IP it blocks.
took 10 mins to figure out this morning.
@ Vista vulnerable???
I think you ought to check your facts before jumping onto the usual Vista-bashing bandwagon - the security bulletin states that Vista 32/64 and Server 2008 are not affected and therefore don't need patching.
So with regard to your witty, insightful comment:
1. Vista must be more secure, as it doesn't need the patch required by previous versions of Windows, and
2. The fact that they've released the patch for XP surely means they haven't dropped support, as they're STILL RELEASING PATCHES.
No wonder you wanted to remain anonymous. Tw@.
Paris, cos she could outsmart you.
Seems Microsoft wont test with typical setups!
Millions use zonealarm, but you know MS wont test this patch with it.... Killed my internet connection on one machine (which i fortunately knew was down to the patch and not the very "helpful" troubleshooting advice that my router was the problem, as i was also playing Buzz online on my PS3)
Ref moving slider down
Ref the suggestions about moving the slider down from max to medium, this didn't work for me (nor moving the slider right down!), the only cure was switching off ZA completely or rolling back the MS patch.
Re: Zonealarm & Vista...
No problems so far on Vista SP1 and free Zonealarm on high security settings.
Zone Alarm problems
Why don't you use an OS that doesn't require you to run stuff like Zone Alarm? Wouldn't that be the common sense thing to do?
Just thought I would point out the bleedin' obvious :-)
@Craig questionable security practices
I don't want to take sides, but Microsoft has "yielded" to the complaining of 3rd parties for years (since NT days) about security practices. There are tight ways of doing things for security, which some of MS OS has tried to incorporate and push (probably badly) onto 3rd party producers. There are even examples of this in Vista where they caved because of griping from vendors. The fact is, if you allow 3rd parties to do things in a shady way, they get dependent on that and gripe about changing. Both sides are to blame, IMO.
I have to say that the conflicts like this ZoneAlarm thing are pretty rare, despite how complex software is these days.
@ all you Zone Alarmists
"I blame Microsoft blah, blah, blah...."
Software 'firewalls' are a joke. Zone Alarmist is probably the worst of them...
get real, get rid of it, & get over it
If Vista is not getting KB951748, it seems unlikely to get the problem.
I don't want everyone to have to rely on a single source for a firewall or a web browser.
I know I seem to have dodged several issues through not depending on Microsoft.
Interesting thing: the Windows tracert utility was working, and giving domain names for non-local machines which I don't expect to find in any cache.
My bad...I'd just woken up.
Following an item published on Zonealarms site I extended it to fix the e-mail which didn't work either.
In Zonealarm click on Firewall and the Main tab, set the Internet Zone Security back to High.
Then click on Custom - scroll down one and the bottom entry for the High zone is "allow outgoing TCP ports:" That will normally have (no ports selected) after it.
Click on the box on the left; a box will appear underneath for you to enter the ports to be allowed; in the box type "80, 110, 443" without the quotes.
Ports 80 and 443 allow the browser to work and port 110 allows pop3 e-mail to work.
This way you've got the M$ patch which you really do want and you've got most of the ZA security which is more than you get without it.
Got caught by this on two W2K and one XP machine last night. What a pain, time for ZA to go!
To ekimdam [a.k.a. MadMike]: Get a life!
To Mike: XP security updates will be around until 2014.
To Tim: Boo hoo. Microsoft tests their security fixes. But every PC is different. Fix has no problem [it seems] with ZA 6.1 but is a problem with 7.0.
All: Better off sticking with ZA and not touching the update until either one of them comes out with a fix.
Comodo Firewall Pro free is unaffected on my two machines that run it.
RE: Another workaraound
By Mike Collins
"Now why didn't I think of that?"
You might want to add port 25 too.
Affected W/O Zone Alarm
I am in the US and my Toshiba laptop with XP Pro, SP2 installed will not connect to the Internet - and I do not have Zone Alarm. This all happened after it installed the updates while I was away from my laptop. I am at work now and will see what I can do when I get home tonight. I was not a happy camper (American saying...) last night when I thought my new network setup from this past weekend broke down!
Now I just have to figure out how to fix this...
Had this last night...
I saw it happen right in front of my eyes. Patches got applied, and on reboot, no internet. I could easily ensure that external internet access was available (via my router diags) and soon found out that ZoneAlarm was the problem. I uninstalled that and switched to Comodo, and all is well. BTW, I also found that the Windows Fire curtain (cannot really call it a Wall, can I?) was turned on -- I don't know whether by this update or something earlier. Anyway, I of course turned that off.
Maybe this is why there was not enough "testing" of the patch...
"Computer industry heavyweights are hustling to fix a flaw in the foundation of the Internet that would let hackers control traffic on the World Wide Web.
Major software and hardware makers worked in secret for months to create a software "patch" released on Tuesday to repair the problem, which is in the way computers are routed to web page addresses."
An automatic update that takes a Windows box off the internet, bliss.
That said, I won't touch ZoneAlarm with a 10' pole since it broke my Win98 tcp/ip stack so badly a full OS reinstall was necessary, way back when.
Re: all you Zone Alarmists
"Software 'firewalls' are a joke. Zone Alarmist is probably the worst of them...
get real, get rid of it, & get over it"
Has ZoneAlarm EVER saved you from anything?
Security theatre, anybody?
ZoneAlarm's support drives me around the bend.
There is an issue with ZoneAlarm whereby if ad blocking and cookie control is set, any web applications on your local machine won't work. This has been going on for years and years and is a pain in the neck for developers.
Their "log a call" support recognises the issue, but won't acknowledge it in public as a "known issue", stating the developers will "fix it when they will fix it". Yeah right, years later still nothing has happened. I logged the issue two years ago and again a month ago.
I tried posting on their forums about this issue, and they DELETED the post, YES you heard me right. There was nothing nasty about the post other than the fact I said the bug had been going on for years.
There are lots of other posts on ZoneAlarms forums that seem to point to this issue as well....
RE Another Workaround
Thanks to Doug Glass above - Include port 25 which is used for sending email.
Silly me didn't test it fully - I should apply to M$ for a job.
So include ports 25, 80, 110, 443 in the Allow outgoing TCP ports list.
Thats why I switched to a MAC. Life is great on the internet again since I switched!
MY VISTA DID NOT INSTALL IT
......my machine refused it somehow......everything works ok.....or was this only for XP.........I have Vista Home Premium...well, no fguss here, life as we know it goes on....kerplunk...Ohio is safe so far
FAO: Flunky Dennis
"Has ZoneAlarm EVER saved you from anything?"
Why, yes it has actually - many moons ago when it was still a "desk band" it prevented a suspiciously named executable getting out from my system that no AV program I was able to get my hands on was able to find (I ran a BBS at the time, so had access to quite a few). The executable deleted itself as soon as it was refused access.
Not a single machine has passed through my hands without installing a copy since if it had no other firewall.
I wonder how many poor sods downloaded this update last night
and now have no internet access? You can't find out about the problem unless you can visit a website and a fair few folk probably don't have a clue what's happened to them. I think I'm going to download Sunbelt or Comodo tonight.
Tuesday update cycle, one of which left ZoneAlarm users locked out the internet.
I installed Windows update this morning during shut down operation. Cold booted the machine, was able to access Internet without any problems.
I have been a Zone Alarm and Zone Alarm Pro user for several years and have never had any problems with the product.
Silly wabbit, MACs are for (sumthin'-or-other)
> "Thats why I switched to a MAC. Life is great on the internet again since I switched!"
Now Abel, while I respect your good intent ;) we all know that *real* Mac users don't use all-caps when referring to their machines. It's not an acronym. Silly Abel. :)
Paris probably knows the difference between MAC and Mac.
All popular security products are worse than the problems they suposedly prevent
Viruses "proper" haven't been a problem since the dawn of the internet. "Worms" only bite people who run servers, "Trojans" only affect people who click on stupid email links. Therefor virus scanners are an unnecessary drain on your system, usually worse than actually having a virus.
Sitting behind a NAT router makes firewalls near useless, and the last good software firewall died out long ago. (i.e. one where you could actually lock down ports and stayed out of the application layer, and refrained from obnoxious warnings)
Lastly, just use a "safe" browser (Firefox), and stay away from shady sites (no, that *isn't* really a naked picture of the Olson twins dikeing it out), install the latest updates (except for SP3 for god sakes), and you are sorted!
Also affected google log in and my mail
Could not log in to google yesterday and MS outlook would not send or receive.
What a pain, didn't figure out it was Zone Alarm until this morning, because Hughesnet had a satellite down too. Maybe it was MS update too. I wish MS would test things before they throw them out there so everybody's computer crashes!
Ha ha ha
Best laugh I've had so far this month!!!
Not Just zonealarm
Had to remove the patch from a machine that DID NOT have zone alarm installed!!!
Anyway software firewalls are a really bad idea - they run on the machine so allow the hacker got to the machine, Far better and easier to use an external firewall (netgear etc) which stops them getting to your machine in the firstplace.
Also, most people screw them up opening this port and that port or allowing software to do it for them having no idea what they are doing so all they end up is a fiewall with loads of unnecessary holes.
Save your money and buy a hardware firewall.
The real problem is ZoneAlarm. It's such a terrible product. I always advise anyone using it to uninstall it. With everyone using hardware boxes (home "routers") with built-in firewalls + Microsoft's forced use of Windows Firewall, there's really no reason to run another firewall, especially Zone Alarm.
- iPad? More like iFAD: This is why Apple ran off to IBM
- +Analysis Microsoft: We're making ONE TRUE WINDOWS to rule us all
- Climate: 'An excuse for tax hikes', scientists 'don't know what they're talking about'
- Analysis Nadella: Apps must run on ALL WINDOWS – PCs, slabs and mobes
- Major problems beset UK ISP filth filters: But it's OK, nobody uses them