Security Holes in Personal Firewalls
Vulnerabilities that could allow a user to escalate their access rights have been discovered in numerous personal firewalls. The flaw arises because the firewalls' application windows run in the system context.
Intruders with restricted rights need only call up the GUI of the affected personal firewall and then end the Explorer process using Task Manager. The Open Folder link then provides them with an instance of Explorer possessing system rights.
According to the security warning, the vulnerability affects Outpost Firewall Pro version 3.51.759.6511 (462), Lavasoft's Personal Firewall Version 1.0.543.5722 (433) and Novell's Border Manager Client Firewall 2.0. Ben Goulding, who discovered the hole, claims to have informed the software producers about it a week ago. No updates have been made available as yet.
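To check a workstation for the condition described above (a window on the user's desktop owned by a process running as SYSTEM), the following added example, which is not part of the original report, filters the output of `tasklist /v /fo csv` captured from an elevated prompt. It assumes English column headers; the sample rows, process names, PIDs and window titles are constructed.

```python
import csv
import io

# Account names treated as "system context" (compared case-insensitively).
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}

# Constructed sample of `tasklist /v /fo csv` output; every value is invented.
SAMPLE = r'''
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","1480","Console","0","18,204 K","Running","DESKTOP\alice","0:00:12","N/A"
"notepad.exe","3020","Console","0","3,112 K","Running","DESKTOP\alice","0:00:00","Untitled - Notepad"
"fwsvc.exe","812","Services","0","9,876 K","Unknown","NT AUTHORITY\SYSTEM","0:00:03","N/A"
"fwgui.exe","2212","Console","0","12,340 K","Running","NT AUTHORITY\SYSTEM","0:00:01","Example Firewall - Settings"
'''


def system_owned_windows(tasklist_csv, session=None):
    """Return (image, pid, session, title) for SYSTEM processes that own a window.

    tasklist prints "N/A" in the Window Title column when a process has no
    window it can see, so any other value on a SYSTEM row means privileged
    code is presenting UI that a restricted user may be able to interact with.
    """
    findings = []
    # strip() removes the leading blank line so the header row is parsed first.
    for row in csv.DictReader(io.StringIO(tasklist_csv.strip())):
        user = row["User Name"].strip().upper()
        title = row["Window Title"].strip()
        if user not in SYSTEM_ACCOUNTS:
            continue  # not running in the system context
        if title in ("", "N/A"):
            continue  # no window reported for this process
        if session is not None and row["Session Name"].lower() != session.lower():
            continue  # caller asked for one session only
        findings.append((row["Image Name"], int(row["PID"]), row["Session Name"], title))
    return findings


if __name__ == "__main__":
    for image, pid, sess, title in system_owned_windows(SAMPLE):
        print(f"SYSTEM-owned window: {image} (PID {pid}, session {sess}): {title!r}")
```

Any process this reports should either drop its UI into a separate unprivileged process or be reviewed for dialogs (file pickers, help viewers, "open folder" links) that can launch other programs.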
In Outpost's Firewall 3.5.631, local attackers can also trigger a denial of service by executing the mshta.exe file with a very long string of parameters. Bipin Gautam, who discovered this error in Outpost's filter driver, claims that Agnitum has quietly closed this security hole in the current version of Outpost.
The vulnerabilities once again highlight a problem with desktop firewalls: they lull users into a sense of security that they cannot really provide. Up to now, hackers have needed little more than a bit of imagination to get around any personal firewall software and secretly send data from a computer across the Internet. Furthermore, each additional piece of software increases the complexity of a system and hence its susceptibility to errors.
- Security warning from Ben Goulding regarding Firewall GUIs with system rights
- Outpost Firewall Pro secretly fixing security flaws?, Security warning regarding Outpost's filter driver at Full Disclosure