Side effects of Behavioural Blocking in ZoneAlarm
ZoneAlarm has a "Behavioural Blocker" (OSFirewall) that is intended to prevent malicious programs from manipulating, for example, the registry. But according to security service provider MatouSec Security, the filter driver installed for that purpose contains an implementation flaw that can cause the system to crash and require rebooting.
The Behavioural Blocker monitors such Windows API functions as RegSaveKey, RegRestoreKey and RegDeleteKey. If, however, a combination of these functions is used on the registry key HKLM\SYSTEM\CurrentControlSet\Services\VETFDDNT\Enum, the OSFirewall no longer works, the security advisory states. Because the filter driver works in the kernel mode (ring 0), the flaw drags the entire system down into digital oblivion.
In the latest Zone Alarm version 6.5, the developers have improved the filter driver somewhat so that, according to MatouSec, the attack has to be conducted twice for the system to crash. The advisory states that it does not matter whether the modifications to the registry reported by OSFirewall are allowed.
The security experts who discovered the flaw have provided a program to demonstrate this behaviour in their security advisory. However, in a test conducted by heise Security using ZoneAlarm 6.5.725.000, the problem could not be reproduced. According to the report, ZoneAlarm Internet Security Suite 6.5.722.000 and 6.1.737.000 are affected. ZoneAlarm Pro 6.1.744.001 is not affected, neither are any versions of ZoneAlarm Free and Pro in all probability.
- ZoneAlarm Insufficient protection of registry key 'VETFDDNT\Enum' Vulnerability, security advisory at MatouSec Security
- Download of ZoneAlarm Free