ZoneAlarm: internet access restored
Check Point has published an update to its ZoneAlarm products to remedy the loss of internet access caused by installing Microsoft's DNS patch. The patch from Redmond fixes a security vulnerability in the DNS client of Windows XP and 2000, which sent its name server queries from a static source port chosen from a small range of ports. With the patch installed, the source port is chosen far less predictably. ZoneAlarm's firewall, which is not prepared for the change in port selection, blocks the queries sent from the new ports; Windows can then no longer resolve hostnames to IP addresses, which in practice cuts off all internet access.
To download the update, affected ZoneAlarm users first have to make their firewall settings somewhat less restrictive: the vendor says the security level for the "Internet Zone" has to be set to Medium. Because the updates are currently only available in English, non-English users will have to make do with the English version if they want to go online soon. Check Point also says that uninstalling Microsoft patch KB951748 fixes the problem. This can serve as a workaround until the other language versions are released, since no attacks are known at the moment and stub resolvers are not especially attractive targets. Anyone who removes the patch should, however, reinstall it as soon as the matching ZoneAlarm update is available, because until then the resolver's source port is predictable again.
The switch to more dynamically chosen source ports became necessary after a security expert demonstrated that forged DNS replies could be used to manipulate name resolution: a reply is accepted only if it matches both the transaction ID and the source port of the outstanding query, so with a fixed source port an off-path attacker has only the 16-bit transaction ID left to guess. It is not clear, however, why Microsoft's patch caught Check Point off guard. After all, all major vendors have known about the problem since March and have been working jointly on a solution in order to release updates simultaneously.
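The following is an added example, not code from the article, from Check Point or from Microsoft. It models the two points made above: a host firewall whose outbound DNS rule assumes queries come from a small fixed source-port range stops passing queries once the resolver picks random high ports, and the same randomisation multiplies the number of values a forger of DNS replies has to guess. The port ranges, the rule table and the resolver behaviour are illustrative assumptions, not the documented ZoneAlarm or Windows values.

```python
"""Simulated host firewall versus a resolver that randomises its source port.

Added example; all ranges and rules below are assumptions for illustration,
not the real ZoneAlarm rule set or the real Windows DNS client behaviour.
"""
import random
from dataclasses import dataclass

DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    proto: str
    src_lo: int      # inclusive lower bound on the source port
    src_hi: int      # inclusive upper bound on the source port
    dst_port: int
    action: str      # "allow" or "drop"


def filter_packet(rules, pkt, default="drop"):
    """First-match packet filter; unmatched packets get the default action."""
    for r in rules:
        if (r.proto == pkt.proto and r.dst_port == pkt.dst_port
                and r.src_lo <= pkt.src_port <= r.src_hi):
            return r.action
    return default


# Assumed pre-patch behaviour: one port from a small range, reused for
# every query.  Assumed patched behaviour: a fresh random port from the
# high ephemeral range for each query.
OLD_RANGE = (1025, 5000)
NEW_RANGE = (49152, 65535)


def old_resolver_query(rng, fixed_port=1029):
    """Resolver that always sends from the same (assumed) source port."""
    return Packet("udp", fixed_port, DNS_PORT)


def new_resolver_query(rng):
    """Resolver that picks a random high source port per query."""
    return Packet("udp", rng.randint(*NEW_RANGE), DNS_PORT)


# Assumed legacy rule: only queries from the old range may reach 53/udp.
LEGACY_RULES = [Rule("udp", OLD_RANGE[0], OLD_RANGE[1], DNS_PORT, "allow")]
# Corrected rule: match on the destination service, not on the source port.
FIXED_RULES = [Rule("udp", 1024, 65535, DNS_PORT, "allow")]


def resolution_success_rate(rules, resolver, n=1000, seed=1):
    """Fraction of n queries from `resolver` that the rule set lets through."""
    rng = random.Random(seed)
    allowed = sum(filter_packet(rules, resolver(rng)) == "allow"
                  for _ in range(n))
    return allowed / n


def spoof_search_space(port_lo, port_hi, txid_bits=16):
    """Number of (transaction ID, source port) pairs an off-path attacker
    must cover to be sure a forged reply matches the outstanding query."""
    return (2 ** txid_bits) * (port_hi - port_lo + 1)


if __name__ == "__main__":
    print("legacy rules, fixed-port resolver :",
          resolution_success_rate(LEGACY_RULES, old_resolver_query))
    print("legacy rules, random-port resolver:",
          resolution_success_rate(LEGACY_RULES, new_resolver_query))
    print("fixed rules,  random-port resolver:",
          resolution_success_rate(FIXED_RULES, new_resolver_query))
    print("guesses, fixed port  :", spoof_search_space(1029, 1029))
    print("guesses, random port :", spoof_search_space(*NEW_RANGE))
```

The corrected rule keys on the destination service (53/udp) and leaves the source port alone, which is how an outbound DNS rule should be written in the first place; a real firewall would additionally track the query so that only the matching reply is let back in.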
- Workaround to Sudden Loss of Internet Access Problem, ZoneAlarm security advisory