Security crusader punches holes in firewalls

In response, firewall vendors are scrambling to plug the holes detected by Gibson's Trojan, dubbed LeakTest, or are clarifying their software's capabilities.

LeakTest, available as a free download from Gibson Research, exploits what Gibson claims is a common weakness in most firewalls: the way they exempt "trusted" Internet applications from firewall restrictions.

Only one major firewall vendor -- ZoneAlarm -- does not use a method that Gibson claims LeakTest can exploit. Other vendors, including Symantec, McAfee.com, and Sygate, say they're working on modifications now.

Identifying friendly programs

The problem is in the common approach firewall programs use to block dangerous incoming traffic. Typical attacks come from hackers trying to access user files, or to fell a machine by flooding it with meaningless data -- known as a denial-of-service attack.

Most often, firewalls identify approved applications by name and their choice of ports. That's not enough, Gibson says. Like its mythical namesake, a Trojan horse program attacks from within, breaching a PC's defenses by simple trickery. Similar to viruses, Trojans masquerade as harmless or even useful programs that people exchange by e-mail or download. Once installed, Trojans open specific Internet connections, called ports, that hackers can exploit.

Since many legitimate programs -- such as Web browsers, e-mail clients, and instant messengers -- also open ports, the firewall's job is to distinguish trustworthy applications from nefarious ones. Gibson maintains any Trojan horse can easily be renamed and choose appropriate ports to disguise itself as a trusted application.

"There was no protection against one program pretending to be another just by changing the file name," Gibson says. He says he proves it with LeakTest, inviting anyone to download the 26K program and rename it from a list of programs trusted by Symantec's Norton Personal Firewall. When run, LeakTest initiates a connection with Gibson's server to test whether data escapes the firewall. The communication only confirms the firewall's vulnerability and does not transmit any personal data from the tester's PC, Gibson says.

Gibson got 'em, vendors say

Gibson's test indeed exploits a weakness in firewall products, say representatives of several major vendors.

Norton Personal Firewall 2001 can't distinguish between the real version of a program like Microsoft Internet Explorer and a renamed Trojan, such as the infamous Back Orifice 2000, says Tom Powledge, Symantec's senior product manager for consumer products.

"In this case, [Norton Personal Firewall] would not block it," says Powledge of LeakTest and other crafty Trojans.

McAfee.com's security architect Sam Curry agrees that McAfee.com Personal Firewall could also be fooled, since it "simply looks at the name of the executable." Both Powledge and Curry say they do not know of any actual malicious attacks based on Gibson's model. "But yes, it could be done," Curry says.

He adds that his company's firewall is based on the same architecture as the McAfee Firewall, sold by McAfee.com's former parent company, Network Associates.

Unlike the McAfee and Norton programs, Sygate Personal Firewall 2.1 does not have a built-in list of approved applications. However, one provision allows any applications through certain ports generally (but not necessarily) reserved for "legitimate" activities.

Representatives of another popular vendor, Network ICE, acknowledge that its intrusion detection/blocking program BlackICE would also fail Gibson's test, although they claim it would not fall prey to a truly malicious program.

BlackICE was not designed to identify programs that access the Internet, says Greg Gilliom, chief executive officer. Instead, it checks content of the actual data packets passing to and from the computer. BlackICE would permit LeakTest, because it is not doing anything harmful, Gilliom says.

"LeakTest is just a normal FTP client. As far as we're concerned, there's nothing malicious about that." But BlackICE would block a program that transmits suspicious packets, he says. For example, Gilliom says BlackICE Defender can identify the encryption patterns of Back Orifice 2000.

Gibson says the firewalls are too easily vulnerable. He modified his Trojan so it doesn't simply impersonate an approved application, but gives the firewall a new rule allowing entry of any application.

"There is nothing to prevent a Trojan from making its own entry" in the Application Lookup Engine (ALE) of Norton Personal Firewall, Gibson says. He expects most firewalls that predefine trusted applications share the flaw.

Only firewalls from Zone Labs were able to fend off LeakTest, Gibson says. The company's ZoneAlarm and ZoneAlarm Pro passed the test, he says, because they have a fundamentally different way to identify a trusted application. As a default, ZoneAlarm prohibits all traffic. It recognises no applications as trusted, verifying them one by one as they first run.

Unlike many other firewalls, however, ZoneAlarm does not identify applications by name or choice of ports. Instead, it examines a program's actual code using a cryptographic standard called an MD5 checksum.

"It is conceptually infeasible to get any other program to produce the same MD5 signature," Gibson says.
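To make the contrast concrete, here is an added example (not code from the article, Gibson Research or any of the vendors named) that implements both identification policies the article describes: the name-based check that LeakTest defeats by renaming, and a content-digest check of the kind ZoneAlarm uses. The file names `mailclient.exe` and the two tiny script bodies are constructed stand-ins for a trusted program and an impostor. The example generalises slightly beyond the article by using SHA-256 as the default digest; the `algorithm` parameter can be set to `"md5"` to reproduce the checksum the vendors were adopting at the time.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample "executables": a genuine program and an impostor that
# carries a different payload but will be given the same file name.
GENUINE_BODY = b"#!/bin/sh\necho 'I am the real mail client'\n"
IMPOSTOR_BODY = b"#!/bin/sh\necho 'I only look like the mail client'\n"


def file_digest(path, algorithm="sha256"):
    """Digest of the file's contents, read in chunks. The name plays no part,
    so renaming a file never changes the result; changing one byte does."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def name_based_allowed(path, trusted_names):
    """The weak policy the article describes: anything whose file name appears
    on the predefined list of trusted applications is let through."""
    return Path(path).name.lower() in trusted_names


def hash_based_allowed(path, trusted_digests, algorithm="sha256"):
    """ZoneAlarm-style policy: a program is trusted only if the digest of its
    code matches one recorded when the user first approved that program."""
    return file_digest(path, algorithm) in trusted_digests


def run_scenario(workdir=None):
    """Create the genuine program, record its digest as the user's approval,
    then evaluate both policies against an impostor that borrowed the trusted
    name and against a renamed copy of the genuine program."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_scenario(tmp)
    workdir = Path(workdir)

    genuine = workdir / "mailclient.exe"
    genuine.write_bytes(GENUINE_BODY)

    # "First run" approval: the hash policy learns the program's digest,
    # the name policy learns only its file name.
    trusted_digests = {file_digest(genuine)}
    trusted_names = {"mailclient.exe"}

    # Impostor: different contents, same name, dropped in another folder.
    impostor = workdir / "downloads" / "mailclient.exe"
    impostor.parent.mkdir()
    impostor.write_bytes(IMPOSTOR_BODY)

    # Genuine program under a different name (a renamed copy).
    renamed_genuine = workdir / "mailclient_backup.exe"
    renamed_genuine.write_bytes(GENUINE_BODY)

    return {
        "genuine_by_name": name_based_allowed(genuine, trusted_names),
        "genuine_by_hash": hash_based_allowed(genuine, trusted_digests),
        "impostor_by_name": name_based_allowed(impostor, trusted_names),
        "impostor_by_hash": hash_based_allowed(impostor, trusted_digests),
        "renamed_genuine_by_name": name_based_allowed(renamed_genuine, trusted_names),
        "renamed_genuine_by_hash": hash_based_allowed(renamed_genuine, trusted_digests),
    }


if __name__ == "__main__":
    for check, allowed in run_scenario().items():
        print(f"{check:26s} -> {'ALLOWED' if allowed else 'blocked'}")
```

Running it shows the two failure modes side by side: the name policy admits the impostor and rejects the renamed genuine program, while the digest policy does the opposite. The default is SHA-256 rather than MD5 because MD5 collisions have been practical to construct for years, which undermines the "no other program can produce the same signature" property the checksum is relied on for.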

Watch for online updates

Other firewall vendors are reexamining how their programs verify a program's identity. McAfee.com is already working on an MD5 checksum function for future versions of its firewall, Curry says. The company is also developing a patch to address Gibson's findings.

"Steve [Gibson]'s concerns are valid, and we are going to address them," Curry says. He advises users to check the McAfee.com site for a patch this week.

Sygate Personal Firewall 4.0 will be a totally new version of the software and will incorporate the MD5 checksum, says John De Santis, Sygate chief executive officer. The company expects to post a patch for its 2.1 product that eliminates blanket permission for certain ports (but will not yet include the MD5 checksum) on its site this week.

A new firewall from Tiny Software was still in beta version during Gibson's tests, but it implements an MD5 checksum engine. It originally included a list of preapproved apps, but Tiny is reconsidering that approach in light of Gibson's criticism, says Brandon Talaich, Tiny's vice president of marketing. The firewall's Trusted Application Mechanism will identify programs by their MD5 signatures.

Symantec is currently considering several methods, including an MD5 checksum, to more thoroughly verify a program's identity.

"We are going to address all the issues that were brought up by the LeakTest," Powledge says. Symantec has not decided whether to offer an interim fix or wait for a comprehensive update. But Powledge advises concerned customers to disable the program's automatic firewall rule generation. (A document on Symantec's site explains how.) Likewise, McAfee's Curry says users of the McAfee.com Personal Firewall should watch the site for an update. "As an ASP, we can roll out upgrades like this to our entire user base very quickly," Curry notes.

Gibson keeps watch

And Zone Labs is neither bragging nor relaxing. No security product is 100 per cent safe, says Gregor Freund, president.

"You have to create a balance," Freund says. "Steve [Gibson] points out where that balance should be." Can the program be fooled? Users certainly can, he adds. The firewall will allow a program if the user authorises that program, but it trusts the customer's judgement.

"People have to understand that downloading a piece of software -- if they have no idea what it is or what it does -- is taking a risk," Freund adds.

For his part, Gibson expects to keep watching. He's already working on LeakTest 2.0, expecting everyone to quickly fix the flaws LeakTest 1.0 uncovers.

Sean Captain

PC World