Over the past month, I've discussed personal firewalls twice. In addition, we conducted a poll asking whether you use a personal firewall at home or work. The results are in and reveal that most people use the devices at both home and work. Be sure to read the results in the Announcements section of this newsletter.
I bring this topic up again because over the past week I became aware of some interesting findings about personal firewalls. Most personal firewalls govern access based on applications and port mappings. This methodology is a good approach, but as Steve Gibson of Gibson Research points out, it leaves the potential for Trojans to exploit that application and port relationship. Exploits are possible when a Trojan carries the same executable file name as an application authorized for access through the firewall. For example, an intruder could insert a Trojan called iexplore.exe, which is the real filename for the Internet Explorer (IE) application, and because the firewall probably allows two-way access for IE, the Trojan can communicate through the firewall.
Gibson found that many popular personal firewalls, including Black Ice Defender, Norton Personal Firewall, and McAfee Personal Firewall, are vulnerable to this type of attack. Why? Most personal firewalls don't perform adequate checksum analyses on the applications they control. Checksums ensure that an intruder hasn't tampered with a file. As far as I know, ZoneAlarm is the only personal firewall that performs this level of file-integrity testing; however, I've read a report that says Symantec will update its firewall with this type of feature soon.
Gibson released a new tool called Leaktest that checks security on your personal firewall. The new tool determines whether your system is susceptible to the described type of Trojan infection. The program masquerades as various applications and attempts to pass traffic to the Internet. Download a copy here and give it a try.
I also want to revisit Microsoft's new security bulletin style, which I discussed last week. Many people are upset about the new reporting style because it doesn't offer any information. Instead, the new bulletins refer people to Microsoft's Web site for details. Microsoft says this approach lets it better control information accuracy over time by keeping the information centrally stored in its databases. However, some mailing list operators prefer disseminating the entire vulnerability report to their readers, which is no longer possible under the new style because of Microsoft copyright restrictions.
Others complain that the new style costs them money because they often receive security reports on their mobile devices, and because the reports no longer contain details, they have to visit the Microsoft Web site to learn whether the problem pertains to them. This approach means more time online and more data transmitted, which equates to a higher cost for mobile devices users.
What's your opinion? Take our latest poll on our home page and tell us whether you like Microsoft's new security bulletin style. And if you have suggestions or comments you want to share with Microsoft about this matter, you can send them to the mailbox at [email protected], which the company established for this sole purpose.
One final note before I sign off: If you partner with businesses that operate Web sites on behalf of your company, be sure to keep a close eye on the security of those sites. Microsoft is learning this lesson the hard way. Be sure to read the news report in this newsletter about how two of the company's sweepstakes Web sites (which were third-party operated) recently exposed the personal information of more than 50,000 Web site users. Until next time, have a great week.
