ZoneAlarm ShowHTMLDialog function obtain information

zonealarm-showhtmldialog-obtain-information (22971) The risk level is classified as Medium Risk

Description:

ZoneAlarm could allow a remote attacker to obtain sensitive information. If the default Web browser is authorized to access the World Wide Web, a remote attacker can create a program that calls the ShowHTMLDialog() function to open a modal dialog box that displays HTML. Because the resulting request is made through the already-authorized browser rather than by the attacker's program, ZoneAlarm's program control does not block it, and the HTML can redirect the victim to the attacker's Web site. The attacker can then obtain sensitive information and possibly send command instructions to the compromised system.

Platforms Affected:

  • ZoneLabs, ZoneAlarm 6.0
  • ZoneLabs, ZoneAlarm Anti-Spyware 6.0
  • ZoneLabs, ZoneAlarm Anti-Spyware 6.1
  • ZoneLabs, ZoneAlarm Antivirus 6.0
  • ZoneLabs, ZoneAlarm Pro 6.0
  • ZoneLabs, ZoneAlarm Security Suite 6.0

Remedy:

No remedy available as of August 16, 2008.

Consequences:

Obtain Information

References:

  • BugTraq Mailing List, Mon Nov 07 2005 - 12:46:04 CST, Zone Labs Products Advance Program Control and OS Firewall (Behavioral Based) Technology Bypass Vulnerability at http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0161.html.
  • Zone Labs Web site, Zone Labs: Zone Labs, Internet security products, online safety, software, protection at http://www.zonelabs.com/store/content/home.jsp.
  • BID-15347: Zone Labs Zone Alarm Advance Program Control Bypass Weakness
  • CVE-2005-3560: Zone Labs (1) ZoneAlarm Pro 6.0, (2) ZoneAlarm Internet Security Suite 6.0, (3) ZoneAlarm Anti-Virus 6.0, (4) ZoneAlarm Anti-Spyware 6.0 through 6.1, and (5) ZoneAlarm 6.0 allow remote attackers to bypass the Advanced Program Control and OS Firewall filters setting via URLs in HTML Modal Dialogs (window.location.href) contained within JavaScript tags.
  • OSVDB ID: 20677: ZoneAlarm ShowHTMLDialog() Outbound Filter Bypass
  • SA17450: ZoneAlarm Personal Firewall Program Control Feature Bypass

Reported:

Nov 07, 2005


Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
