Re: [Full-Disclosure] Unsecure file permission of ZoneAlarm pro.

[stephane nasdrovisky <stephane.nasdrovisky@xxxxxxxxxxxxx>]

John LaCour wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> There is absolutely no security issue here.
>
> ZoneAlarm does not rely on file permissions to protect
> any configuration files.   Configuration files are protected 
> by our TrueVector(r) driver in the kernel. 
>
> In addition to protecting configuration files against 
> unauthorized changes, there are additional integrity checks and other
> protection mechanisms implemented for all policy configuration 
> files.  Should any policy configuration files fail integrity
> checks, the firewall will fail closed.
>
> Again, no issue.
>
>  
>
> > Zone Alarm stores its config. files in %windir%\Internet Logs\* . But strangely, 
> >    
Isn't it supposed to store logs ? My english knowledge is probably too poor.

> > EVERYONE: Full 
> >    
As everybody knows, windows * is a single user system on which you can 
only install zonealarm, no other software, especially no software using 
this directory for storing any kind of information. As I understand the 
zap answer: Kidding with file permissions is not an issue on any os... 
unless, maybe, if you wish to use your system.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html