Windows DNS bug fix can impair firewalls, including ZoneAlarm
BetaNews has confirmed through its own testing this morning that a critical patch, released yesterday by Microsoft as part of a worldwide DNS bug fix effort, can and does impact the functionality of software firewalls.
Multiple reports from users since yesterday afternoon have complained of systems unable to reach the Internet after installing patch KB951748. The patch makes a major change to the way the operating system handles DNS requests: it implements source port randomization, a way to vary the source port from which each request is sent, as a security measure to prevent attackers from crafting forged DNS responses and thus "poisoning" the caches of DNS servers.
It is a very serious fix to what could have been a catastrophic exploit, and it's being implemented not just on Windows but on Linux, and within routers and other network equipment as well. It's a major cooperative effort, but one side effect for now, due to an apparent lack of cooperation among software vendors, is that some software firewalls may need to be disabled, throttled back, or turned off altogether while a fix is under way.
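A practitioner who has just applied a patch like this one usually wants to confirm that outbound queries really do use varying source ports rather than a single fixed one. The following check is an added example, not code from the article or from Microsoft or Check Point; it reads constructed (transaction ID, UDP source port) pairs, of the kind one would pull from a capture of a host's outbound DNS queries, and reports whether the port selection looks randomized. The thresholds and the sample values are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed sample observations: (dns_transaction_id, udp_source_port) pairs.
# An unpatched host of the kind the article describes reuses one source port
# and hands out sequential transaction IDs.
UNPATCHED_QUERIES = [(tx, 1053) for tx in range(4000, 4040)]

# A patched host picks a fresh ephemeral source port per query (values are made up).
PATCHED_QUERIES = [
    (0x1F3A, 49211), (0x8C02, 51876), (0x44E1, 60033), (0x0A7D, 57120),
    (0xE310, 53402), (0x27B9, 62918), (0x9D45, 50277), (0x6C88, 58641),
    (0xB1F7, 55009), (0x3E2C, 61455), (0xF091, 52730), (0x5A6D, 59384),
]


def shannon_entropy_bits(values):
    """Entropy (in bits) of the observed distribution of values."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def assess_source_ports(queries, min_distinct=8, min_entropy_bits=3.0):
    """Classify a batch of outbound queries as using randomized ports or not.

    min_distinct and min_entropy_bits are illustrative thresholds (assumptions),
    chosen so that a handful of queries from a fixed-port host fails the check
    while a modest sample from a randomizing host passes it.
    """
    txids = [tx for tx, _ in queries]
    ports = [port for _, port in queries]
    distinct_ports = len(set(ports))
    port_entropy = shannon_entropy_bits(ports)
    # Sequential transaction IDs are a second tell-tale of a predictable client.
    sequential_txids = len(txids) > 1 and all(
        b - a == 1 for a, b in zip(txids, txids[1:])
    )
    randomized = distinct_ports >= min_distinct and port_entropy >= min_entropy_bits
    return {
        "queries": len(queries),
        "distinct_ports": distinct_ports,
        "port_entropy_bits": round(port_entropy, 3),
        "sequential_txids": sequential_txids,
        "randomized": randomized,
    }


if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED_QUERIES), ("patched", PATCHED_QUERIES)):
        print(label, assess_source_ports(sample))
```

Run it against real observations by replacing the constructed lists with pairs read from a capture of the host's outbound UDP/53 traffic; a verdict of `randomized: False` after the patch indicates that something in the path (a firewall, a NAT device, or a proxy) is collapsing the ports back to a fixed value and undoing the protection the patch provides.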
In BetaNews tests, we installed the latest commercial edition of ZoneAlarm Pro (version 7.0.470, not a beta) on a Windows XP Professional SP3 virtual machine, which we verified as having full Internet connectivity after the install. We then installed patch KB951748 from Windows Update and rebooted the VM. No Internet utility or browser was able to connect to the Internet afterward. The VM was running on a Windows XP SP3 physical system that did not have the patch installed but did have ZoneAlarm Pro, and that host's Internet connectivity remained fully working. Not even the PING utility would work from the virtual system's command line.
Connectivity between the virtual system and other physical systems in the local network, however, was unimpaired by the patch.
The workaround is a simple one in this case: after changing ZoneAlarm Pro's default Internet Zone security setting from High to Medium, we were able to re-establish connectivity through Web browsers. However, PING in the command line still would not function, timing out on every legitimate request.
BetaNews does not recommend "resetting the ZoneAlarm database" as some sources have suggested.
Reports from ZoneAlarm users on the product's online forum include two from administrators who uninstalled Microsoft's patch, restoring connectivity to their systems, only to find that Automatic Updates reinstalled the patch once connectivity was restored. One user reported the problem to his Cablevision customer service representative, who informed him that Cablevision was receiving multiple reports from others, and that the problem was apparently "universal."
It isn't as if this problem wasn't anticipated. Yesterday, a statement from ZoneAlarm's parent company, CheckPoint Software Technologies, advised its business customers for other lines of products that those products already provided protection against any DNS problem, effectively advising them not to employ the patch, at least not right away.
"DNS cache poisoning threats, such as the one published today, strike at the very heart of the Internet in an effort to direct users to malicious sites," stated CheckPoint's vice president of network security products, Oded Gonda. "Check Point's VPN-1 and Connectra products thwart hackers' attempts to take advantage of this latest DNS cache poisoning technique by randomizing both the source port and request ID without a need to immediately patch multiple workstations in the organization."
The statement did not mention ZoneAlarm except for the company's usual boilerplate text at the end. BetaNews is attempting to contact CheckPoint for further comment regarding its plans for handling the personal firewall breakdown; although in a development which may or may not be related to this problem, our messages to our usual contacts are all bouncing back.
4:42 pm ET July 9, 2008 - An IT administrator working with one of the nation's largest insurance firms contacted BetaNews this afternoon, urging us to clarify our use of the term "critical" in our header paragraph. Microsoft listed the patch not as "critical" in its vocabulary, but rather "important."
This distinction is apparently very important in the assessment of damages that may result from not implementing the fix.