Firewalls--as safe as you think?

PC protection software such as Zone Lab's ZoneAlarm and Symantec's Norton Internet Security fare well against outside attacks, but Trojan horses and worms that infect the machine can easily dodge the firewall's blocks and access the Net, said Robin Keir, chief software engineer for security services company Foundstone.

"Personal firewalls were not traditionally for stopping malicious programs from running on your computer," he said. Keir published a report and tool illustrating one set of flaws that allows a program to sneak out private data using Microsoft's Internet Explorer and AOL Time Warner's Netscape browsers.

The program takes advantage of aspects of Microsoft's Windows operating system architecture that lets one program control another, a feature that could be used to let an employee training application take control of a program as part of a demonstration or to record keystrokes and track the mouse.

"I wondered if Microsoft had forgotten about this seldom-used program," Keir said. "Makes me wonder if they brushed it underneath the carpet and forgot about it."

Keir's program, called Firehole, employs a reusable piece of program known as a DLL (dynamic linked library) to trick the Internet browser into allowing the program to send data.

Personal firewall makers acknowledged the problem but stressed that the security flaw isn't theirs.

"No. 1, this is really a Microsoft bug," said Gregor Freund, president of firewall creator Zone Labs. "Every security expert has asked Microsoft to fix this. When one application can insert itself into another application's space, then all sorts of problems occur."

Zone Labs is experimenting with a "workaround" that blocks the ability of one program to control another application. However, dismantling the control feature could make Windows unstable, Freund said.

A Microsoft representative said the company first heard of the problem when called by CNET News.com. Security researchers at the software giant are studying the issue, which Foundstone's Keir believes to affect all Windows operating systems, including its recently released Windows XP.

Keir said that just fixing this particular flaw doesn't make sense because other variations could be as effective.

"The premise behind all these kinds of exploits is that you have to get the malicious code onto your computer in the first place," he said. "If you have an antivirus program or you have set up an e-mail program securely, then you are safe." He added that keeping malicious programs off the computer is the only way to make sure information is not leaked to the Internet.

Tom Powledge, group product manager of Symantec's Norton Internet Security, agreed, saying that while the company will investigate the issue, it has always advised its customers to use the personal firewall in conjunction with antivirus software.

"We sell Norton Internet Security in that suite configuration because we think all these measures need to be taken," he said. "Antivirus is a key part of finding and detecting any code running on your system. Antivirus is the way that people need to be finding these things."