Personal firewalls could leak private info

Consumers protecting their PCs with personal firewalls should not feel too comfortable in their defence methods, according to a security researcher.

PC protection software such as Zone Labs' ZoneAlarm and Symantec's Norton Internet Security fare well against outside attacks, but Trojan horses and worms that infect the machine can easily dodge the firewall's blocks and access the Net, said Robin Keir, chief software engineer for security services company Foundstone.

"Personal firewalls were not traditionally for stopping malicious programs from running on your computer," he said. Keir published a report and tool illustrating one set of flaws that allows a program to sneak out private data using Microsoft's Internet Explorer and AOL Time Warner's Netscape browsers.

The program takes advantage of aspects of Microsoft's Windows operating system architecture that lets one program control another, a feature that could be used to let an employee training application take control of a program as part of a demonstration or to record keystrokes and track the mouse.

"I wondered if Microsoft had forgotten about this seldom-used program," Keir said. "Makes me wonder if they brushed it underneath the carpet and forgot about it."

Keir's program, called Firehole, employs a reusable piece of program known as a DLL (dynamic linked library) to trick the Internet browser into allowing the program to send data.

Personal firewall makers acknowledged the problem but stressed that the security flaw isn't theirs.

"No. 1, this is really a Microsoft bug," said Gregor Freund, president of firewall creator Zone Labs. "Every security expert has asked Microsoft to fix this. When one application can insert itself into another application's space, then all sorts of problems occur."

Zone Labs is experimenting with a "workaround" that blocks the ability of one program to control another application. However, dismantling the control feature could make Windows unstable, Freund said.

A Microsoft representative said the company first heard of the problem when called by CNET News.com. Security researchers at the software giant are studying the issue, which Foundstone's Keir believes to affect all Windows operating systems, including its recently released Windows XP.

Keir said that just fixing this particular flaw doesn't make sense because other variations could be as effective.

"The premise behind all these kinds of exploits is that you have to get the malicious code onto your computer in the first place," he said. "If you have an antivirus program or you have set up an email program securely, then you are safe." He added that keeping malicious programs off the computer is the only way to make sure information is not leaked to the Internet.

Tom Powledge, group product manager of Symantec's Norton Internet Security, agreed, saying that while the company will investigate the issue, it has always advised its customers to use the personal firewall in conjunction with antivirus software.

"We sell Norton Internet Security in that suite configuration because we think all these measures need to be taken," he said. "Antivirus is a key part of finding and detecting any code running on your system. Antivirus is the way that people need to be finding these things."

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.