Zone Labs Security Advisory: Ad-Blocking Instability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
____________________________________________________________
Zone Labs Security Advisory ZL04-019
Zone Labs Ad-Blocking Instability
Date Published November 18, 2004
Date Last Revised November 18, 2004
Severity Low
____________________________________________________________
Overview
- -------
ZoneAlarm Security Suite and ZoneAlarm Pro have been updated
to address a vulnerability in their ad-blocking functions.
Specially crafted JavaScript may cause a user's system to
become unstable or lock.
Impact
- -----
The ad-blocking feature in Zone Labs products is turned off
by default. If this feature has not been enabled, you are
not impacted by this vulnerability.
Specially crafted JavaScript placed on a malicious website
may cause the software to become unstable and/or lock the
system.
This issue presents no other risks to the computer user.
Affected Products
o ZoneAlarm Security Suite, ZoneAlarm Pro
Unaffected Products
o No other Zone Labs products are affected by this issue
Description
- ----------
ZoneAlarm Security Suite and ZoneAlarm Pro provide features
to block specific types of advertising from websites.
However, using specially crafted JavaScript, a malicious web
page could cause the software or system to lock.
This vulnerability requires two specific prerequisites:
o Ad-blocking must be enabled
o The user must view a website with malicious
JavaScript
This vulnerability has been resolved in version 5.5.062 of
affected Zone Labs products. Version 5.5.062 was released on
November 8, 2004.
Users configured to receive automatic product updates will
receive this update automatically. Users configured to
receive manual updates should use the "Check For Update"
option -- see the Recommended Actions section below.
Recommended Actions
- ------------------
ZoneAlarm Security Suite and ZoneAlarm Pro users will
receive the update through a product update.
o Users with automatic updates:
You receive the update automatically. No further
action is required.
o Users with manual updates:
To manually update your Zone Labs software:
1. Select Overview | Preferences.
2. In the Check For Update section, click
"Check For Update".
3. If necessary, follow the instructions to update
your software.
ZoneAlarm Security Suite and ZoneAlarm Pro versions 5.5.062
and newer are not impacted by this issue.
Related Resources
o Zone Labs Security Response Center:
http://www.zonelabs.com/security
Acknowledgments
Zone Labs would like to thank Nicolas Robillard for
reporting this issue.
Contact
Zone Labs customers may direct vulnerability concerns or
additional technical questions to the Technical Support
group at:
http://www.zonelabs.com/support/
To report security issues with Zone Labs products contact:
security@xxxxxxxxxxxx
Disclaimer
The information in the advisory is believed to be accurate
at the time of publishing based on currently available
information. Use of the information constitutes acceptance
for use in an AS IS condition. There are no warranties with
regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or
reliance on, this information. Zone Labs and Zone Labs
products are registered trademarks of Zone Labs, LLC.
and/or affiliated companies in the United States and other
countries. All other registered and unregistered trademarks
represented in this document are the sole property of their
respective companies/owners.
Copyright
(C) 2004 Zone Labs LLC. All rights reserved. Zone Labs,
TrueVector, ZoneAlarm, and Cooperative Enforcement are
registered trademarks of Zone Labs, LLC. The Zone Labs logo,
and IMsecure are trademarks of Zone Labs, LLC. Zone Labs
Integrity protected under U.S. Patent No. 5,987,611. Reg.
U.S. Pat. & TM Off.. All other trademarks are the property
of their respective owners.
Any reproduction of this alert other than as an unmodified
copy of this file requires authorization from Zone Labs.
Permission to electronically redistribute this alert in its
unmodified form is granted. All other rights, including the
use of other media, are reserved by Zone Labs, LLC.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
iQA/AwUBQZ0q3VDxXw2Is3mLEQLY0wCgj4FTb/bhYWkO5hMkrXyAMqoAsHsAn3Xk
DzdpDDdG2hOHohckhaltdhjT
=KcGb
-----END PGP SIGNATURE-----