Personal Firewalls Fail the Leak Test

Fri Dec 8 22:00:15 PST 2000

By Brian McWilliams 
In an attempt to show that personal firewalls may afford their users little protection against serious threats, a respected PC security expert has released a new software tool that pokes holes in many of the leading desktop security packages. 

Security-conscious Internet users, especially those on broadband connections, have made desktop firewall software into a booming business for companies like Symantec and Network Associates. But according to Steve Gibson, president of Gibson Research, almost all of these utilities only provide "pseudo protection" against attacks. That's because they put most of their effort into blocking incoming hacker attacks, while paying only scant attention to what he calls internal extrusion. 

"I really believe the problem of software in your computer misbehaving is much bigger than the problem of hacker attacks. Most people don't have any vulnerabilities; there's nothing a hacker can do to you. So I argue against the necessity of any kind of inbound blocking tool," said Gibson. 

To prove his point, Gibson has developed a free utility called LeakTest. The 27-Kbytes program is a trojan-horse/spyware simulator that attempts to slip past a personal firewall's defenses and connect to a server on the Internet. 

Not surprisingly, popular intrusion detection programs like BlackIce Defender from Network Ice fail to catch the outgoing connection and report it to the user. But more disturbingly, several firewalls that claim to offer outbound detection are also fooled by LeakTest. Among them, the best selling Norton Personal Firewall and McAfeeFirewall. 

Both are among a small number of desktop firewall programs that attempt to address the problem of unauthorized outbound leakage, but Gibson says they fall short and can be easily fooled or bypassed because they come pre-programmed to allow some applications to pass through the firewall. 

"This idea of allowing all these apps pre-approval is ludicrous. It's trivial to get permission out of the firewall without notifying the user," said Gibson, who observed that only one firewall, ZoneLab's ZoneAlarm, prevents malware from masquerading as a trusted program. 

"They do a cryptographic signature of the programs you're allowing. That's not hard to do, but they're the only ones who do it," he said. 

Tom Powledge, Symantec's product manager for Norton Internet Security, said the risks outlined by Gibson are low if users are running both a firewall and anti-virus software. And he said Symantec knows of no instances of programs that specifically target Norton Personal Firewall, which is shipped with NIS. 

But in response to Gibson's critique, Symantec plans to revise the application integrity checking feature in NIS, with an update available to users over Live Update by early next week. In the meantime, Powledge said concerned users can turn off automatic firewall rule creation. 

Judging by comments on the LeakTest message board at Gibson's site, plenty of users are concerned about the newly exposed porosity of their favorite firewall software. But Symantec's Powledge said their fears could have been avoided if Gibson had given vendors the customary advance notice before releasing LeakTest. 

"We were seeing no concern about this, and no exploits have been written. And while this makes customers aware of a potential issue, it also makes hackers aware," said Powledge. 

But Gibson, who had an earlier run-in with RealNetworks over the privacy behavior of its RealDownload product, said he's learned that unless pressure is brought to bear, companies are resistant to change. 

"These firewalls are not going to get better unless there's someone saying and able to prove -- and to enable the user to prove -- that these things are junk." 