Zone Alarm Bug squashed


DrAwesome
22-02-2004, 21:53
I did a search of the forum to see if anyone had posted this information & the search didn't find anything, so here goes.........

A security vulnerability exists in specific versions of ZoneAlarm®, ZoneAlarm Pro, ZoneAlarm Plus & the Zone Labs Integrity™ client. This vulnerability is caused by an unchecked buffer in Simple Mail Transfer Protocol (SMTP) processing which could lead to a buffer overflow. In order to exploit the vulnerability without user assistance, the target system must be operating as an SMTP server. Zone Labs does not recommend using our client security products to protect servers.

Upgrading an affected Zone Labs product will remove this vulnerability.

Date Published: February 18, 2004
Last Update: February 18, 2004

Impact: If successfully exploited, a skilled attacker could cause the firewall to stop processing traffic, execute arbitrary code, or elevate malicious code's privileges.

Zone Labs recommends affected users update their software to the current versions which address the issue.

Affected Products:

ZoneAlarm family of products and Integrity client versions 4.0 and above.

Unaffected Products:

ZoneAlarm and Integrity client versions earlier than 4.0.
Integrity Server & Integrity Clientless Security products are not affected.

Description: Zone Labs desktop security products process SMTP in order to perform various security functions. Due to an unchecked buffer in the SMTP processing system, a skilled attacker could cause the firewall to stop processing traffic or execute arbitrary code.

Successful exploitation requires one of the following scenarios and applies only to SMTP traffic:

A program listening on port 25/TCP (SMTP) of the target system. This condition is usually only present on SMTP servers. Zone Labs does not recommend using our client security products to protect servers.

A malicious program running on the protected system could trigger the buffer overflow and gain SYSTEM privileges if the user or administrator has given it permission to access the network.

In all cases, the program requesting network access must be approved by the user through the Program Control policy.

Recommended Actions: ZoneAlarm, ZoneAlarm Plus, & ZoneAlarm Pro users should upgrade to version: 4.5.538.001.

To update your Zone Labs client product:

Select Overview > Preferences.
In the Check for Updates area, choose an update option.

Automatically: Zone Labs security software automatically notifies you when an update is available.

Manually: You monitor the Status tab for updates. To invoke an update check immediately, click "Check for Update".

Integrity 4.0 users should upgrade to Integrity client version: 4.0.146.046.

Integrity 4.5 users should upgrade to Integrity client version: 4.5.085.

Integrity updates are available on the Zone Labs Enterprise Support web site.

Alert Link (http://download.zonelabs.com/bin/free/securityAlert/8.html)
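The advisory names the bug class (an unchecked buffer in SMTP line processing) but not the code. The block below is an added illustration written for this thread, not Zone Labs code: a hypothetical line handler that copies a client line into a fixed buffer with no length check, beside a bounded parser that caps the CRLF search at the RFC 2821 section 4.5.3.1 limit of 512 octets per command line (including CRLF), rejects longer lines, and resynchronises afterwards. All input is constructed inline.

```c
/*
 * Added example, not Zone Labs code. Assumptions: a hypothetical line-oriented
 * SMTP handler, and RFC 2821 4.5.3.1's 512-octet command-line limit as the bound.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SMTP_LINE_MAX 512              /* RFC 2821 4.5.3.1: 512 octets incl. CRLF */

enum smtp_status { SMTP_OK = 0, SMTP_NEED_MORE, SMTP_ERR_TOO_LONG, SMTP_ERR_SYNTAX };

struct smtp_cmd {
    char verb[16];                     /* upper-cased verb, e.g. "EHLO" */
    char arg[SMTP_LINE_MAX];           /* argument text without the CRLF */
};

/* The unchecked pattern reduced to its essence: a fixed stack buffer filled from
 * the peer with no length check, so a longer line overruns it. For contrast only. */
size_t handle_line_unchecked(const char *input)
{
    char line[SMTP_LINE_MAX];
    strcpy(line, input);               /* no bound on the copy */
    return strlen(line);
}

/* Bounded parser over raw socket bytes (not NUL-terminated). The CRLF search is
 * capped at SMTP_LINE_MAX and every copy length derives from that capped position. */
enum smtp_status smtp_parse_line(const char *buf, size_t len,
                                 struct smtp_cmd *out, size_t *consumed)
{
    size_t limit = len < SMTP_LINE_MAX ? len : SMTP_LINE_MAX;
    size_t eol, vlen, apos, alen, i;
    int found = 0;

    for (eol = 0; eol + 1 < limit; eol++)
        if (buf[eol] == '\r' && buf[eol + 1] == '\n') { found = 1; break; }
    if (!found)   /* short buffer: line still in flight; full window: reject it */
        return len < SMTP_LINE_MAX ? SMTP_NEED_MORE : SMTP_ERR_TOO_LONG;

    for (vlen = 0; vlen < eol && buf[vlen] != ' '; vlen++)
        ;
    if (vlen == 0 || vlen >= sizeof out->verb)
        return SMTP_ERR_SYNTAX;
    for (i = 0; i < vlen; i++)
        out->verb[i] = (char)toupper((unsigned char)buf[i]);
    out->verb[vlen] = '\0';

    for (apos = vlen; apos < eol && buf[apos] == ' '; apos++)
        ;
    alen = eol - apos;                 /* <= SMTP_LINE_MAX - 2, so it always fits */
    memcpy(out->arg, buf + apos, alen);
    out->arg[alen] = '\0';
    *consumed = eol + 2;
    return SMTP_OK;
}

/* Recovery after a rejected line: discard up to and including the next CRLF so the
 * server can answer "500 Line too long" and resynchronise. Returns 1 when found. */
int smtp_skip_line(const char *buf, size_t len, size_t *consumed)
{
    size_t i;
    for (i = 0; i + 1 < len; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n') { *consumed = i + 2; return 1; }
    /* keep a trailing CR in case the LF arrives with the next read */
    *consumed = (len > 0 && buf[len - 1] == '\r') ? len - 1 : len;
    return 0;
}

/* Constructed input "HELO " + arg_len 'A's + CRLF: arg_len 505 is exactly at the
 * 512-octet limit, 506 is one over it. Returns the parser's verdict. */
enum smtp_status demo_line_with_arg_len(size_t arg_len)
{
    char buf[1024];
    struct smtp_cmd cmd;
    size_t used;
    if (arg_len > sizeof buf - 7) return SMTP_ERR_SYNTAX;
    memcpy(buf, "HELO ", 5);
    memset(buf + 5, 'A', arg_len);
    memcpy(buf + 5 + arg_len, "\r\n", 2);
    return smtp_parse_line(buf, 5 + arg_len + 2, &cmd, &used);
}

int main(void)
{
    /* Constructed client stream: two valid commands, then a 600-byte line. */
    const char *head = "ehlo client.example\r\nMAIL FROM:<a@example.test>\r\n";
    char stream[800];
    size_t len = strlen(head), pos = 0, used;
    struct smtp_cmd cmd;

    memcpy(stream, head, len);
    memset(stream + len, 'A', 600);
    memcpy(stream + len + 600, "\r\n", 2);
    len += 602;

    while (pos < len) {
        enum smtp_status st = smtp_parse_line(stream + pos, len - pos, &cmd, &used);
        if (st == SMTP_OK) {
            printf("250 ok: verb=%s arg=%s\n", cmd.verb, cmd.arg);
        } else if (st == SMTP_NEED_MORE) {
            break;                     /* wait for the rest of the line */
        } else {
            printf("%s\n", st == SMTP_ERR_TOO_LONG ? "500 Line too long" : "500 Syntax error");
            smtp_skip_line(stream + pos, len - pos, &used);
        }
        pos += used;
    }
    printf("unchecked handler copied %zu bytes of a short line\n", handle_line_unchecked("NOOP"));
    return 0;
}
```

The point of the bounded version is that the fixed buffers are never the thing that stops the copy: the length limit is enforced before any copy happens, and an over-long line is reported and skipped rather than truncated silently or written past the buffer.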

Stuartbe
22-02-2004, 21:55

Thanks for the heads up !! :eek: :eek: :eek:

Can this be made sticky !!! ?

DrAwesome
22-02-2004, 21:56
Thanks for the heads up !! :eek: :eek: :eek:

Can this be made sticky !!! ?

If you PM a mod, yes (I have asked for useful posts/info/links to be made permanent/sticky before & it has fallen on deaf ears)

Stuartbe
22-02-2004, 22:01
If you PM a mod, yes (I have asked for useful posts/info/links to be made permanent/sticky before & it has fallen on deaf ears)

PM on the way m8

Maggy
22-02-2004, 22:07
Thank goodness I updated on Friday.

DrAwesome
22-02-2004, 22:09
PM on the way m8

Slightly off on a tangent, I posted a link for you to have a look at for a cheap DLink 300G (http://forum.nthellworld.co.uk/showpost.php?p=147705&postcount=24) in the ADSL in the Alternatives to NTL forum. Did you catch it?

Stuartbe
22-02-2004, 22:12
Slightly off on a tangent, I posted a link for you to have a look at for a cheap DLink 300G (http://forum.nthellworld.co.uk/showpost.php?p=147705&postcount=24) in the ADSL in the Alternatives to NTL forum. Did you catch it?

Yep - thanks m8 - That's the one I am going for when I move........

BTW - Is it only the free version of ZA that is affected?

DrAwesome
22-02-2004, 22:15
Yep - thanks m8 - That's the one I am going for when I move........

BTW - Is it only the free version of ZA that is affected?

A security vulnerability exists in specific versions of ZoneAlarm®, ZoneAlarm Pro, ZoneAlarm Plus & the Zone Labs Integrity™ client. This vulnerability is caused by an unchecked buffer in Simple Mail Transfer Protocol (SMTP) processing which could lead to a buffer overflow. In order to exploit the vulnerability without user assistance, the target system must be operating as an SMTP server. Zone Labs does not recommend using our client security products to protect servers.

homealone
22-02-2004, 22:19
Yep - thanks m8 - That's the one I am going for when I move........

BTW - Is it only the free version of ZA that is affected?

doesn't seem so - I use ZA Pro & got an 'upgrade available' link :)

DrAwesome
22-02-2004, 22:20
To be on the safe side, if I was using the free version I would download it again today & re-install it.

carlingman
22-02-2004, 22:22
doesn't seem so - I use ZA Pro & got an 'upgrade available' link :)

Hmm strange.

Using Zone Alarm Pro here as well, installed in January, and when I choose the option to upgrade I am presented with the following -

Important Notice:

A current annual update and support subscription is required to install this updated version!

If you wish to remain eligible for this product release you will need to purchase an Annual Update and Support Renewal.

Your Renewal Options:

2-year Stay secure into 2006 $34.95 per user (SAVE $5)
To order a two-year Update and Support Renewal click here.

1-year Stay secure into 2005 $19.95 per user
To order a one-year Update and Support Renewal click here.


Please note: Your update to ZoneAlarm Pro will be presented to download after your Update and Support Subscription purchase.

:)

DrAwesome
22-02-2004, 22:28
The latest Zone Alarm Pro version is zapSetup_45_538_001 (4,891kb)

danielf
22-02-2004, 22:31
When I boot, I get ZA telling me there is an important update (version 4.5.538.001). Thing is, I've already installed it twice...

Anyone else getting this? If you follow the download link, it just downloads this file to your downloads folder. I've installed this twice now (using the upgrade rather than clean install option), but it doesn't seem to register?

homealone
22-02-2004, 22:52
When I boot, I get ZA telling me there is an important update (version 4.5.538.001). Thing is, I've already installed it twice...

Anyone else getting this? If you follow the download link, it just downloads this file to your downloads folder. I've installed this twice now (using the upgrade rather than clean install option), but it doesn't seem to register?

did you check the ' I want to register' button during the installation?

DrAwesome
22-02-2004, 23:00
My ZAP is still pending after 7 hrs of a clean install

The registration of this copy of ZoneAlarm Pro with Web Filtering is pending
(that should say Pondering) :)

danielf
22-02-2004, 23:09
did you check the ' I want to register' button during the installation?

Just tried that, re-upgraded (3rd time), rebooted, but no change. It still tells me there's a critical update. (running ZA free version on XP) :confused:

Stuartbe
22-02-2004, 23:10
Just tried that, re-upgraded (3rd time), rebooted, but no change. It still tells me there's a critical update. (running ZA free version on XP) :confused:

May be a silly question but have you allowed the registration part of zonealarm access to the internet ?

homealone
22-02-2004, 23:16
Just tried that, re-upgraded (3rd time), rebooted, but no change. It still tells me there's a critical update. (running ZA free version on XP) :confused:

Pro here - the upgrade installed with no probs, maybe it only affects the free version? - could it be firewall settings?

\win98se

Nemesis
22-02-2004, 23:17
Pro here - the upgrade installed with no probs, maybe it only affects the free version? - could it be firewall settings?

\win98se
Just upgraded here too ... pro ... no probs at all :D

danielf
22-02-2004, 23:18
May be a silly question but have you allowed the registration part of zonealarm access to the internet ?

I didn't get a ZA popup asking about it, but I'm looking into it now...

danielf
22-02-2004, 23:35
Right, I've given ZA extra privileges now, re-upgraded, and rebooted. I'll try the clean install option now. If that doesn't solve it, I don't know what will...

carlingman
22-02-2004, 23:35
Well, I have now ignored the important update pop-up and gone to the site manually to download the update, and am still presented with the pay-to-upgrade option -

Important Notice:

A current annual update and support subscription is required to install this updated version!

If you wish to remain eligible for this product release you will need to purchase an Annual Update and Support Renewal.

Your Renewal Options:

2-year Stay secure into 2006 $34.95 per user (SAVE $5)
To order a two-year Update and Support Renewal click here.

1-year Stay secure into 2005 $19.95 per user
To order a one-year Update and Support Renewal click here.


Please note: Your update to ZoneAlarm Pro will be presented to download after your Update and Support Subscription purchase.

WTF, pay again? The version I have was only installed in January.

Any ideas?

:D

Stuartbe
22-02-2004, 23:37

Hmmmm. Have you tried a re-install of the software?

Is your system clock correct?

danielf
22-02-2004, 23:48
I've done a clean install rather than upgrade now, and if I click the 'check for an update' button, it still tells me I need to upgrade....

Nemesis
22-02-2004, 23:53
Well, I have now ignored the important update pop-up and gone to the site manually to download the update, and am still presented with the pay-to-upgrade option -
Download the demo version .... it should detect that you have it already and upgrade as normal ..

Paul
23-02-2004, 00:49
TBH - I doubt 99% of you have anything to worry about - how many of you are actually running SMTP servers on your PC (which is a requirement to exploit this bug)?