winchester73
Administrator
Hero Member
 Offline
Posts: 4564
Half a bubble off plumb
|
 |
« on: July 08, 2008, 09:29:26 PM » |
|
For those of you using ZoneAlarm who installed the windows updates today, you probably already know that your internet connection has died. It appears that KB951748 made changes to the networking files that ZA doesn't see/recognize.
After two hours of messing around, I found an inelegant solution that will work temporarily ... set the Internet Zone Security permission slider from high to medium. The connection will be restored.
I discovered this after I finally figured out ZA was blocking my internet connections, and turned it off. Once everything worked again as normal, I started playing around and hit on this lowered permission setting.
I imagine the ZA forum will be full of better solutions, but thought this would get you back up and running in the short term.
|
|
|
|
|
Logged
|
|
|
|
winchester73
Administrator
Hero Member
Offline
Posts: 4564
Half a bubble off plumb
|
|
« Reply #1 on: July 08, 2008, 09:59:14 PM » |
|
Discussion here: http://www.dslreports.com/forum/r20759839-MS-update-KB951748-and-ZoneAlarm-PROBLEMPersonally, I'm not uninstalling/reinstalling ZA as suggested, nor am I wiping out all of my custom settings. For now, since I am hiding behind a router, I'll leave the Medium setting in place and await some sort of resolution after people have had a chance to think about it (without reacting first). |
|
|
|
|
Logged
|
|
|
|
Eric the Red
ISO/IEC 27001:2005
Administrator
Hero Member
Offline
Posts: 1458
Would somebody please pass me a beer!
|
|
« Reply #2 on: July 08, 2008, 10:23:53 PM » |
|
Please note, this update is not applicable to the following so should not appear on Auto Update:
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for Itanium-based Systems.
|
|
|
|
|
Logged
|
"The time to start running is around about the "e" in "Hey, you!" "Proud member  Since 2004 The information I provide is provided "AS IS" without warranty, and confers no rights.
|
|
|
dickw
Full Member
Offline
Posts: 244
Beautiful one day, perfect the next
|
|
« Reply #3 on: July 08, 2008, 10:47:07 PM » |
|
Greetings all, I have just completed on this PC downloading and installing - Update for Windows XP (KB951978)
- Security Update for Windows XP (KB951978)
- Windows Malicious Software Removal Tool (KB890830)
Rebooted, with no problems at all. I did check before doing so that my Zone Alarm Firewall was/is running on Medium so perhaps that is why I had no trouble.  |
|
|
|
|
Logged
|
Learning each day
"The true measure of a man is how he treats someone who can do him absolutely no good. - Samuel Johnson" (1709 - 1784)
|
|
|
|
sigma
|
|
« Reply #4 on: July 09, 2008, 10:40:12 AM » |
|
Who's been a busy bee? I saw your post at DSL reports when I became aware of reports of the problem. I hope you don't mind my further broadcasting your recommendation and linking to that post. Many thanks...  |
|
|
|
|
Logged
|
|
|
|
Corrine
The Mystical Rose
Administrator
Hero Member
Offline
Posts: 8716
"Stronger than the past, united in our goal."
|
|
« Reply #5 on: July 09, 2008, 01:34:04 PM » |
|
With further regard to the referenced Microsoft Update, KB 951748, it is an extremely important update and definitely should be installed. Unless you elect to replace ZA with another firewall, Winchester's work around is recommended. See Heise Security: Massive DNS security problem endangers the internetAlso from Heise Security: Microsoft patch day: nine plugged, two open This update appears to relate to the massive DNS security problems affecting multiple vendors. Amongst other things the patch ensures that the selection of the UDP source port for DNS queries is random. This may lead to problems with restrictive personal firewall configurations which rely on DNS queries always coming from the same port, resulting in users being disconnected from the internet. An allow rule, allowing UDP packets from arbitrary ports to UDP port 53 of the ISP's DNS server and the associated responses, is a possible workaround. The problem with Zone Alarm appears to be that it does not see the changes and continues to use the previously known files, ignoring the newer files provided in the update. |
|
|
|
|
Logged
|
 ,  Take a walk through the "Security Garden" -- Where Everything is Coming up Roses! Remember - A day without laughter is a day wasted. May the wind sing to you and the sun rise in your heart. |
|
|
|
|
|
Ripley
|
|
« Reply #7 on: July 09, 2008, 04:23:21 PM » |
|
Playing catchup with this topic:
XPSP2, ZA free, behind a router, and have not installed KB 951748 yet, thankfully.
Just skimmed through the DSL thread, haven't had time to get to the ZA forum.
Right now I am still trying to get my head around what I *thought* I recall in the MS advance notice bulletin that this KB 951748 update was labeled as "important" not "critical," in regards to what I am reading about this massive DNS security "problem" reported in the Heise article.
Will have more time tonight to check back to sort our my choices for a work around.
|
|
|
|
|
Logged
|
|
|
|
Corrine
The Mystical Rose
Administrator
Hero Member
Offline
Posts: 8716
"Stronger than the past, united in our goal."
|
|
« Reply #8 on: July 09, 2008, 07:50:30 PM » |
|
Ripley, if I had Windows XP and ZA, I would follow Winchester's advice.
|
|
|
|
|
Logged
|
, Take a walk through the "Security Garden" -- Where Everything is Coming up Roses! Remember - A day without laughter is a day wasted. May the wind sing to you and the sun rise in your heart. |
|
|
Corrine
The Mystical Rose
Administrator
Hero Member
Offline
Posts: 8716
"Stronger than the past, united in our goal."
|
|
« Reply #9 on: July 09, 2008, 10:27:39 PM » |
|
From Newsgroups: microsoft.public.windowsupdateCarl MSFT 7/9/2008 12:54 PM PST We (Microsoft) are aware of an issue that is affecting the ability of Zone Alarm customers to access the Internet after the installation of the MS08-037 (KB951748) Security Update released on July 9th. Both Microsoft and Zone Alarm are actively working on the issue. For further help in resolving the issue, we suggest you contact Zone Alarm customer service at 1-877-966-5221 (within North America), +1 415 633 4588 (outside the United States), or by faxing to +1 415 633 4589. The Zone Alarm website states that technical support is available for a fee by calling 877-365-ZONE (9663). If you have another means of accessing the Internet, the Zone Alarm website ( www.zonealarm.com) has some recommended workarounds. One of the temporary workarounds that is mentioned on the Zone Alarm website is to change the Zone Alarm Personal Firewall to a setting of “Medium” protection. The Zone Alarm site says that it does not recommend this option, as it may reduce your security level. Microsoft also does not recommend this workaround, but it may temporarily allow Internet access. |
|
|
|
|
Logged
|
, Take a walk through the "Security Garden" -- Where Everything is Coming up Roses! Remember - A day without laughter is a day wasted. May the wind sing to you and the sun rise in your heart. |
|
|
|
Ripley
|
|
« Reply #10 on: July 10, 2008, 01:18:04 AM » |
|
Having alittle more time to read through all this here, at broadbandreports (link above), and giving up over at ZA forums, who are swamped with multiple threads, it made more sense to me to install KB 951748 and make the reasonable temp workaround in ZA. Had I not been behind a router, I don't know if I'd make a choice to reduce the security level of my firewall however. As best I can understand this DNS issue, and the "coordinated" effort of those vendors, including MS to issue these patches, it seems that having the KB 951748 goes beyond "important." Was sooo appreciative that Winchester73 took the time to futz with the possible workarounds and report it. Better you than me around firewalls and troubleshooting connection issues. These are the type of "experiences" that get reported online that cause people to disregard or ignore certain OS security updates beyond the time of fixes or alternatives, and actually leave themselves in a more vulnerable position in the long run it seems. Once again Winchester73, thank you for the heads up...twas "hearing" violins playing hero cowboy music all day today  |
|
|
|
|
Logged
|
|
|
|
|
|
|
Ripley
|
|
« Reply #12 on: July 10, 2008, 01:38:45 AM » |
|
Since you are following the DSLR thread, you know that ZA has changed their press release ... from the last and worst option being to set the slider, to that now being option 1. Yes, saw that. You might end up with a job offer coming your way At this point, I think it is up to ZA to fix this issue. I think Microsoft has done what needs to be done regarding this security flaw. That's what my grey matter came up with as well. As I stated above, it makes more sense to make this MS update the priority, or get another firewall. I'll be watching Checkpoint's response. |
|
|
|
|
Logged
|
|
|
|
|
Ripley
|
|
« Reply #13 on: July 10, 2008, 02:49:04 AM » |
|
For those ZA people following, the Checkpoint/ZA press release page we are discussing is here As of the time of this post, there is a version update for the paid version: Recommended Actions -
Download and install latest versions here:
# ZoneAlarm Internet Security Suite
# Come back here for other product versions to be released soon - or follow the directions below. I am using a free version, so have no further info on whether it works. |
|
|
|
|
Logged
|
|
|
|
Eric the Red
ISO/IEC 27001:2005
Administrator
Hero Member
Offline
Posts: 1458
Would somebody please pass me a beer!
|
|
« Reply #14 on: July 10, 2008, 07:45:39 AM » |
|
Ripley,
Check back on that ZA page, it has been updated and now includes a solution for ZA Free.
|
|
|
|
|
Logged
|
"The time to start running is around about the "e" in "Hey, you!" "Proud member Since 2004 The information I provide is provided "AS IS" without warranty, and confers no rights.
|
|
|
|
