Zone Labs Security Advisory Severity: Low

Statement Regarding Reported Local Escalation of Privileges Vulnerability for ZoneAlarm


Local escalation of privileges

Remotely exploitable:

Affected software:
ZoneAlarm and its variations (6.1.744.000 and below)
Integrity (specific versions affected not yet determined)

Unaffected software:
ZoneAlarm and its variations (6.1.744.001 and above)

A local escalation of privileges issue in ZoneAlarm products does exist.

The TrueVector service (VSMON.exe), which runs under the local SYSTEM account, loads several DLLs (Dynamically Linked Libraries) as part of its startup process - which by default happens automatically when a user starts Windows. In some cases, DLLs may not be present in a given installation but will be searched for anyway. If a DLL matching one of those names appears in the set of directories searched, it may be loaded with the same privileges as the TrueVector service (SYSTEM level account). Internal testing of the issue is still ongoing, and additional symptoms may be undiscovered at this stage.
How an attacker may exploit this:
An attacker who succeeds placing a malicious DLL in a folder, which appears in the PATH before the ZoneAlarm folder, might run the malicious DLL under the SYSTEM local account privileges. Any software program that runs with SYSTEM privileges and dynamically loads DLLs from the PATH could be subjected to a similar issue.

Mitigating factors:
An attacker must first place, or convince the user to place, a malicious DLL in a folder that appears in the path before the ZoneAlarm folder. In order to accomplish this, the machine would already be compromised through another hacking method, either Trojan-like malware or through social engineering.

Patch Release:
This issue has been addressed in ZoneAlarm version 6.1.744.001, which was released to the public on March 27, 2006.

We encourage security researchers and users to report security related issues to

Contact: Zone Labs customers who are concerned about information contained in this advisory or have additional technical questions may reach our Technical Support team at: . To report security issues with Zone Labs products contact .

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products, are registered trademarks of Zone Labs Incorporated and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Copyright: ©2006 Zone Labs LLC All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative Enforcement are registered trademarks of Zone Labs LLC The Zone Labs logo, Check Point Integrity and IMsecure are trademarks of Zone Labs, LLC. Check Point Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC All other trademarks are the property of their respective owners.

Any reproduction of this alert other than as an unmodified copy of this file requires authorization from Zone Labs. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Zone Labs LLC.