MS DNS patch snuffs net connection for ZoneAlarm users Microsoft released four patches - all rated important - as part of its regular Patch Tuesday update cycle, one of which left ZoneAlarm users locked out the internet. The most significant of the quartet fixes a flaw in Windows' implementations of the Domain Name System protocol (MS08-037.mspx). Multiple vendors are subject to …
The MS patch known as, KB951748, has screwed internet / mail access on one of my rigs. However, on an almost indentical machine, (AMD vs INTEL) everything works fine. Both have Free AVG and Zonelabs software up to date and running. Outlook reports a "No sockets" error and t'internet times out.
I did notice that ZoneAlarm did not ask me for permission for the AVG email scanner to access the big outdoors with the patch applied. But, quite normally, it did ask if Outlook could step outside.
Uninstalling KB951748 solves the problem on the knacked kit.
I'm left scratchin' me ol'bonce.
A temporary solution for anyone suffering from the same problem who doesn't want to uninstall the patch or switch off/uninstall Zonealarm:
Open ZA>>Firewall>>Main>>Internet Zone Security>>Slider bar is on high? Move it to medium.
So, you can get semi-protection with the patch in the interim. This was tried and tested on two XP PCs and an XP laptop.
Hope someone finds that helpful.
Alex
I'm sure people will enjoy taking the opportunity to chastise Microsoft on this occasion. I on the other hand point the finger firmly at ZoneAlarm and blame it for utilising questionable methods within its software. Funny how other software firewall vendors aren't feeling the pain.
And what sort of ridiculous suggestion is it to uninstall a security fix?!! Surely a responsible company would have suggested that the user uninstall their broken firewall, use Windows Firewall as a temporary solution, and then install an updated version of the third-party firewall when a fix is available. I'm sure people will criticise the suggestion of temporarily using Windows Firewall, truth is that it's there and as far as software firewalls go it's not a bad product.
*shakes head in disbelief* Telling users to uninstall a security fix... Sheesh.
I'll get my coat. It's the one with "Don't take coding shortcuts" printed on the back.
I've read the headlines about this bug fix and I know that it's not just a MS issue, but if the problem is simply a lack of socket number entropy then surely this is an indication of the crappiness of the underlying Socket layer / TCP stack rather than a fault in the DNS protocol itself.
I note that djbdns (for one example), gets round the problem by binding to specific (random) port numbers in its requests, and I understand that these recent patches are doing similar things.
However, they shouldn't NEED to. This is a flaw in the OS's TCP stack. the OS should not be generating easy-to-guess socket numbers. Windows is particularly terrible in this respect (or at least I know it used to be) because it just allocates successive ephemeral port numbers. How crap is that??? Answer - VERY VERY crap!
OpenBSD fixed this problem a loooooooong time ago by randomising the ephemeral port allocation. This protects ALL network-bound appications, not just DNS.
And if stuff like Zone Alarm is now falling over because of this change, well what does that say about the security of Zone Alarm (ie - it must be making assumptions about the traffic it is monitoring based on the allocated socket numbers - again - how crap???)
It's all just as well that so much effort is being put into stuff like the latest MP3 player skin or animated dog cartoons in Word! 'Cos THEY are really important and useful!
Came in to work to find the PC having auto updated would not connect to the net at all. Spent (wasted) some time figuring out it was Zone Alarm, wasted more time re-installing it (as it has a tendency to self destruct on its own from time to time) before then having to surf the net with NO firewall to find it was the firewall and the latest MS update at fault. Have rolled back then to a LESS secure system so at least I can have the firewall on. Zone Alarm's forum is full of this, they must be in meltdown at the moment. Fancy having to turn off your firewall so you can get on the sodding net to find out what's wrong!!
I'm still running ZoneAlarm 6.1.744 on the machine that works fine with the patch.
T'other kit has 7.0.462 and that's knackered after applying KB951748.
Both instances of ZoneAlarm would appear to be doing their work fine - as a quick drop by to Steve Gibson's "Shields Up" site demonstrates.
Both instances have the Internet / Trusted settings at max.
**NOTE: uninstalling and reinstalling ZoneAlarm used to require a removal tool from ZoneLabs. **Need to check this first. But I'm happy to revert the knacked machine back to version 6.0 and keep going.
I think you ought to check your facts before jumping onto the usual Vista-bashing bandwagon - the security bulletin states that Vista 32/64 and Server 2008 are not affected and therefore don't need patching.
So with regard to your witty, insightful comment:
1. Vista must be more secure, as it doesn't need the patch required by previous versions of Windows, and
2. The fact that they've released the patch for XP surely means they haven't dropped support, as they're STILL RELEASING PATCHES.
No wonder you wanted to remain anonymous. Tw@.
Paris, cos she could outsmart you.
Millions use zonealarm, but you know MS wont test this patch with it.... Killed my internet connection on one machine (which i fortunately knew was down to the patch and not the very "helpful" troubleshooting advice that my router was the problem, as i was also playing Buzz online on my PS3)
I don't want to take sides, but Microsoft has "yielded" to the complaining of 3rd parties for years (since NT days) about security practices. There are tight ways of doing things for security, which some of MS OS has tried to incorporate and push (probably badly) onto 3rd party producers. There are even examples of this in Vista where they caved because of griping from vendors. The fact is, if you allow 3rd parties to do things in a shady way, they get dependent on that and gripe about changing. Both sides are to blame, IMO.
I have to say that the conflicts like this ZoneAlarm thing are pretty rare, despite how complex software is these days.
I don't want everyone to have to rely on a single source for a firewall or a web browser.
I know I seem to have dodged several issues through not depending on Microsoft.
Interesting thing: the Windows tracert utility was working, and giving domain names for non-local machines which I don't expect to find in any cache.
Following an item published on Zonealarms site I extended it to fix the e-mail which didn't work either.
In Zonealarm click on Firewall and the Main tab, set the Internet Zone Security back to High.
Then click on Custom - scroll down one and the bottom entry for the High zone is "allow outgoing TCP ports:" That will normally have (no ports selected) after it.
Click on the box on the left; a box will appear underneath for you to enter the ports to be allowed; in the box type "80, 110, 443" without the quotes.
Ports 80 and 443 allow the browser to work and port 110 allows pop3 e-mail to work.
This way you've got the M$ patch which you really do want and you've got most of the ZA security which is more than you get without it.
To ekimdam [a.k.a. MadMike]: Get a life!
To Mike: XP security updates will be around until 2014.
To Tim: Boo hoo. Microsoft tests their security fixes. But every PC is different. Fix has no problem [it seems] with ZA 6.1 but is a problem with 7.0.
All: Better off sticking with ZA and not touching the update until either one of them comes out with a fix.
I am in the US and my Toshiba laptop with XP Pro, SP2 installed will not connect to the Internet - and I do not have Zone Alarm. This all happened after it installed the updates while I was away from my laptop. I am at work now and will see what I can do when I get home tonight. I was not a happy camper (American saying...) last night when I thought my new network setup from this past weekend broke down!
Now I just have to figure out how to fix this...
I saw it happen right in front of my eyes. Patches got applied, and on reboot, no internet. I could easily ensure that external internet access was available (via my router diags) and soon found out that ZoneAlarm was the problem. I uninstalled that and switched to Comodo, and all is well. BTW, I also found that the Windows Fire curtain (cannot really call it a Wall, can I?) was turned on -- I don't know whether by this update or something earlier. Anyway, I of course turned that off.
http://news.yahoo.com/s/afp/20080709/ts_alt_afp/usitinternetsoftwarecrime
"Computer industry heavyweights are hustling to fix a flaw in the foundation of the Internet that would let hackers control traffic on the World Wide Web.
Major software and hardware makers worked in secret for months to create a software "patch" released on Tuesday to repair the problem, which is in the way computers are routed to web page addresses."
ZoneAlarm's support drives me around the bend.
There is an issue with ZoneAlarm whereby if ad blocking and cookie control is set, any web applications on your local machine won't work. This has been going on for years and years and is a pain in the neck for developers.
Their "log a call" support recognises the issue, but won't acknowledge it in public as a "known issue", stating the developers will "fix it when they will fix it". Yeah right, years later still nothing has happened. I logged the issue two years ago and again a month ago.
I tried posting on their forums about this issue, and they DELETED the post, YES you heard me right. There was nothing nasty about the post other than the fact I said the bug had been going on for years.
There are lots of other posts on ZoneAlarms forums that seem to point to this issue as well....
Alex
"Has ZoneAlarm EVER saved you from anything?"
Why, yes it has actually - many moons ago when it was still a "desk band" it prevented a suspiciously named executable getting out from my system that no AV program I was able to get my hands on was able to find (I ran a BBS at the time, so had access to quite a few). The executable deleted itself as soon as it was refused access.
Not a single machine has passed through my hands without installing a copy since if it had no other firewall.
I installed Windows update this morning during shut down operation. Cold booted the machine, was able to access Internet without any problems.
I have been a Zone Alarm and Zone Alarm Pro user for several years and have never had any problems with the product.
Your Uncledudly
> "Thats why I switched to a MAC. Life is great on the internet again since I switched!"
Now Abel, while I respect your good intent ;) we all know that *real* Mac users don't use all-caps when referring to their machines. It's not an acronym. Silly Abel. :)
Paris probably knows the difference between MAC and Mac.
Viruses "proper" haven't been a problem since the dawn of the internet. "Worms" only bite people who run servers, "Trojans" only affect people who click on stupid email links. Therefor virus scanners are an unnecessary drain on your system, usually worse than actually having a virus.
Sitting behind a NAT router makes firewalls near useless, and the last good software firewall died out long ago. (i.e. one where you could actually lock down ports and stayed out of the application layer, and refrained from obnoxious warnings)
Lastly, just use a "safe" browser (Firefox), and stay away from shady sites (no, that *isn't* really a naked picture of the Olson twins dikeing it out), install the latest updates (except for SP3 for god sakes), and you are sorted!
Could not log in to google yesterday and MS outlook would not send or receive.
What a pain, didn't figure out it was Zone Alarm until this morning, because Hughesnet had a satellite down too. Maybe it was MS update too. I wish MS would test things before they throw them out there so everybody's computer crashes!
Had to remove the patch from a machine that DID NOT have zone alarm installed!!!
Anyway software firewalls are a really bad idea - they run on the machine so allow the hacker got to the machine, Far better and easier to use an external firewall (netgear etc) which stops them getting to your machine in the firstplace.
Also, most people screw them up opening this port and that port or allowing software to do it for them having no idea what they are doing so all they end up is a fiewall with loads of unnecessary holes.
Save your money and buy a hardware firewall.
The real problem is ZoneAlarm. It's such a terrible product. I always advise anyone using it to uninstall it. With everyone using hardware boxes (home "routers") with built-in firewalls + Microsoft's forced use of Windows Firewall, there's really no reason to run another firewall, especially Zone Alarm.
Has anyone heard of other issues with the MS patches? I use a Watchguard hardware firewall, and still had the same problem. We came in to work yesterday to no internet, but our email was working fine. Today we finally disabeled "Webblocker" a software addon for Watchguard and the internet works fine.
With eerily similar symptoms-- no browser access to web and diags claiming "your hardware is busted bro", while ifconfig (ok, ipconfig, the btard Win version), netstat, netsh, ping, ftp all look and work normally.
XP with ZL, Vista with MacAfee (not my machine that last, just got punted to me with "Internet doesn't work" message. I only use ZL suite/Win or Linux, Linux of course is unaffected by the unwashed mass hysteria).
There will be lots of money for PC fixers here, MS will never admit their failure to fully regression test a patch, and even if they wanted to send out a fix... BwaHahahahah you can't there from here w/o IE! People starving for Internet access wandering the woods looking for succor (for a price)! Next months horse board here I come!
The reason that the does not have as many virii as the PC is not because it is immune. The reason is simply that relative to the number of PC users the mac is not used by anyone so why write a virus for it. How many businesses run mac servers? how many home users have macs?
I will admit that Windoz is rubbish, pretty much anything written with MS compilers is but if everyone had macs then there wouldnt be less virii just less people with computers. PCs are dirt cheap and plentiful and thats the problem enough malcontents get access and you get malware.
So leave the mac is special out, its only special because relative to PCs not owns one
Quite obvious MS in trying to knock the Zone Alarm folks. Their defender etc. is already available and they know most folks will simply stay with it once they remove ZA. Problem is ZA is VASTLY superior. Anyone who think it is unnecessary hasn't truly been around the block. Everything else is inferior, although I am trying Avast on one machine.
FU MS.
Ladies and Gents
Here in the SE USA I too was bitten by the bug.
Symptoms:
Desktop PC through wireless router to DOCSIS modem allowed me full access to email but very short (2 to 3 mins only) access to the WWW.
This PC had Zone Alarm Free edition installed.
Wireless Laptop had no issues at all but did not have Zone Alarm installed nor do I think that updates have been allowed for a couple of weeks.
I de-installed Zone Alarm and still had the same problem,
I de-installed KB951748 and all is back to normal.
I am going to sit back for a spell and wait until the collective suppliers of (Patches/software et al:) fix the issue at which time I will re-install Zone Alarm. I have been very happy with ZA for a couple of years now so indeed want it back on my system and soon.
Thanks all for the heads up.
Incidently, could not find any instance of KB951748 having been installed when I opened Control panel Add/Remove even though "Show Updates" was checked. I had to do a search for the patch then manually de-install it.
G. Earl// Atlanta Georgia USA
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
