back to article MS DNS patch snuffs net connection for ZoneAlarm users

Microsoft released four patches - all rated important - as part of its regular Patch Tuesday update cycle, one of which left ZoneAlarm users locked out the internet. The most significant of the quartet fixes a flaw in Windows' implementations of the Domain Name System protocol (MS08-037.mspx). Multiple vendors are subject to …


This topic is closed for new posts.
  1. Anonymous Coward

    don't think it's just Zone Alarm

    as i'm borked too unless I use IP addresses to connect - Using Windows Firewall and Safeconnect.

    It's a bitch :(

  2. Alastair Smith

    Works on my machine...

    ...which is Windows XP SP 2 with ZoneAlarm Internet Security Suite (the full antivirus, firewall, etc. shebang).

    Thanks for the heads-up, though; I'll know what to do if things start going arse-over-tit.

  3. William Morton

    same for me

    I uninstalled zonealarm, turned windows firewall back on and ran seconfig to bolt down the security.

    seconfig seems a useful tool and automates the lockdown I normally do manually get it from

  4. G Fan


    I had this happen last night after installing the patch. I found that turning "internet zone" security down to medium fixed the problem, so no need to turn off zonealarm completely.

  5. Scott Broukell

    Curious behavoir

    The MS patch known as, KB951748, has screwed internet / mail access on one of my rigs. However, on an almost indentical machine, (AMD vs INTEL) everything works fine. Both have Free AVG and Zonelabs software up to date and running. Outlook reports a "No sockets" error and t'internet times out.

    I did notice that ZoneAlarm did not ask me for permission for the AVG email scanner to access the big outdoors with the patch applied. But, quite normally, it did ask if Outlook could step outside.

    Uninstalling KB951748 solves the problem on the knacked kit.

    I'm left scratchin' me ol'bonce.

  6. Alex

    This problem stole 2.5 hours of my life

    A temporary solution for anyone suffering from the same problem who doesn't want to uninstall the patch or switch off/uninstall Zonealarm:

    Open ZA>>Firewall>>Main>>Internet Zone Security>>Slider bar is on high? Move it to medium.

    So, you can get semi-protection with the patch in the interim. This was tried and tested on two XP PCs and an XP laptop.

    Hope someone finds that helpful.


  7. Anonymous Coward
    Thumb Down

    Uninstall the patch?

    ZoneAlarm recommends that users uninstall the problematic patch, as a workaround, pending the resolution of the problem.

    So the alleged security firm is asking us to uninstall the security patch rather than uninstalling their scareware crap? What a surprise.

  8. Craig

    Passing the buck

    I'm sure people will enjoy taking the opportunity to chastise Microsoft on this occasion. I on the other hand point the finger firmly at ZoneAlarm and blame it for utilising questionable methods within its software. Funny how other software firewall vendors aren't feeling the pain.

    And what sort of ridiculous suggestion is it to uninstall a security fix?!! Surely a responsible company would have suggested that the user uninstall their broken firewall, use Windows Firewall as a temporary solution, and then install an updated version of the third-party firewall when a fix is available. I'm sure people will criticise the suggestion of temporarily using Windows Firewall, truth is that it's there and as far as software firewalls go it's not a bad product.

    *shakes head in disbelief* Telling users to uninstall a security fix... Sheesh.

    I'll get my coat. It's the one with "Don't take coding shortcuts" printed on the back.

  9. Rich Silver badge

    Socket entropy and cruddy TCP stacks

    I've read the headlines about this bug fix and I know that it's not just a MS issue, but if the problem is simply a lack of socket number entropy then surely this is an indication of the crappiness of the underlying Socket layer / TCP stack rather than a fault in the DNS protocol itself.

    I note that djbdns (for one example), gets round the problem by binding to specific (random) port numbers in its requests, and I understand that these recent patches are doing similar things.

    However, they shouldn't NEED to. This is a flaw in the OS's TCP stack. the OS should not be generating easy-to-guess socket numbers. Windows is particularly terrible in this respect (or at least I know it used to be) because it just allocates successive ephemeral port numbers. How crap is that??? Answer - VERY VERY crap!

    OpenBSD fixed this problem a loooooooong time ago by randomising the ephemeral port allocation. This protects ALL network-bound appications, not just DNS.

    And if stuff like Zone Alarm is now falling over because of this change, well what does that say about the security of Zone Alarm (ie - it must be making assumptions about the traffic it is monitoring based on the allocated socket numbers - again - how crap???)

    It's all just as well that so much effort is being put into stuff like the latest MP3 player skin or animated dog cartoons in Word! 'Cos THEY are really important and useful!

  10. slack

    So, the patch works

    Technically having no net connection will protect users from the DNS problem, but a cynical person might be tempted to think that MS was trying to get people away from using ZA.

  11. Anonymous Coward

    Connection Nobbled

    Came in to work to find the PC having auto updated would not connect to the net at all. Spent (wasted) some time figuring out it was Zone Alarm, wasted more time re-installing it (as it has a tendency to self destruct on its own from time to time) before then having to surf the net with NO firewall to find it was the firewall and the latest MS update at fault. Have rolled back then to a LESS secure system so at least I can have the firewall on. Zone Alarm's forum is full of this, they must be in meltdown at the moment. Fancy having to turn off your firewall so you can get on the sodding net to find out what's wrong!!

  12. Smallbrainfield
    Thumb Up

    This caught me out last night.

    I figured it was the patch causing the problem, but didn't realise it was affecting Zone Alarm. Thanks for the heads up.

  13. Anonymous Coward
    Gates Horns

    Vista vulnerable???

    I thought Vista was written with security as it's prime concern....

    Or was that just an excuse for them to drop support for XP and force everyone to shell out for the new OS?

  14. Scott Broukell

    Zone Alarm version ?

    I'm still running ZoneAlarm 6.1.744 on the machine that works fine with the patch.

    T'other kit has 7.0.462 and that's knackered after applying KB951748.

    Both instances of ZoneAlarm would appear to be doing their work fine - as a quick drop by to Steve Gibson's "Shields Up" site demonstrates.

    Both instances have the Internet / Trusted settings at max.

    **NOTE: uninstalling and reinstalling ZoneAlarm used to require a removal tool from ZoneLabs. **Need to check this first. But I'm happy to revert the knacked machine back to version 6.0 and keep going.

  15. Chris Miller

    Vista is not affected by this issue

    Based on my SP1 machines and comments on the ZA forums. I think I'll hold off from applying the patch to my XP/SP3 boxes, though :)

  16. Anonymous Coward
    Anonymous Coward

    I can't get Maplin today.

    Anyone else?

  17. Matt

    Easy way to check

    Just get ZoneAlarm to notify on every block it does.... if it's blocking any and all traffic then you need to either

    a) lower security to medium. or

    b) allow each app to be a trusted server and also allow every single IP it blocks.

    took 10 mins to figure out this morning.

  18. Mike
    Paris Hilton

    @ Vista vulnerable???

    I think you ought to check your facts before jumping onto the usual Vista-bashing bandwagon - the security bulletin states that Vista 32/64 and Server 2008 are not affected and therefore don't need patching.

    So with regard to your witty, insightful comment:

    1. Vista must be more secure, as it doesn't need the patch required by previous versions of Windows, and

    2. The fact that they've released the patch for XP surely means they haven't dropped support, as they're STILL RELEASING PATCHES.

    No wonder you wanted to remain anonymous. Tw@.

    Paris, cos she could outsmart you.

  19. Tim
    Gates Horns

    Seems Microsoft wont test with typical setups!

    Millions use zonealarm, but you know MS wont test this patch with it.... Killed my internet connection on one machine (which i fortunately knew was down to the patch and not the very "helpful" troubleshooting advice that my router was the problem, as i was also playing Buzz online on my PS3)

  20. Anonymous Coward

    Ref moving slider down

    Ref the suggestions about moving the slider down from max to medium, this didn't work for me (nor moving the slider right down!), the only cure was switching off ZA completely or rolling back the MS patch.

  21. De_Bunk
    Thumb Up

    Re: Zonealarm & Vista...

    No problems so far on Vista SP1 and free Zonealarm on high security settings.

  22. Anonymous Coward
    Anonymous Coward

    Zone Alarm problems

    Why don't you use an OS that doesn't require you to run stuff like Zone Alarm? Wouldn't that be the common sense thing to do?

    Just thought I would point out the bleedin' obvious :-)

  23. C. Fuhrman
    Gates Halo

    @Craig questionable security practices

    I don't want to take sides, but Microsoft has "yielded" to the complaining of 3rd parties for years (since NT days) about security practices. There are tight ways of doing things for security, which some of MS OS has tried to incorporate and push (probably badly) onto 3rd party producers. There are even examples of this in Vista where they caved because of griping from vendors. The fact is, if you allow 3rd parties to do things in a shady way, they get dependent on that and gripe about changing. Both sides are to blame, IMO.

    I have to say that the conflicts like this ZoneAlarm thing are pretty rare, despite how complex software is these days.

  24. ekimdam

    @ all you Zone Alarmists

    "I blame Microsoft blah, blah, blah...."

    Software 'firewalls' are a joke. Zone Alarmist is probably the worst of them...

    get real, get rid of it, & get over it

  25. Andy Livingstone


    If Vista is not getting KB951748, it seems unlikely to get the problem.

  26. Dave Bell


    I don't want everyone to have to rely on a single source for a firewall or a web browser.

    I know I seem to have dodged several issues through not depending on Microsoft.

    Interesting thing: the Windows tracert utility was working, and giving domain names for non-local machines which I don't expect to find in any cache.

  27. De_Bunk
    Paris Hilton


    My bad...I'd just woken up.

  28. Anonymous Coward
    Anonymous Coward

    Another workaraound

    Following an item published on Zonealarms site I extended it to fix the e-mail which didn't work either.

    In Zonealarm click on Firewall and the Main tab, set the Internet Zone Security back to High.

    Then click on Custom - scroll down one and the bottom entry for the High zone is "allow outgoing TCP ports:" That will normally have (no ports selected) after it.

    Click on the box on the left; a box will appear underneath for you to enter the ports to be allowed; in the box type "80, 110, 443" without the quotes.

    Ports 80 and 443 allow the browser to work and port 110 allows pop3 e-mail to work.

    This way you've got the M$ patch which you really do want and you've got most of the ZA security which is more than you get without it.

  29. Unkle Al
    Thumb Down

    Me too

    Got caught by this on two W2K and one XP machine last night. What a pain, time for ZA to go!

  30. Gis Bun

    Oh well....

    To ekimdam [a.k.a. MadMike]: Get a life!

    To Mike: XP security updates will be around until 2014.

    To Tim: Boo hoo. Microsoft tests their security fixes. But every PC is different. Fix has no problem [it seems] with ZA 6.1 but is a problem with 7.0.

    All: Better off sticking with ZA and not touching the update until either one of them comes out with a fix.

  31. Doug Glass


    Comodo Firewall Pro free is unaffected on my two machines that run it.

  32. Doug Glass

    Port 25

    RE: Another workaraound

    By Mike Collins

    "Now why didn't I think of that?"

    You might want to add port 25 too.

  33. Bob

    Affected W/O Zone Alarm

    I am in the US and my Toshiba laptop with XP Pro, SP2 installed will not connect to the Internet - and I do not have Zone Alarm. This all happened after it installed the updates while I was away from my laptop. I am at work now and will see what I can do when I get home tonight. I was not a happy camper (American saying...) last night when I thought my new network setup from this past weekend broke down!

    Now I just have to figure out how to fix this...

  34. Karthik

    Had this last night...

    I saw it happen right in front of my eyes. Patches got applied, and on reboot, no internet. I could easily ensure that external internet access was available (via my router diags) and soon found out that ZoneAlarm was the problem. I uninstalled that and switched to Comodo, and all is well. BTW, I also found that the Windows Fire curtain (cannot really call it a Wall, can I?) was turned on -- I don't know whether by this update or something earlier. Anyway, I of course turned that off.

  35. C. Fuhrman

    Maybe this is why there was not enough "testing" of the patch...

    "Computer industry heavyweights are hustling to fix a flaw in the foundation of the Internet that would let hackers control traffic on the World Wide Web.

    Major software and hardware makers worked in secret for months to create a software "patch" released on Tuesday to repair the problem, which is in the way computers are routed to web page addresses."

  36. Peter Mc Aulay


    An automatic update that takes a Windows box off the internet, bliss.

    That said, I won't touch ZoneAlarm with a 10' pole since it broke my Win98 tcp/ip stack so badly a full OS reinstall was necessary, way back when.

  37. Funky Dennis
    Thumb Up

    Re: all you Zone Alarmists

    "Software 'firewalls' are a joke. Zone Alarmist is probably the worst of them...

    get real, get rid of it, & get over it"

    Amen brother!

    @Gis Bun

    Has ZoneAlarm EVER saved you from anything?

    Security theatre, anybody?

  38. Alex
    Thumb Down


    ZoneAlarm's support drives me around the bend.

    There is an issue with ZoneAlarm whereby if ad blocking and cookie control is set, any web applications on your local machine won't work. This has been going on for years and years and is a pain in the neck for developers.

    Their "log a call" support recognises the issue, but won't acknowledge it in public as a "known issue", stating the developers will "fix it when they will fix it". Yeah right, years later still nothing has happened. I logged the issue two years ago and again a month ago.

    I tried posting on their forums about this issue, and they DELETED the post, YES you heard me right. There was nothing nasty about the post other than the fact I said the bug had been going on for years.

    There are lots of other posts on ZoneAlarms forums that seem to point to this issue as well....


  39. Anonymous Coward
    Anonymous Coward

    RE Another Workaround

    Thanks to Doug Glass above - Include port 25 which is used for sending email.

    Silly me didn't test it fully - I should apply to M$ for a job.

    So include ports 25, 80, 110, 443 in the Allow outgoing TCP ports list.

  40. Abel

    LOL---- Again?

    Thats why I switched to a MAC. Life is great on the internet again since I switched!

  41. john ambrose

    MY VISTA DID NOT INSTALL IT machine refused it somehow......everything works ok.....or was this only for XP.........I have Vista Home Premium...well, no fguss here, life as we know it goes on....kerplunk...Ohio is safe so far

  42. Anonymous Coward
    Thumb Up

    FAO: Flunky Dennis

    "Has ZoneAlarm EVER saved you from anything?"

    Why, yes it has actually - many moons ago when it was still a "desk band" it prevented a suspiciously named executable getting out from my system that no AV program I was able to get my hands on was able to find (I ran a BBS at the time, so had access to quite a few). The executable deleted itself as soon as it was refused access.

    Not a single machine has passed through my hands without installing a copy since if it had no other firewall.

  43. Smallbrainfield

    I wonder how many poor sods downloaded this update last night

    and now have no internet access? You can't find out about the problem unless you can visit a website and a fair few folk probably don't have a clue what's happened to them. I think I'm going to download Sunbelt or Comodo tonight.

  44. Uncledudly
    Thumb Up

    Tuesday update cycle, one of which left ZoneAlarm users locked out the internet.

    I installed Windows update this morning during shut down operation. Cold booted the machine, was able to access Internet without any problems.

    I have been a Zone Alarm and Zone Alarm Pro user for several years and have never had any problems with the product.

    Your Uncledudly

  45. Anonymous Coward
    Paris Hilton

    Silly wabbit, MACs are for (sumthin'-or-other)

    > "Thats why I switched to a MAC. Life is great on the internet again since I switched!"

    Now Abel, while I respect your good intent ;) we all know that *real* Mac users don't use all-caps when referring to their machines. It's not an acronym. Silly Abel. :)

    Paris probably knows the difference between MAC and Mac.

  46. Anonymous Coward
    Paris Hilton

    All popular security products are worse than the problems they suposedly prevent

    Viruses "proper" haven't been a problem since the dawn of the internet. "Worms" only bite people who run servers, "Trojans" only affect people who click on stupid email links. Therefor virus scanners are an unnecessary drain on your system, usually worse than actually having a virus.

    Sitting behind a NAT router makes firewalls near useless, and the last good software firewall died out long ago. (i.e. one where you could actually lock down ports and stayed out of the application layer, and refrained from obnoxious warnings)

    Lastly, just use a "safe" browser (Firefox), and stay away from shady sites (no, that *isn't* really a naked picture of the Olson twins dikeing it out), install the latest updates (except for SP3 for god sakes), and you are sorted!

  47. Anonymous Coward
    Anonymous Coward

    Also affected google log in and my mail

    Could not log in to google yesterday and MS outlook would not send or receive.

    What a pain, didn't figure out it was Zone Alarm until this morning, because Hughesnet had a satellite down too. Maybe it was MS update too. I wish MS would test things before they throw them out there so everybody's computer crashes!

  48. Paul Ashbrook

    Ha ha ha

    Best laugh I've had so far this month!!!

  49. Walter McCann
    Black Helicopters

    Not Just zonealarm

    Had to remove the patch from a machine that DID NOT have zone alarm installed!!!

    Anyway software firewalls are a really bad idea - they run on the machine so allow the hacker got to the machine, Far better and easier to use an external firewall (netgear etc) which stops them getting to your machine in the firstplace.

    Also, most people screw them up opening this port and that port or allowing software to do it for them having no idea what they are doing so all they end up is a fiewall with loads of unnecessary holes.

    Save your money and buy a hardware firewall.

  50. Anonymous Coward
    Anonymous Coward


    The real problem is ZoneAlarm. It's such a terrible product. I always advise anyone using it to uninstall it. With everyone using hardware boxes (home "routers") with built-in firewalls + Microsoft's forced use of Windows Firewall, there's really no reason to run another firewall, especially Zone Alarm.

  51. Harry Stottle

    Zone Alarm update is now available

    and I've installed it (and then the Windoze update) on 7 machines so far and it works

  52. Joe

    Other software issues

    Has anyone heard of other issues with the MS patches? I use a Watchguard hardware firewall, and still had the same problem. We came in to work yesterday to no internet, but our email was working fine. Today we finally disabeled "Webblocker" a software addon for Watchguard and the internet works fine.

  53. Anonymous Coward

    XP and Vista titsup

    With eerily similar symptoms-- no browser access to web and diags claiming "your hardware is busted bro", while ifconfig (ok, ipconfig, the btard Win version), netstat, netsh, ping, ftp all look and work normally.

    XP with ZL, Vista with MacAfee (not my machine that last, just got punted to me with "Internet doesn't work" message. I only use ZL suite/Win or Linux, Linux of course is unaffected by the unwashed mass hysteria).

    There will be lots of money for PC fixers here, MS will never admit their failure to fully regression test a patch, and even if they wanted to send out a fix... BwaHahahahah you can't there from here w/o IE! People starving for Internet access wandering the woods looking for succor (for a price)! Next months horse board here I come!

  54. William Morton

    to all those "I have a mac im so cleaver"

    The reason that the does not have as many virii as the PC is not because it is immune. The reason is simply that relative to the number of PC users the mac is not used by anyone so why write a virus for it. How many businesses run mac servers? how many home users have macs?

    I will admit that Windoz is rubbish, pretty much anything written with MS compilers is but if everyone had macs then there wouldnt be less virii just less people with computers. PCs are dirt cheap and plentiful and thats the problem enough malcontents get access and you get malware.

    So leave the mac is special out, its only special because relative to PCs not owns one

  55. Anonymous Coward
    Anonymous Coward

    DesktopBSD is free...

    and people are still paying for Microsoft.


  56. Anonymous Coward
    Gates Horns

    MS to BLAME!!!

    Quite obvious MS in trying to knock the Zone Alarm folks. Their defender etc. is already available and they know most folks will simply stay with it once they remove ZA. Problem is ZA is VASTLY superior. Anyone who think it is unnecessary hasn't truly been around the block. Everything else is inferior, although I am trying Avast on one machine.

    FU MS.

  57. James Summerson
    Thumb Up

    Patch d/l'd

    Patch zapSetup_70_483_000_en.exe downloaded and all's well in the Zone Alarm world!

  58. Robert Hulley


    Hit my Windows machines too. Good thing I also run a Linux desktop. I could establish what the problem was and fix it fast. But if I had not had net access via Linux, it could have taken ages.

    Something to do with eggs and baskets.......

    Bob H

  59. Eric Earl

    Partial resolution

    Ladies and Gents

    Here in the SE USA I too was bitten by the bug.


    Desktop PC through wireless router to DOCSIS modem allowed me full access to email but very short (2 to 3 mins only) access to the WWW.

    This PC had Zone Alarm Free edition installed.

    Wireless Laptop had no issues at all but did not have Zone Alarm installed nor do I think that updates have been allowed for a couple of weeks.

    I de-installed Zone Alarm and still had the same problem,

    I de-installed KB951748 and all is back to normal.

    I am going to sit back for a spell and wait until the collective suppliers of (Patches/software et al:) fix the issue at which time I will re-install Zone Alarm. I have been very happy with ZA for a couple of years now so indeed want it back on my system and soon.

    Thanks all for the heads up.

    Incidently, could not find any instance of KB951748 having been installed when I opened Control panel Add/Remove even though "Show Updates" was checked. I had to do a search for the patch then manually de-install it.

    G. Earl// Atlanta Georgia USA

This topic is closed for new posts.

Other stories you might like