I had this happen last night after installing the patch. I found that turning "internet zone" security down to medium fixed the problem, so no need to turn off zonealarm completely.
By Scott BroukellPosted Wednesday 9th July 2008 10:33 GMT
The MS patch known as, KB951748, has screwed internet / mail access on one of my rigs. However, on an almost indentical machine, (AMD vs INTEL) everything works fine. Both have Free AVG and Zonelabs software up to date and running. Outlook reports a "No sockets" error and t'internet times out.
I did notice that ZoneAlarm did not ask me for permission for the AVG email scanner to access the big outdoors with the patch applied. But, quite normally, it did ask if Outlook could step outside.
Uninstalling KB951748 solves the problem on the knacked kit.
I've read the headlines about this bug fix and I know that it's not just a MS issue, but if the problem is simply a lack of socket number entropy then surely this is an indication of the crappiness of the underlying Socket layer / TCP stack rather than a fault in the DNS protocol itself.
I note that djbdns (for one example), gets round the problem by binding to specific (random) port numbers in its requests, and I understand that these recent patches are doing similar things.
However, they shouldn't NEED to. This is a flaw in the OS's TCP stack. the OS should not be generating easy-to-guess socket numbers. Windows is particularly terrible in this respect (or at least I know it used to be) because it just allocates successive ephemeral port numbers. How crap is that??? Answer - VERY VERY crap!
OpenBSD fixed this problem a loooooooong time ago by randomising the ephemeral port allocation. This protects ALL network-bound appications, not just DNS.
And if stuff like Zone Alarm is now falling over because of this change, well what does that say about the security of Zone Alarm (ie - it must be making assumptions about the traffic it is monitoring based on the allocated socket numbers - again - how crap???)
It's all just as well that so much effort is being put into stuff like the latest MP3 player skin or animated dog cartoons in Word! 'Cos THEY are really important and useful!
I'm sure people will enjoy taking the opportunity to chastise Microsoft on this occasion. I on the other hand point the finger firmly at ZoneAlarm and blame it for utilising questionable methods within its software. Funny how other software firewall vendors aren't feeling the pain.
And what sort of ridiculous suggestion is it to uninstall a security fix?!! Surely a responsible company would have suggested that the user uninstall their broken firewall, use Windows Firewall as a temporary solution, and then install an updated version of the third-party firewall when a fix is available. I'm sure people will criticise the suggestion of temporarily using Windows Firewall, truth is that it's there and as far as software firewalls go it's not a bad product.
*shakes head in disbelief* Telling users to uninstall a security fix... Sheesh.
I'll get my coat. It's the one with "Don't take coding shortcuts" printed on the back.
Technically having no net connection will protect users from the DNS problem, but a cynical person might be tempted to think that MS was trying to get people away from using ZA.
By Anonymous CowardPosted Wednesday 9th July 2008 11:04 GMT
Came in to work to find the PC having auto updated would not connect to the net at all. Spent (wasted) some time figuring out it was Zone Alarm, wasted more time re-installing it (as it has a tendency to self destruct on its own from time to time) before then having to surf the net with NO firewall to find it was the firewall and the latest MS update at fault. Have rolled back then to a LESS secure system so at least I can have the firewall on. Zone Alarm's forum is full of this, they must be in meltdown at the moment. Fancy having to turn off your firewall so you can get on the sodding net to find out what's wrong!!
By Scott BroukellPosted Wednesday 9th July 2008 11:36 GMT
I'm still running ZoneAlarm 6.1.744 on the machine that works fine with the patch.
T'other kit has 7.0.462 and that's knackered after applying KB951748.
Both instances of ZoneAlarm would appear to be doing their work fine - as a quick drop by to Steve Gibson's "Shields Up" site demonstrates.
Both instances have the Internet / Trusted settings at max.
**NOTE: uninstalling and reinstalling ZoneAlarm used to require a removal tool from ZoneLabs. **Need to check this first. But I'm happy to revert the knacked machine back to version 6.0 and keep going.
I think you ought to check your facts before jumping onto the usual Vista-bashing bandwagon - the security bulletin states that Vista 32/64 and Server 2008 are not affected and therefore don't need patching.
So with regard to your witty, insightful comment:
1. Vista must be more secure, as it doesn't need the patch required by previous versions of Windows, and
2. The fact that they've released the patch for XP surely means they haven't dropped support, as they're STILL RELEASING PATCHES.
Millions use zonealarm, but you know MS wont test this patch with it.... Killed my internet connection on one machine (which i fortunately knew was down to the patch and not the very "helpful" troubleshooting advice that my router was the problem, as i was also playing Buzz online on my PS3)
By Anonymous CowardPosted Wednesday 9th July 2008 12:44 GMT
Ref the suggestions about moving the slider down from max to medium, this didn't work for me (nor moving the slider right down!), the only cure was switching off ZA completely or rolling back the MS patch.
By C. FuhrmanPosted Wednesday 9th July 2008 13:44 GMT
I don't want to take sides, but Microsoft has "yielded" to the complaining of 3rd parties for years (since NT days) about security practices. There are tight ways of doing things for security, which some of MS OS has tried to incorporate and push (probably badly) onto 3rd party producers. There are even examples of this in Vista where they caved because of griping from vendors. The fact is, if you allow 3rd parties to do things in a shady way, they get dependent on that and gripe about changing. Both sides are to blame, IMO.
I have to say that the conflicts like this ZoneAlarm thing are pretty rare, despite how complex software is these days.
By Mike CollinsPosted Wednesday 9th July 2008 14:17 GMT
Following an item published on Zonealarms site I extended it to fix the e-mail which didn't work either.
In Zonealarm click on Firewall and the Main tab, set the Internet Zone Security back to High.
Then click on Custom - scroll down one and the bottom entry for the High zone is "allow outgoing TCP ports:" That will normally have (no ports selected) after it.
Click on the box on the left; a box will appear underneath for you to enter the ports to be allowed; in the box type "80, 110, 443" without the quotes.
Ports 80 and 443 allow the browser to work and port 110 allows pop3 e-mail to work.
This way you've got the M$ patch which you really do want and you've got most of the ZA security which is more than you get without it.
I am in the US and my Toshiba laptop with XP Pro, SP2 installed will not connect to the Internet - and I do not have Zone Alarm. This all happened after it installed the updates while I was away from my laptop. I am at work now and will see what I can do when I get home tonight. I was not a happy camper (American saying...) last night when I thought my new network setup from this past weekend broke down!
By KarthikPosted Wednesday 9th July 2008 15:32 GMT
I saw it happen right in front of my eyes. Patches got applied, and on reboot, no internet. I could easily ensure that external internet access was available (via my router diags) and soon found out that ZoneAlarm was the problem. I uninstalled that and switched to Comodo, and all is well. BTW, I also found that the Windows Fire curtain (cannot really call it a Wall, can I?) was turned on -- I don't know whether by this update or something earlier. Anyway, I of course turned that off.
Maybe this is why there was not enough "testing" of the patch... #
By C. FuhrmanPosted Wednesday 9th July 2008 16:18 GMT
"Computer industry heavyweights are hustling to fix a flaw in the foundation of the Internet that would let hackers control traffic on the World Wide Web.
Major software and hardware makers worked in secret for months to create a software "patch" released on Tuesday to repair the problem, which is in the way computers are routed to web page addresses."
There is an issue with ZoneAlarm whereby if ad blocking and cookie control is set, any web applications on your local machine won't work. This has been going on for years and years and is a pain in the neck for developers.
Their "log a call" support recognises the issue, but won't acknowledge it in public as a "known issue", stating the developers will "fix it when they will fix it". Yeah right, years later still nothing has happened. I logged the issue two years ago and again a month ago.
I tried posting on their forums about this issue, and they DELETED the post, YES you heard me right. There was nothing nasty about the post other than the fact I said the bug had been going on for years.
There are lots of other posts on ZoneAlarms forums that seem to point to this issue as well....
By john ambrosePosted Wednesday 9th July 2008 18:09 GMT
......my machine refused it somehow......everything works ok.....or was this only for XP.........I have Vista Home Premium...well, no fguss here, life as we know it goes on....kerplunk...Ohio is safe so far
By Anonymous CowardPosted Wednesday 9th July 2008 19:15 GMT
"Has ZoneAlarm EVER saved you from anything?"
Why, yes it has actually - many moons ago when it was still a "desk band" it prevented a suspiciously named executable getting out from my system that no AV program I was able to get my hands on was able to find (I ran a BBS at the time, so had access to quite a few). The executable deleted itself as soon as it was refused access.
Not a single machine has passed through my hands without installing a copy since if it had no other firewall.
I wonder how many poor sods downloaded this update last night #
By SmallbrainfieldPosted Wednesday 9th July 2008 20:32 GMT
and now have no internet access? You can't find out about the problem unless you can visit a website and a fair few folk probably don't have a clue what's happened to them. I think I'm going to download Sunbelt or Comodo tonight.
Tuesday update cycle, one of which left ZoneAlarm users locked out the internet. #
By UncledudlyPosted Wednesday 9th July 2008 20:37 GMT
I installed Windows update this morning during shut down operation. Cold booted the machine, was able to access Internet without any problems.
I have been a Zone Alarm and Zone Alarm Pro user for several years and have never had any problems with the product.
By Anonymous CowardPosted Wednesday 9th July 2008 21:23 GMT
> "Thats why I switched to a MAC. Life is great on the internet again since I switched!"
Now Abel, while I respect your good intent ;) we all know that *real* Mac users don't use all-caps when referring to their machines. It's not an acronym. Silly Abel. :)
Paris probably knows the difference between MAC and Mac.
All popular security products are worse than the problems they suposedly prevent #
By Brent GardnerPosted Thursday 10th July 2008 08:45 GMT
Viruses "proper" haven't been a problem since the dawn of the internet. "Worms" only bite people who run servers, "Trojans" only affect people who click on stupid email links. Therefor virus scanners are an unnecessary drain on your system, usually worse than actually having a virus.
Sitting behind a NAT router makes firewalls near useless, and the last good software firewall died out long ago. (i.e. one where you could actually lock down ports and stayed out of the application layer, and refrained from obnoxious warnings)
Lastly, just use a "safe" browser (Firefox), and stay away from shady sites (no, that *isn't* really a naked picture of the Olson twins dikeing it out), install the latest updates (except for SP3 for god sakes), and you are sorted!
By Anonymous CowardPosted Thursday 10th July 2008 11:01 GMT
Could not log in to google yesterday and MS outlook would not send or receive.
What a pain, didn't figure out it was Zone Alarm until this morning, because Hughesnet had a satellite down too. Maybe it was MS update too. I wish MS would test things before they throw them out there so everybody's computer crashes!
By Walter McCannPosted Thursday 10th July 2008 14:19 GMT
Had to remove the patch from a machine that DID NOT have zone alarm installed!!!
Anyway software firewalls are a really bad idea - they run on the machine so allow the hacker got to the machine, Far better and easier to use an external firewall (netgear etc) which stops them getting to your machine in the firstplace.
Also, most people screw them up opening this port and that port or allowing software to do it for them having no idea what they are doing so all they end up is a fiewall with loads of unnecessary holes.
By Anonymous CowardPosted Thursday 10th July 2008 15:17 GMT
The real problem is ZoneAlarm. It's such a terrible product. I always advise anyone using it to uninstall it. With everyone using hardware boxes (home "routers") with built-in firewalls + Microsoft's forced use of Windows Firewall, there's really no reason to run another firewall, especially Zone Alarm.
Has anyone heard of other issues with the MS patches? I use a Watchguard hardware firewall, and still had the same problem. We came in to work yesterday to no internet, but our email was working fine. Today we finally disabeled "Webblocker" a software addon for Watchguard and the internet works fine.
By Anonymous CowardPosted Thursday 10th July 2008 17:55 GMT
With eerily similar symptoms-- no browser access to web and diags claiming "your hardware is busted bro", while ifconfig (ok, ipconfig, the btard Win version), netstat, netsh, ping, ftp all look and work normally.
XP with ZL, Vista with MacAfee (not my machine that last, just got punted to me with "Internet doesn't work" message. I only use ZL suite/Win or Linux, Linux of course is unaffected by the unwashed mass hysteria).
There will be lots of money for PC fixers here, MS will never admit their failure to fully regression test a patch, and even if they wanted to send out a fix... BwaHahahahah you can't there from here w/o IE! People starving for Internet access wandering the woods looking for succor (for a price)! Next months horse board here I come!
By William MortonPosted Thursday 10th July 2008 18:42 GMT
The reason that the does not have as many virii as the PC is not because it is immune. The reason is simply that relative to the number of PC users the mac is not used by anyone so why write a virus for it. How many businesses run mac servers? how many home users have macs?
I will admit that Windoz is rubbish, pretty much anything written with MS compilers is but if everyone had macs then there wouldnt be less virii just less people with computers. PCs are dirt cheap and plentiful and thats the problem enough malcontents get access and you get malware.
So leave the mac is special out, its only special because relative to PCs not owns one
By Anonymous CowardPosted Thursday 10th July 2008 23:17 GMT
Quite obvious MS in trying to knock the Zone Alarm folks. Their defender etc. is already available and they know most folks will simply stay with it once they remove ZA. Problem is ZA is VASTLY superior. Anyone who think it is unnecessary hasn't truly been around the block. Everything else is inferior, although I am trying Avast on one machine.
By Robert HulleyPosted Friday 11th July 2008 08:34 GMT
Hit my Windows machines too. Good thing I also run a Linux desktop. I could establish what the problem was and fix it fast. But if I had not had net access via Linux, it could have taken ages.
By Eric Earl Posted Friday 11th July 2008 20:31 GMT
Ladies and Gents
Here in the SE USA I too was bitten by the bug.
Symptoms:
Desktop PC through wireless router to DOCSIS modem allowed me full access to email but very short (2 to 3 mins only) access to the WWW.
This PC had Zone Alarm Free edition installed.
Wireless Laptop had no issues at all but did not have Zone Alarm installed nor do I think that updates have been allowed for a couple of weeks.
I de-installed Zone Alarm and still had the same problem,
I de-installed KB951748 and all is back to normal.
I am going to sit back for a spell and wait until the collective suppliers of (Patches/software et al:) fix the issue at which time I will re-install Zone Alarm. I have been very happy with ZA for a couple of years now so indeed want it back on my system and soon.
Thanks all for the heads up.
Incidently, could not find any instance of KB951748 having been installed when I opened Control panel Add/Remove even though "Show Updates" was checked. I had to do a search for the patch then manually de-install it.
Comments on: MS DNS patch snuffs net connection for ZoneAlarm users
don't think it's just Zone Alarm #
By Anonymous Coward Posted Wednesday 9th July 2008 10:11 GMT
Works on my machine... #
By Alastair Smith Posted Wednesday 9th July 2008 10:26 GMT
Workaround #
By G Fan Posted Wednesday 9th July 2008 10:31 GMT
same for me #
By William Morton Posted Wednesday 9th July 2008 10:32 GMT
Curious behavoir #
By Scott Broukell Posted Wednesday 9th July 2008 10:33 GMT
This problem stole 2.5 hours of my life #
By Alex Posted Wednesday 9th July 2008 10:35 GMT
Uninstall the patch? #
By Anonymous Coward Posted Wednesday 9th July 2008 10:45 GMT
Socket entropy and cruddy TCP stacks #
By Rich Posted Wednesday 9th July 2008 10:54 GMT
Passing the buck #
By Craig Posted Wednesday 9th July 2008 10:54 GMT
So, the patch works #
By slack Posted Wednesday 9th July 2008 10:59 GMT
Connection Nobbled #
By Anonymous Coward Posted Wednesday 9th July 2008 11:04 GMT
This caught me out last night. #
By Smallbrainfield Posted Wednesday 9th July 2008 11:05 GMT
Vista vulnerable??? #
By Anonymous Coward Posted Wednesday 9th July 2008 11:10 GMT
Zone Alarm version ? #
By Scott Broukell Posted Wednesday 9th July 2008 11:36 GMT
Vista is not affected by this issue #
By Chris Miller Posted Wednesday 9th July 2008 11:44 GMT
I can't get Maplin today. #
By Mycho Posted Wednesday 9th July 2008 12:22 GMT
Easy way to check #
By Matt Posted Wednesday 9th July 2008 12:29 GMT
@ Vista vulnerable??? #
By Mike Posted Wednesday 9th July 2008 12:30 GMT
Seems Microsoft wont test with typical setups! #
By Tim Posted Wednesday 9th July 2008 12:30 GMT
Ref moving slider down #
By Anonymous Coward Posted Wednesday 9th July 2008 12:44 GMT
Re: Zonealarm & Vista... #
By De_Bunk Posted Wednesday 9th July 2008 12:47 GMT
Zone Alarm problems #
By Anonymous Coward Posted Wednesday 9th July 2008 12:58 GMT
@Craig questionable security practices #
By C. Fuhrman Posted Wednesday 9th July 2008 13:44 GMT
@ all you Zone Alarmists #
By ekimdam Posted Wednesday 9th July 2008 13:53 GMT
@DeBunk #
By Andy Livingstone Posted Wednesday 9th July 2008 13:55 GMT
Diversity #
By Dave Bell Posted Wednesday 9th July 2008 14:13 GMT
@Andy #
By De_Bunk Posted Wednesday 9th July 2008 14:15 GMT
Another workaraound #
By Mike Collins Posted Wednesday 9th July 2008 14:17 GMT
Me too #
By Unkle Al Posted Wednesday 9th July 2008 14:25 GMT
Oh well.... #
By Gis Bun Posted Wednesday 9th July 2008 14:45 GMT
Unaffected #
By Doug Glass Posted Wednesday 9th July 2008 14:57 GMT
Port 25 #
By Doug Glass Posted Wednesday 9th July 2008 15:11 GMT
Affected W/O Zone Alarm #
By Bob Posted Wednesday 9th July 2008 15:28 GMT
Had this last night... #
By Karthik Posted Wednesday 9th July 2008 15:32 GMT
Maybe this is why there was not enough "testing" of the patch... #
By C. Fuhrman Posted Wednesday 9th July 2008 16:18 GMT
Heh #
By Peter Mc Aulay Posted Wednesday 9th July 2008 16:20 GMT
Re: all you Zone Alarmists #
By Funky Dennis Posted Wednesday 9th July 2008 16:25 GMT
Countersoft #
By Alex Posted Wednesday 9th July 2008 16:42 GMT
RE Another Workaround #
By Mike Collins Posted Wednesday 9th July 2008 16:48 GMT
LOL---- Again? #
By Abel Posted Wednesday 9th July 2008 17:09 GMT
MY VISTA DID NOT INSTALL IT #
By john ambrose Posted Wednesday 9th July 2008 18:09 GMT
FAO: Flunky Dennis #
By Anonymous Coward Posted Wednesday 9th July 2008 19:15 GMT
I wonder how many poor sods downloaded this update last night #
By Smallbrainfield Posted Wednesday 9th July 2008 20:32 GMT
Tuesday update cycle, one of which left ZoneAlarm users locked out the internet. #
By Uncledudly Posted Wednesday 9th July 2008 20:37 GMT
Silly wabbit, MACs are for (sumthin'-or-other) #
By Anonymous Coward Posted Wednesday 9th July 2008 21:23 GMT
All popular security products are worse than the problems they suposedly prevent #
By Brent Gardner Posted Thursday 10th July 2008 08:45 GMT
Also affected google log in and my mail #
By Anonymous Coward Posted Thursday 10th July 2008 11:01 GMT
Ha ha ha #
By Paul Ashbrook Posted Thursday 10th July 2008 12:33 GMT
Not Just zonealarm #
By Walter McCann Posted Thursday 10th July 2008 14:19 GMT
ZoneAlarm.... #
By Anonymous Coward Posted Thursday 10th July 2008 15:17 GMT
Zone Alarm update is now available #
By Harry Stottle Posted Thursday 10th July 2008 16:47 GMT
Other software issues #
By Joe Posted Thursday 10th July 2008 16:56 GMT
XP and Vista titsup #
By Anonymous Coward Posted Thursday 10th July 2008 17:55 GMT
to all those "I have a mac im so cleaver" #
By William Morton Posted Thursday 10th July 2008 18:42 GMT
DesktopBSD is free... #
By Anonymous Coward Posted Thursday 10th July 2008 19:03 GMT
MS to BLAME!!! #
By Anonymous Coward Posted Thursday 10th July 2008 23:17 GMT
Patch d/l'd #
By James Summerson Posted Friday 11th July 2008 07:35 GMT
KB951748 #
By Robert Hulley Posted Friday 11th July 2008 08:34 GMT
Partial resolution #
By Eric Earl Posted Friday 11th July 2008 20:31 GMT