An attacker could use a bypass vulnerability in Zone Lab's ZoneAlarm Pro software to lure users to malicious sites, according to IT consulting firm Kurczaba Associates. But the vendor said there is "no potential" for it to be exploited on a mass scale.
The firm said in its advisory that the problem was uncovered during testing on a Windows XP Professional machine running ZoneAlarm Pro 5.0.590.015. The machine was also equipped with Internet Explorer 6.0 and all patches.
The problem lies in ZoneAlarm Pro's mobile code filter, which integrates with Internet Explorer. The filter blocks potentially dangerous Web objects such as ActiveX, Java Applets and certain MIME objects. It also blocks out any "application/*" MIME type.
"Unfortunately," the advisory said, it does not filter content on the secure sockets layer (SSL), a commonly used protocol for managing the security of a message transmission on the Internet. "A malicious person could lure a ZoneAlarm Pro user to a malicious SSL site with dangerous mobile code content; and ZoneAlarm Pro would not filter the mobile code."
Greg Or, CEO and founder of San Francisco-based Zone Labs, said the company has reviewed the matter and determined that "there is no potential for this to be exploited in the wild on a mass scale."
"Internet Explorer has a default configuration that prevents this from being taken advantage of," Or said. "The user gets a message that someone is trying to download software. For an exploit to be successful, someone would have to put an SSL server on a hijacked Web site. That's very, very hard to do."
Kurczaba Associates had not responded to a request for additional information at this writing.