scoutt
10-07-2005, 01:44 PM
Zone Labs has issued a security advisory warning of a vulnerability in
the ZoneAlarm firewall that could be exploited by malicious code to
trick the firewall into allowing it to connect to the Internet. The
flaw affects the free ZoneAlarm firewall, default installations of
versions 5.5 and earlier of the paid firewall, as well as default
installations of the Check Point Integrity Client; paid ZoneAlarm
products 6.0, which were released in July, do not have this
vulnerability. Zone Labs does not plan to fix the vulnerability in its
free product as it considers the flaw "low risk"; the paid products are
protected because of their additional technology.
http://news.com.com/2102-1002_3-5886488.html?tag=st.util.print
http://download.zonelabs.com/bin/free/securityAlert/35.html
[Editor's Note (Honan): I hope the reason for not patching the free
version of ZoneAlarm is that the vulnerability is "low risk" and
not a ploy to force people to purchase the professional version of the
software. Many ordinary non-IT users protect their machines using
ZoneAlarm's free product and these users are the very ones often
targeted for attacks. This "low risk" vulnerability could prove not to
be the case.]