83-997406679
Nov 7 2001, 10:43 PM
Bob Sundling has written a program that shows that the "added
protection" offered by firewalls performing outbound filtering
is purely illusory. Today's firewalls perform outbound filtering
by ensuring that only "trusted programs" are allowed to send and
receive data. However, malicious applications can commandeer
"trusted programs" and use them to communicate with the network.
Mr. Sundling reasons.............
http://www.incidents.org/diary/november01/110501.php#1
HKEd
Nov 8 2001, 12:13 AM
Interesting reading...especially the source code in the CPP file (not that I understand much of it - I refer to the comments included).
Can't find fault in Sundling's reasoning.
77-997545716
Nov 8 2001, 12:19 AM
There have been 4 or 5 of these Leak Tests issued lately!
Look and Stop is covered and Outpost are actively looking to put out a patch while we can expect others to follow suit in the next few days!
73-997563179
Nov 8 2001, 09:55 AM
However, this is code that has not been effective from without. It had to be initiated from within. But, as the truth stands, there are always ways to scan around a firewall, especially a software firewall which sits in the back of a system and takes no action until a connection has been made to the host. I would state that under normal circumstances there's no need to panic. This is an extreme example of a possibility. Now, if this code was integrated with an effective backdoor, then there's a chance it could become a problem.
77-997545716
Nov 8 2001, 10:59 AM
Quote from Interceptor, posted on Nov. 08 2001, 11:55 am
Now, if this code was integrated with an effective backdoor, then there's a chance it could become a problem.
That is the whole point behind these LEAK TESTS!
To show that something needed to be done before some "Genius" takes advantage of these weaknesses in the current firewall setups!
73-997563179
Nov 8 2001, 03:11 PM
Yes, I certainly realize that fact and I am not downplaying the issue. I'm merely stating that this particular issue has now been exposed and I don't want people dumping their software firewalls because they think it won't protect them, which is an incorrect assumption. This is but one of several exploits a firewall deals with. Fortunately, coding like this would more than likely be joined with a modified existing backdoor than have a backdoor written purely in an attempt to exploit the vulnerability. Keeping that in mind, remember that the code the trojan was using (if a trojan was the catalyst) also has to pass a virus scanner or trojan detection system.
There will ALWAYS be ways around the tools we use to safeguard our privacy. That is why users must remember there is no "install and forget" tool they can use and walk away from. Anything you use has to be constantly monitored and upgraded.
115-997562313
Nov 9 2001, 06:53 AM
I agree. Given the fact that (a) there currently ARE no attacks using this exploit and (b) that the firewall companies are now all over the issue (albeit having been dragged kicking and screaming there to address it), I haven't changed either my opinion of the need to use a firewall or my willingness to use one. I'm certainly not panicking over this issue. Pete