Microsoft Office Excel 2003 SP2 11.6560.6568 breaks through firewalls!

[c627627]

EDIT: Problem solved. Zone Labs told me to turn off the SmartDefense advisor.

That would be: Program Control > Main TAB > Set SmartDefense advisor to "Manual."


Setting SmartDefense advisor to 'Manual' instead of 'Auto' appears to catch exe files sending info & code from my system once again.

I asked them if SmartDefense advisor was always set to 'Auto' in previous versions of ZoneAlarm because this is the first time I noticed an exe file not being intercepted by ZoneAlarm, after using it for years.

==========
Posted before the above EDIT:

Copy contents of an Internet page then try to paste it inside Microsoft Word 2003 SP2, what happens? Firewall software such as ZoneAlarm 5.5.094.000 warns you that MS Word is trying to access the internet (so that it can paste the contents of the web page you copied with formatting.)

Of course, while it's out there, it will also phone home with information about the installed software on your system. From what I understand, if it finds it not to be legitimate, it will disable not only Microsoft Office but also other software on your system (Norton AntiVirus for example).

This is not a discussion on whether it should or should not do that, there are plenty of other threads about that.


But here's a twist: Excel 2003 SP2 appears to blow right through ZoneAlarm, blow right through the Firewall and phone home anyway.

So while even Word and most exe files can be allowed/blocked from accessing the internet, Excel 2003 is not intercepted, and phones home unless you specifically prohibit the version of EXCEL.EXE installed on the system from accessing the internet.

If you upgrade Excel through Service Packs, etc., the version of EXCEL.EXE changes and it promptly installs itself again as having full permissions to phone home, even though you specifically blocked EXCEL.EXE from accessing the internet before the update. This is because you blocked the previous version of EXCEL.EXE.

Again, this is not about software phoning home, this is about Microsoft Office Excel 2003 bypassing firewalls without permission.

As we know, plenty of Excel macros have been known to wreck havoc with legitimate copies of Microsoft Excel, what if they use Excel as a Trojan to bypass firewalls? Is this legal?

 

[Thor86]

Umm, before you cry about this, are you sure you don't have your program settings to automatically learn and allow connections in ZA?

 

[c627627]

Just to be sure, I removed all program permissions from ZoneAlarm.

Started Internet Explorer and tried to load any web page.
(Sure enough, ZoneAlarm asked for permission for Internet Explorer to access the internet.)

Then I copy-pasted into Excel 2003.
Excel 2003 then accessed the internet without asking.


Even Microsoft Word 2003 asks for permission to access the internet. It will not access it if you do not allow it. All other legitimate exe files ask for and obey firewall permissions.

Microsoft Excel 2003 does not even though no other program on the test system, including the browser, had permissions to automatically access the internet without asking.

 

[bruceb]

Simple and easy fix ... setup the firewall in a Router ... let's see Microsoft change it there
And there should be no reason for excel to view the web page in order to copy
Just save the page from IE on your hard drive ... you should be able to open the saved
web page even if the internet cable is completly disconnected

Also, I am not sure, but if you run Zone Alarm Pro, I think you can
set a Password so that settings Can Not Be changed without it

 

[JackMDS]

LOL Conspiracy theories on AT.:shocked::Q:brokenheart:

Both Word and Execel (as well as other Office 2003 applications) can be set to levels of interaction with an Internet connection.

Example, look at Words Options, General tab seventh line ?Update Automatic Links at Open?. If this checked every time you load a document with URL, it would try to connect to the Internet to update the links.

Might be that you want to spend some time learning how the Options of the Suit's programs work.

In addition might be that you want to look at your firewall?s log and see if indeed the connection is to Microsoft.com, or may be to the site that is involved with what ever else you are doing at the time.

:sun:

 

[c627627]

Note that Word 2003 does not bypass firewalls. It is caught (just as every legitimate exe file is) by a firewall which then asks you for permission to let it access the internet.

By the way, Word > Options > General TAB > Seventh line ?Update Automatic Links at Open? being CHECKED or UNCHECKED, has no effect on pasting with formating from the internet. Word will try to access the internet either way, but the firewall catches its attempts.

It's Excel that bypasses the firewall, unless specific version of EXCEL.EXE used is set as blocked before it's started.

Originally posted by: JackMDS
LOL Conspiracy theories on AT.:shocked::Q:brokenheart: Might be that you want to spend some time learning how the Options of the Suit's programs work. In addition might be that you want to look at your firewall?s log and see if indeed the connection is to Microsoft.com, or may be to the site that is involved with what ever else you are doing at the time.:sun:

All right then, I did further tests, there is a modification: Excel does not change Firewall settings once they are set for the version of EXCEL.EXE that is being run.

Explanation:

1. Every time EXCEL.EXE is removed from ZoneAlarm completely,
2. It will list itself back as having permissions to access the internet, without notifying you.

However, if those permissions are changed to "blocked," Excel will not change them.

Also, if you block EXCEL.EXE but then install a service pack, the updated EXCEL.EXE again lists itself back as having full permissions to access the internet, to see if it should disable your software, without notifying you.

See, my operating system drive image had EXCEL.EXE 11.0.6355 blocked. It was blocked before Service Pack 2 was installed.

Once SP2 was installed, EXCEL.EXE version changed to 11.0.6560 and promptly set itself as having permissions to access the internet, automatically bypassing firewalls without notification.

So this is about EXCEL.EXE setting itself as having permissions to access the internet without notifying you.

WINWORD.EXE and all other legitimate exe files, are caught by the firewall when trying to access the internet.


Side note: Once EXCEL.EXE is blocked, whenever you try to paste with formating from any internet page, the hour glass will be permanently stuck until you force exit Excel. Of course, pasting without formating (Paste Special) does not require accessing the internet.

 

[Smilin]

Dude, have you taken a network trace to see if excel is actually trying to go out through the firewall or are you just making this crap up as you go?

 

[sswingle]

Originally posted by: c627627
Note that Word 2003 does not bypass firewalls. It is caught (just as every legitimate exe file is) by a firewall which then asks you for permission to let it access the internet.

By the way, Word > Options > General TAB > Seventh line ?Update Automatic Links at Open? being CHECKED or UNCHECKED, has no effect on pasting with formating from the internet. Word will try to access the internet either way, but the firewall catches its attempts.

It's Excel that bypasses the firewall, unless specific version of EXCEL.EXE used is set as blocked before it's started.

Originally posted by: JackMDS
LOL Conspiracy theories on AT.:shocked::Q:brokenheart: Might be that you want to spend some time learning how the Options of the Suit's programs work. In addition might be that you want to look at your firewall?s log and see if indeed the connection is to Microsoft.com, or may be to the site that is involved with what ever else you are doing at the time.:sun:

All right then, I did further tests, there is a modification: Excel does not change Firewall settings once they are set for the version of EXCEL.EXE that is being run.

Explanation:

1. Every time EXCEL.EXE is removed from ZoneAlarm completely,
2. It will list itself back as having permissions to access the internet, without notifying you.

However, if those permissions are changed to "blocked," Excel will not change them.

Also, if you block EXCEL.EXE but then install a service pack, the updated EXCEL.EXE again lists itself back as having full permissions to access the internet, to see if it should disable your software, without notifying you.

See, my operating system drive image had EXCEL.EXE 11.0.6355 blocked. It was blocked before Service Pack 2 was installed.

Once SP2 was installed, EXCEL.EXE version changed to 11.0.6560 and promptly set itself as having permissions to access the internet, automatically bypassing firewalls without notification.

So this is about EXCEL.EXE setting itself as having permissions to access the internet without notifying you.

WINWORD.EXE and all other legitimate exe files, are caught by the firewall when trying to access the internet.


Side note: Once EXCEL.EXE is blocked, whenever you try to paste with formating from any internet page, the hour glass will be permanently stuck until you force exit Excel. Of course, pasting without formating (Paste Special) does not require accessing the internet.

So essentially, you just proved yourself wrong. What seems to be the issue is Zone Alarm deciding on its own what programs should be allowed before you tell it to not allow them. As you said yourself, once you tell it to not allow Excel, its no longer allowed and stays that way.

/thread

 

[c627627]

There's nothing personal about any of this, it's very simple, does Excel 2003 show up in ZoneAlarm as having full Internet access or not for you, after you:


Go to ZoneAlarm > Program Control (on the left) > Programs TAB >
scroll down to Microsoft Office Excel (if it's there)

Now right click on it > Remove


OK now start Excel 2003, and copy into it part of any web page (with pictures, so that it has formating.)



Did Excel 2003 just show up in ZoneAlarm as having full Internet access or not for you?


Played around with this more to discover that new Adobe products (new Photoshop, Illustrator, etc. do this as well.)

Just like Excel 2003, they also send info out, automatically bypassing the firewall without being intercepted.

 

[sswingle]

Originally posted by: c627627
There's nothing personal about any of this, it's very simple, does Excel 2003 show up in ZoneAlarm as having full Internet access or not for you, after you:


Go to ZoneAlarm > Program Control (on the left) > Programs TAB >
scroll down to Microsoft Office Excel (if it's there)

Now right click on it > Remove


OK now start Excel 2003, and copy into it part of any web page (with pictures, so that it has formating.)



Did Excel 2003 just show up in ZoneAlarm as having full Internet access or not for you?


Played around with this more to discover that new Adobe products (new Photoshop, Illustrator, etc. do this as well.)

Just like Excel 2003, they also send info out, automatically bypassing the firewall without being intercepted.

Yes, and that happens, because Zone Alarm is programmed to allow certain applications by default to make the users life easier. All that is happening is that more programs are trusted by default that you need to go in and tell zone alarm otherwise.


I fail to see the problem.

 

[c627627]

Yes, version 6 of ZoneAlarm was set to allow internet access to certain applications by default.

However, it is my understanding that version 5 was not. It is set to by default detect and notify you of anything sending info out of your system. That means your browser, everything. You then choose to allow or block transfer of information and code into and from your system.


Back to the issue, the problem is yet to be verified: Does Excel 2003 SP2 by default bypass all firewall software without notifying you or not? Is that not a legitimate question?


Of course I understand the thought process that "fails to see the problem." It resulted in statements like this:

Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code.
Microsoft
January 3, 2006


So, yes, restrict your browsing to safe places, that makes sense, right?

OK, now click here for a screen shot of what some of the rest of us thought about when they heard that:
http://www.c627627.com/IMG/AnandTech/trusted.jpg

 

[NuroMancer]

Also, instead of seeing this as an Excel issue.

Why not look at the firewall. If as you say it bypasses the firewall with no user warning or notification, I see that as an issue with the Firewall as well. Why does it allow a program to set itself up with full permission to access the internet?

Personally I see it as more of an issue with your firewall, zone alarm. For allowing it to happen.

The other question I have, as I've never checked is, does copy and then paste into excel or word Actually need internet access. I don't believe it does. So why do either program need to access the internet at all?

 

[c627627]

Agreed.

Yes. this is about firewalls, not about apps phoning home. They did that for years, but ZoneAlarm has been detecting them for years. So 'did Microsoft and Adobe do something different with these new versions to make them bypass firewalls by default' question still stands.


If anyone is using different firewall software that is by default set to detect all programs accessing the Internet, can you replicate this?


The interesting thing about Microsoft Office 2003 is that Excel component does this but Word does not.

So remove Word and Excel firewall settings completely then:

1. Paste the contents of an internet web page with formatting into Word 2003 SP2. (You should see Firewall spring up to inform you that WINWORD.EXE is trying to access the internet.)

2. Now paste the contents of an internet web page with formatting into Excel 2003 SP2. (Firewall does not inform (me) that EXCEL.EXE is trying to access the internet, it just assigned full access rights to EXCEL.EXE.)

EDIT:
Problem solved. Zone Labs told me to turn off the SmartDefense advisor.

That would be: Program Control > Main TAB > Set SmartDefense advisor to "Manual."


Setting SmartDefense advisor to 'Manual' instead of 'Auto' appears to catch exe files sending info & code from my system once again.

I asked them if SmartDefense advisor was always set to 'Auto' in previous versions of ZoneAlarm because this is the first time I noticed an exe file not being intercepted by ZoneAlarm, after using it for years.

 

[c627627]

Just wanted to inform who ever cares that I've just finished the Back & Forth with ZoneLabs with the following conclusions:

1. ZoneAlarm Standard Free version is not affected. It is still stellar, intercepting anything trying to exchange code & info from your system and it does this by DEFAULT.

2. Only ZoneAlarm Professional versions (5.x as well as 6.x) appear to be affected. In other words, ironically, you pay - to upgrade - to be more vulnerable (at least by default).

3. If you need the convenience of Backing up & Restoring program settings that the Pro version offers, there actually is a way to revert to Free version WHILE keeping the restored settings of the Pro version:

To revert from Pro version to Standard Free version, start uninstalling the program
(or double click on C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe)

You'll get the Uninstall ZoneAlarm Pro window but instead of clicking on Uninstall button,
click on Load Survey then SELECT: Switch to ZoneAlarm > Next

To switch back to Pro version from Standard Free version: ZoneAlarm > Overview (on the left) >
Product Info TAB > Change Lic. button > Enter license key > OK > OK
[Because the Pro version allows for all settings to be saved:
ZoneAlarm > Overview (on the left) > Preferences TAB > Backup or Restore ]


4. If using the Pro version, be sure to turn off the SmartDefense advisor
(it used to be called AlertAdvisor in version 5):
Program Control > Main TAB > Set SmartDefense advisor to "Manual" or "Off"

to be informed the first time programs 'phone home' (and elsewhere.)
(You can then set permanent settings for those intercepted programs.)

If this is not done and this Pro setting is left on "Auto"
programs may bypass firewalls to 'phone home' (and elsewhere.)


5. If you don't turn SmartDefense advisor (AlertAdvisor) off, then if you install updates, Service Packs, etc., the versions of .exe files change, so permanent settings applied before, do not apply any more. Therefore, apps may bypass the firewall.

By the way, you can also choose to manually block programs from accessing the internet:

ZoneAlarm > Program Control (on the left) > Programs TAB >
In the lower right corner, click on Add button > Browse to program .exe file >
Open (to add it to the list) >
Now left click on the question mark (?) under Access Trusted > Block


If 'nothing happens,' there may already be a previous version of the program on the list so you need to first right click on it on the list > Remove.


6. Pasting with formatting into MS Office applications from an internet web page
activates the 'phone home' process. However, if you click on Paste
(and the Microsoft Office program is blocked from accessing the internet),
MS Office application freezes (with an eternal hour glass.)

This does not happen for pasting without formatting: Edit > Paste Special...