The extremely popular firewall, ZoneAlarm, has been dealt a nasty blow with a "highly critical" security hole that allows system access to remote users, i.e. the worst possible situation.
The hole affects the most recent version of ZoneAlarm - version 4 - and users with the software's update facility turned on were this morning warned to upgrade and asked to download and run a 4.8MB patching file.
The vulnerability itself is an unchecked buffer in the handling of the fundamental e-mail protocol SMTP. ZoneAlarm's creators Zone Labs warned that, if successfully exploited, "a skilled attacker could cause the firewall to stop processing traffic, execute arbitrary code, or elevate malicious code’s privileges".
However, the company only gives the hole a "Medium" rating, explaining that for the hole to be exploited the system would have to be acting as an SMTP server, and that Zone Labs "does not recommend using our client security products to protect servers".
The hole itself was discovered by eEye Digital Security - the company which shot to fame last week for discovering the huge ASN.1 hole in Windows.
Zone Labs recommends that all ZoneAlarm users upgrade their software. It has posted a webpage covering the hole with download links to its upgrades.