Outpost User Operated Support Forum
Agnitum Outpost Pro Release (OP, OSS, AV): 7.0.3.3392 [24-AUG-2010]
Security Advisory: Outpost not blocking traffic on Windows shutdown

It has been discovered that during Windows shutdown, Outpost does not block traffic, allowing unsolicited incoming traffic to access systems for a short period of time. This depends on system configuration but testing has shown this to be in the region of 3-10 seconds (though a 20-second window was encountered in a test with Outpost 2.7). While this issue was discovered with Outpost 3.0, all earlier versions of Outpost should be assumed to be affected also.

There may also be a similar issue on Windows startup - this is likely to depend on what other software is installed and order of installation (part of the problem being that most security software now tries to run first, which means that previously installed programs get pushed farther back in the startup sequence). Windows of 2-10 seconds have been reported so far.

What should I do?

While this is a very short time (and any successful attack would almost immediately be terminated by Windows itself closing down), there is still the possibility of systems being compromised. Until this is fixed, the forum leaders would advise users to disconnect physically from the Internet (unplugging cables or network cards) before shutting down Windows. Running a complete system scan with an updated anti-virus scanner would also be a prudent step to check for any compromise.

If you have a router that uses NAT (Network Address Translation) or has its own firewall blocking incoming traffic, then your system is unlikely to be at risk of compromise from outside. However, applications on your system may have unrestricted access during this time, so following the above advice on disconnection may still be desirable.

When will a fix be available?

Outpost 3.0 build 558/438 (currently in beta) is supposed to fix this (and does appear to, from tests done so far). No date is available for when this will be publicly released.

How can I test this on my system?

You will need another computer in a local network with your first to verify this. Use it to ping your first system (running Outpost; ensure that it is configured to block incoming Echo Request/outgoing Echo Replies in its ICMP settings) continuously using a command like ping -t <first system's IP address> while starting and then shutting down Windows. Most of the time no response should be received, but where one is, it indicates that your system is unprotected.

Who discovered this?

This was first reported in the Russian Five forum in the thread OF 3.XX + reboot/shutdown/poweroff Windows XP (English translations available via SysTran or Babelfish - though Babelfish was giving an error with this page) and subsequently confirmed by Agnitum.

Why the delay in making this announcement?

Forum leaders first received a query about this in mid-December and wished to investigate further. However, checking this vulnerability does require a local network with multiple PCs, which most of us lack. In addition, the holiday season has meant extra delay in verifying the extent of this problem.

To discuss this topic further, please use the "Window of Vulnerability" follow-up thread.

Last edited by Paranoid2000; 01-13-2006 at 05:50 PM.
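The ping test described in the post can be timed rather than watched by eye. The following is an added example, not part of the original post or of Outpost: it is run on the second computer, probes the protected system a few times per second, and reports each run of Echo Replies with its length. It assumes the stock `ping` command of Windows or Linux; the function names and the sample data are constructed for illustration.

```python
import platform
import subprocess
import sys
import time

# Constructed samples (seconds, replied): replies leak from t=3 to t=6.
SAMPLE = [(0, False), (1, False), (2, False), (3, True), (4, True),
          (5, True), (6, True), (7, False), (8, False)]

def probe(host, timeout_ms=500):
    """Send one Echo Request with the system ping; True only on a real reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_ms), host]
    else:  # assumption: Linux iputils ping, where -W is in whole seconds
        cmd = ["ping", "-c", "1", "-W", str(max(1, timeout_ms // 1000)), host]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    # Windows ping can exit 0 on "Destination host unreachable", so the exit
    # code is not trusted; a genuine Echo Reply line always carries a TTL.
    return "ttl=" in out.lower()

def exposure_windows(samples):
    """Group (timestamp, replied) samples into (first, last, replies) runs."""
    windows, start, last, count = [], None, None, 0
    for ts, replied in samples:
        if replied:
            if start is None:
                start, count = ts, 0
            last, count = ts, count + 1
        elif start is not None:
            windows.append((start, last, count))
            start = None
    if start is not None:  # replies were still arriving when sampling stopped
        windows.append((start, last, count))
    return windows

def monitor(host, interval=0.25):
    """Probe until Ctrl+C, then return the reply windows that were observed."""
    samples = []
    try:
        while True:
            samples.append((time.time(), probe(host)))
            time.sleep(interval)
    except KeyboardInterrupt:
        pass
    return exposure_windows(samples)

if __name__ == "__main__":
    for first, last, n in monitor(sys.argv[1]):
        stamp = time.strftime("%H:%M:%S", time.localtime(first))
        print(f"{stamp}: {n} replies over at least {last - first:.1f}s")
```

The reported length is a lower bound, since the window may open or close between two probes; with ICMP blocked as the post describes, any reported window is a period in which the firewall was not filtering.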