[原文]The Mobile Code filter in ZoneAlarm Pro 5.0.590.015 does not filter mobile code within an SSL encrypted session, which could allow remote attackers to bypass the mobile code filtering. NOTE: it has been disputed by the vendor that this behavior is required by the SSL specification.
ZoneAlarm Pro Mobile Code Filter Protection Bypass
Remote / Network Access
Loss of Confidentiality
According to the advisory, ZoneAlarm Pro contains a flaw that may allow a remote attacker to bypass the 'Mobile Code' filter. The 'Mobile Code' blocking feature filters malicious Web objects and any 'application/*' MIME type, but does not filter SSL content. A remote attacker could create a malicious SSL Web page and bypass the Mobile Code filter.
According to the vendor, "ZoneAlarm Pro, Security Suite and Integrity products which employ Mobile Code Protection/ID Lock features do not inspect encrypted
traffic. If mobile code is downloaded via a Secure Sockets Layer (SSL) session, it will not be inspected by these products. This is by design and mandated by the SSL Protocol specification."