Re: Potential vulnerabilities of the Microsoft RVP-based Instant Messaging
From: Greg Corey (gregc@TARASOFTWARE.COM)
Date: 03/20/02
- Previous message: Russ: "Administrivia #35856 - Revised MS Security Bulletin Notification to NTBugtraq"
- Maybe in reply to: Dimitrios Petropoulos: "Potential vulnerabilities of the Microsoft RVP-based Instant Messaging"
- Next in thread: Michel Arboi: "Re: Potential vulnerabilities of the Microsoft RVP-based Instant Messaging"
- Next in thread: Russ: "Re: Potential vulnerabilities of the Microsoft RVP-based Instant Messaging"
- Reply: Michel Arboi: "Re: Potential vulnerabilities of the Microsoft RVP-based Instant Messaging"
Date: Wed, 20 Mar 2002 09:05:12 -0600
From: Greg Corey <gregc@TARASOFTWARE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Microsoft shipped MSN Messenger 4.5 for MS Exchange in mid-November of 2001.
Version 4.6 shipped in January 2002.
While your findings may be valid for current versions of the product, it's
hard to know what credence to give to them. Additionally, your concerns
seem unreasonable to me given the nature of the medium. SMTP certainly
isn't any more secure -- quite the opposite. Extensive security additions
to the service would increase the amount of traffic generated by an IM
session, dramatically increase the size of the executable, and nullify
Microsoft's intended "standardization" of the protocol.
I will grant you that firewalling is a challenge, and Microsoft could use
fixed ports for the protocol. I suspect that many on this list would then
point out that fixed ports can be a security liability too.
Instant Messaging is intended as a faster alternative to SMTP E-mail -- in
that context, an expectation of any level of security greater than that
offered by SMTP seems unrealistic.
-- Greg Corey, Network Manager, MCSE 2000 Early Achiever, MCSE+I
Tara Software, Inc. is a Microsoft Gold Certified Partner for E-Commerce
Solutions
608.274.9945 x240 http://www.tarasoftware.com
http://www.codevelopmentworks.com
Is your security this tight?
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q276304
-----Original Message-----
From: Dimitrios Petropoulos [mailto:d.petropoulos@ENCODE-SEC.COM]
Sent: Tuesday, March 19, 2002 7:36 AM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Potential vulnerabilities of the Microsoft RVP-based Instant
Messaging
The Encode Security Labs performed an empirical analysis of the Microsoft
Instant Messaging implementation based on Exchange 2000 and using the MSN
Messenger Service v3.6 client.
The most important findings about the IM service are:
- it does not offer any confidentiality
- it is vulnerable to man-in-the-middle attacks
- its authentication methods are weak and only employ unilateral authentication
- it does not offer any form of data origin authentication
- the IM service is not easy to firewall since the server uses arbitrary port numbers to deliver messages to clients
The report is available (in PDF format) from
http://www.encode-sec.com/security.html
Vendor notification status: Microsoft was contacted on 24 January 2002
-----------------------
Dimitrios Petropoulos
MSc InfoSec, CISSP
Director, Security Research & Development
ENCODE S.A.
3, R.Melodou Str
151 25 Marousi
Athens, Greece
Tel: +3010-6178410
Fax: +3010-6109579
Mob: +30944-506334
web: www.encode-sec.com
------------------------