An email from my ISP about Windows Messenger
From: Daniel Perdue (perdue_d_at_hotmail.com)
Date: 10/29/03
Date: Tue, 28 Oct 2003 18:11:04 -0800
I received this today from my ISP, TWC/Road Runner
Customer Care [notifications@hot.rr.com]
Is this true?
It states...
Dear HOT Road Runner Customer:
Rather than wait for the next Internet worm disaster to
hit, this is to advise you of a potentially devastating
issue before it happens. The potential is out there for
exploitative malicious software that can be worse than
the recent SQL Slammer, and Blaster/Nachi incidents!
Microsoft recently announced a newly discovered
vulnerability in the Windows Messenger (NOT MSN
Messenger) service which enables full system compromise.
The Messenger service vulnerability affects basically all
Windows NT, 2000, XP and 2003 systems. (Further "geek
speak" explanation offered below*).
We strongly urge everyone to take steps now to assess and
alleviate your potential exposure to this vulnerability.
It is imperative that you UPDATE YOUR OPERATING SYSTEM as
soon as possible, installing all available "Critical
Updates".
Please visit the following link at your earliest
convenience: http://windowsupdate.microsoft.com
And please remember, neither Microsoft nor Time Warner
Cable or Road Runner will ever send an update patch via
email.
Sincerely,
Your Time Warner Cable High Speed Data Support Team
*******************************************************************
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should disable the Messenger
Service immediately and evaluate their need to deploy the
patch.
More information on this Microsoft vulnerability and
patch can be found here:
http://www.microsoft.com/technet/security/bulletin/MS03-043.asp
Also, see this article:
http://www.auscert.org.au/render.html?it=3535
* Remember the SQL Slammer worm and the havoc it wreaked?
This despite the fact that < .1% of Internet hosts were
vulnerable to the exploit--understandable since very few
consumer Internet users even have SQL server installed.
But since this exploit could propagate via the UDP (User
Datagram Protocol) (with its very low overhead), the
propagation bandwidth consumed by even a single infection
was only limited by the processing power of the host,
usually 10-50Mbps. Fortunately, the worm utilized port
1434 which is relatively unneeded for most Internet
users, thus ISPs were able to quickly contain the worm by
simply filtering on this port.
Consider the impact of a new worm with the following
attributes:
* UDP based (like Slammer)
* 20-30% of Internet hosts vulnerable to exploit
* Propagation via a port that cannot be easily filtered
The wait may be over. On October 15, Microsoft announced
a newly discovered vulnerability in the Windows Messenger
(NOT MSN Messenger) service which enables full system
compromise. The Messenger service is accessible via
udp/135 (which many ISPs are already filtering), however
it also listens on the first UDP ephemeral port (ports
1025), usually udp/1026. Security researchers have
confirmed that the exploit can be vectored via udp/1026.
Unfortunately, normal user requests often use this same
port for things like DNS queries, thus it will likely be
impossible to filter this port without significant
collateral damage. The Messenger service vulnerability
affects a vast number of hosts, basically all Windows NT,
2000, XP and 2003 systems.
If we're lucky there will be some other identifying
attribute of this worm's traffic which will enable
filtering, however, we strongly suggest everyone take
steps now to assess and mitigate your potential exposure
to this vulnerability.
A free scanner is available from eEye here:
http://www.eeye.com/html/Research/Tools/MSGSVC.html
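
The filtering trade-off described in the quoted advisory, as an added example that is not part of the original post or the ISP's e-mail: a port-only rule dropping inbound UDP is applied to constructed flow records, and the function counts how many dropped datagrams were replies to a client's own DNS query. The addresses, record layout and function names are assumptions made for the illustration.

```python
from collections import namedtuple

# Constructed flow records (documentation address ranges); not captured traffic.
Packet = namedtuple("Packet", "direction src sport dst dport")

CLIENT = "192.0.2.10"        # hypothetical subscriber host
RESOLVER = "198.51.100.53"   # hypothetical DNS resolver
STRANGER = "203.0.113.77"    # hypothetical unsolicited sender

TRAFFIC = [
    Packet("out", CLIENT, 1026, RESOLVER, 53),   # DNS query from ephemeral port 1026
    Packet("in", RESOLVER, 53, CLIENT, 1026),    # its reply
    Packet("out", CLIENT, 1027, RESOLVER, 53),   # DNS query from the next port
    Packet("in", RESOLVER, 53, CLIENT, 1027),    # its reply
    Packet("in", STRANGER, 4000, CLIENT, 1026),  # unsolicited datagram to udp/1026
    Packet("in", STRANGER, 4001, CLIENT, 135),   # unsolicited datagram to udp/135
]


def stateless_drop(packet, blocked_ports):
    """Port-only rule: drop every inbound datagram sent to a blocked port."""
    return packet.direction == "in" and packet.dport in blocked_ports


def assess_filter(traffic, blocked_ports):
    """Return (unsolicited_dropped, replies_dropped) for a port-only filter."""
    pending = set()  # (local, lport, remote, rport) of requests the client sent
    unsolicited = replies = 0
    for p in traffic:
        if p.direction == "out":
            pending.add((p.src, p.sport, p.dst, p.dport))
            continue
        # An inbound datagram is a reply if it mirrors an earlier outbound one.
        is_reply = (p.dst, p.dport, p.src, p.sport) in pending
        if stateless_drop(p, blocked_ports):
            if is_reply:
                replies += 1
            else:
                unsolicited += 1
    return unsolicited, replies


if __name__ == "__main__":
    for ports in ({135}, {135, 1026}):
        print(sorted(ports), assess_filter(TRAFFIC, ports))
```

Blocking only udp/135 costs no legitimate replies in this sample, while adding udp/1026 also drops the DNS answer sent back to the client's ephemeral port.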