Re: An email from my ISP about Windows Messenger

From: Pent (pent)
Date: 10/29/03


Date: Tue, 28 Oct 2003 21:50:44 -0500

Use a firewall.

For example,
http://www.kerio.com/us/kpf_home.html

You can disable NT Messenger Service. I don't need it so I disabled it
myself.

"Daniel Perdue" <perdue_d@hotmail.com> wrote in message
news:050701c39dc1$e7eddbc0$a601280a@phx.gbl...
> I received this today from My ISP TWC/Road Runner
> Customer Care[notifications@hot.rr.com]
>
> Is this true?
>
> It states...
>
> Dear HOT Road Runner Customer:
>
> Rather than wait for the next Internet worm disaster to
> hit, this is to advise you of a potentially devastating
> issue before it happens. The potential is out there for
> exploitative malicious software that can be worse than
> the recent SQL Slammer, and Blaster/Nachi incidents!
>
> Microsoft recently announced a newly discovered
> vulnerability in the Windows Messenger (NOT MSN
> Messenger) service which enables full system compromise.
> The Messenger service vulnerability affects basically all
> Windows NT, 2000, XP and 2003 systems. (Further "geek
> speak" explanation offered below*).
>
> We strongly urge everyone to take steps now to assess and
> alleviate your potential exposure to this vulnerability.
> It is imperative that you UPDATE YOUR OPERATING SYSTEM as
> soon as possible, installing all available "Critical
> Updates".
>
> Please visit the following link at your earliest
> convenience: http://windowsupdate.microsoft.com
>
> And please remember, neither Microsoft nor Time Warner
> Cable or Road Runner will ever send an update patch via
> email.
>
> Sincerely,
>
> Your Time Warner Cable High Speed Data Support Team
>
>
>
>
> *******************************************************************
> Impact of Vulnerability: Remote Code Execution
>
> Maximum Severity Rating: Critical
>
> Recommendation: Customers should disable the Messenger
> Service immediately and evaluate their need to deploy the
> patch.
>
> More information on this Microsoft vulnerability and
> patch can be found here:
> http://www.microsoft.com/technet/security/bulletin/MS03-043.asp
>
> Also, see this article:
> http://www.auscert.org.au/render.html?it=3535
>
> * Remember the SQL Slammer worm and the havoc it wreaked?
> This despite the fact that < .1% of Internet hosts were
> vulnerable to the exploit--understandable since very few
> consumer Internet users even have SQL server installed.
> But since this exploit could propagate via the UDP (User
> Datagram Protocol) (with its very low overhead), the
> propagation bandwidth consumed by even a single infection
> was only limited by the processing power of the host,
> usually 10-50Mbps. Fortunately, the worm utilized port
> 1434 which is relatively unneeded for most Internet
> users, thus ISPs were able to quickly contain the worm by
> simply filtering on this port.
>
> Consider the impact of a new worm with the following
> attributes:
>
> * UDP based (like Slammer)
> * 20-30% of Internet hosts vulnerable to exploit
> * Propagation via a port that cannot be easily filtered
>
> The wait may be over. On October 15, Microsoft announced
> a newly discovered vulnerability in the Windows Messenger
> (NOT MSN Messenger) service which enables full system
> compromise. The Messenger service is accessible via
> udp/135 (which many ISPs are already filtering), however
> it also listens on the first UDP ephemeral port (ports
> 1025), usually udp/1026. Security researchers have
> confirmed that the exploit can be vectored via udp/1026.
> Unfortunately, normal user requests often use this same
> port for things like DNS queries, thus it will likely be
> impossible to filter this port without significant
> collateral damage. The Messenger service vulnerability
> affects a vast number of hosts, basically all Windows NT,
> 2000, XP and 2003 systems.
>
> If we're lucky there will be some other identifying
> attribute of this worm's traffic which will enable
> filtering, however, we strongly suggest everyone take
> steps now to assess and mitigate your potential exposure
> to this vulnerability.
>
> A free scanner is available from eEye here:
>
> http://www.eeye.com/html/Research/Tools/MSGSVC.html
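
The filtering problem the quoted notice describes for udp/1026, as an added example that is not part of the original thread: a plain block on the ports it names also drops DNS replies returning to the same ephemeral port, while per-flow state tracking of the kind a host firewall performs passes only replies to datagrams the host itself sent. The addresses, the 30-second flow timeout and the packet records are constructed for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts direction src sport dst dport")

HOST = "192.0.2.10"             # constructed address (documentation range)
MESSENGER_PORTS = {135, 1026}   # UDP ports named in the quoted notice
FLOW_TIMEOUT = 30.0             # assumed idle timeout for a UDP flow, in seconds

# Constructed sample traffic, not captured from a real network.
SAMPLE = [
    Packet(0.0, "out", HOST, 1026, "198.51.100.53", 53),   # DNS query sent from port 1026
    Packet(0.1, "in", "198.51.100.53", 53, HOST, 1026),    # the matching DNS reply
    Packet(5.0, "in", "203.0.113.7", 4000, HOST, 1026),    # unsolicited datagram
    Packet(6.0, "in", "203.0.113.7", 53, HOST, 1026),      # source port 53, but never queried
    Packet(7.0, "in", "203.0.113.9", 31337, HOST, 135),    # unsolicited datagram to udp/135
    Packet(40.0, "in", "198.51.100.53", 53, HOST, 1026),   # arrives after the flow expired
]


def stateless_block(packets, ports=MESSENGER_PORTS):
    """Plain port filter: drop every inbound datagram to the listed ports."""
    return ["drop" if p.direction == "in" and p.dport in ports else "pass"
            for p in packets]


def stateful_filter(packets, timeout=FLOW_TIMEOUT):
    """Pass inbound UDP only when it answers a recent outbound datagram."""
    flows = {}      # (local port, remote address, remote port) -> last activity time
    verdicts = []
    for p in packets:
        if p.direction == "out":
            flows[(p.sport, p.dst, p.dport)] = p.ts
            verdicts.append("pass")
            continue
        key = (p.dport, p.src, p.sport)
        last = flows.get(key)
        if last is not None and p.ts - last <= timeout:
            flows[key] = p.ts           # a reply keeps the flow alive
            verdicts.append("pass")
        else:
            verdicts.append("drop")     # nothing outbound matches this datagram
    return verdicts


if __name__ == "__main__":
    for p, a, b in zip(SAMPLE, stateless_block(SAMPLE), stateful_filter(SAMPLE)):
        print(f"{p.ts:5.1f} {p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"stateless={a} stateful={b}")
```

The second record is the case to watch: the port block drops a legitimate DNS reply, while the flow table passes it and still drops every datagram the host did not ask for.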


