Direct Ads Security Hole!!!!

From: Brian Wilson (talktome@canoemail.com)
Date: 10/29/02 

From: "Brian Wilson" <talktome@canoemail.com>
Date: Tue, 29 Oct 2002 06:16:38 -0800

I would like to know what Microsoft is going to do about
this security problem.

As reported on CNN this week:

"A developer of bulk-mail software has figured out how to
blast computers with pop-up spam over the Internet
through a messaging function on many Windows operating
systems. But there's a difference: Anyone can send the
messages, and there's no need for the user to have an
Internet browser open."

They are messages sent DIRECTLY to your computer. They
are not email messages and do not use your browser. They
are "completely anonymous and virtually untraceable" and
can pop up on your computer at any time.

"Now somebody on the other side of the world can send pop
up messages direct to your screen, without email and
without a browser !" - Chris Hopkins Security Engineer

How do DirectAds work ?
By tapping into Messenger Service, a service originally
designed to enable system administrators to send messages
to users on a network, a new program called Direct
Advertiser can deliver these ads straight to your
computer screen. Since DSL, Cable Modems and Dial-Up all
connect to a network, anytime you are online, your
computer is vulnerable to these pop up ads.

Messenger Service uses the same system to communicate
that is used for Windows File and Printer Sharing, so you
can't just block that system without causing other
problems. Even most Firewalls leave this system open.
This leaves a gaping hole in your computer that DirectAds
can use to force advertising or other information to pop
up on your screen.

Messenger Service is enabled by default on Windows 2000,
NT and XP systems, and optional on Windows 95, 98, and
ME. This means that millions of systems are vulnerable to
these pop up ads. (The Windows Messenger service is not
to be confused with Microsoft's MSN Messenger chat client)

Relevant Pages

  • Re: Direct Ads Security Hole!!!!
    ... > are not email messages and do not use your browser. ... > By tapping into Messenger Service, ... > computer is vulnerable to these pop up ads. ... > that is used for Windows File and Printer Sharing, ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Reporting pop-up ads to Microsoft?
    ... Is there a link where I can report which ads get thru to ... That's because to receive a messenger spam you don't need to have an email account, chat client, or Web browser. ... The software utilizes Microsoft Windows Messenger Service, which is turned on by default and used by administrators to send messages to users on the network. ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Ad Caster
    ... I have been getting ads via windows messaging service ... security problem with windows. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: pop-ups
    ... Disabling Messenger Service can be a good idea, ... The ads are not the real problem, the ads are only a symptom. ... AOL is not compatible with Windows XP Internet Connection Firewall ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Unknown process running
    ... > is using ADS to conceal itself from the completely inadequate utilities ... > Microsoft gave you with Windows like Windows Explorer that as recently as ... > monumentally bad security problem. ... > see root kits if you boot to another OS such as the Linux rescue disk from ...
    (microsoft.public.security)