Attackers Gearing Up To Exploit Windows Messenger Security Hole

Released earlier this week, the exploit code - which has been written to run not only from attackers' Windows machines but also from Linux and Unix boxes - crashes Windows systems that have not been patched against a vulnerability Microsoft disclosed last week.

The vulnerability, which Microsoft rated 'Critical' when it released several bulletins in its first-ever monthly patch roundup, is in the Windows Messenger Service. Not to be confused with Windows Messenger, Microsoft's instant-messaging client, the Messenger Service delivers short pop-up text messages between machines; enterprise network administrators often use it to warn users of impending server shutdowns or an unavailable print server.

Most users will have encountered the Windows Messenger Service at least once, since some spammers use it to pop text-message spam up onto desktops.

"The Windows Messenger Service vulnerability is clearly the most significant of those released last week by Microsoft," said Vincent Weafer, senior director of Symantec's security response center, because it's enabled by default on Windows, part of virtually all editions of the operating system, and easily exploited.


"This could be as serious as MSBlaster," Weafer said, if the code - which is essentially proof that the vulnerability can be exploited - is used by attackers to craft a Trojan horse, or worse, a rapidly-spreading worm.

"It's likely that we'll see a worm based on this exploit," Weafer added.

Ken Dunham, the malicious code director for iDefense, a security intelligence firm in Reston, Va., said that his team has not only tracked the various exploit codes being distributed on security mailing lists, but has also spotted code that poses a greater threat than the original crash-only exploit.

While the original exploit code only crashed Windows machines - particularly those running Windows 2000 Service Packs 3 and 4 - iDefense has now identified a program that uses the buffer overflow in the Windows Messenger Service to run an attacker's own code on the compromised machine rather than merely crashing it.

"We haven't seen it distributed on the hacker underground," he said, "so for the moment it's a lower-level threat, but if it is, it could be used by the bad guys, and would then dramatically increase the threat level" to users.

What's caught the eye of security analysts such as Weafer and Dunham is the speed with which this exploit was produced. The span between the disclosure of the vulnerability by Microsoft and proof of exploit code was just three days.

The speed with which attackers generated exploit code and then produced a working worm was also one of the hallmarks of August's MSBlaster.

"That's a trend we're seeing overall," said Weafer. Symantec recently reported the same disturbing trend: an ever-narrowing window between a vulnerability's disclosure and the appearance of an exploit for it.

Among the steps that organizations and individuals can take, said Weafer and Dunham, are applying the patch, blocking the exploit's target ports at the firewall, re-configuring Windows Messenger Service to work only internally behind the firewall, or disabling the service entirely.

Users can disable Windows Messenger Service by following the instructions in Microsoft's security bulletin, or with tools such as the free Shoot The Messenger utility, which can be downloaded from the Gibson Research Corporation Web site.
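The following script carries out the "disable the service entirely" step described above and verifies the result. It is an added example, not code from the article, from Microsoft's bulletin or from Gibson Research; it assumes a Windows XP or Windows Server 2003 host on which PowerShell has been installed and the shell is elevated (the service's short name, `Messenger`, is the name the service control manager uses on those systems). Stopping the service alone is not enough: a reboot, a user or an application could start it again, so the start mode is set to Disabled and both values are read back before the script reports success.

```powershell
# Added example (not from the article, Microsoft or GRC): stop and disable the
# Windows Messenger Service, then re-read its state from the service control
# manager and WMI to confirm the change actually took effect.
# Assumptions: Windows XP / Server 2003 with PowerShell installed, elevated shell.

function Disable-MessengerService {
    param(
        # Short service name used by the service control manager on XP/2003.
        [string]$Name = 'Messenger'
    )

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Nothing to do: this OS does not ship the Messenger Service.
        return New-Object PSObject -Property @{
            Name = $Name; Present = $false; Status = $null; StartMode = $null
        }
    }

    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force
    }
    # 'Disabled' keeps the service from being started again by a reboot, a user
    # or an application; 'Manual' would not.
    Set-Service -Name $Name -StartupType Disabled

    # Re-read the state rather than trusting the cmdlets; StartMode comes from
    # WMI because Get-Service on older PowerShell versions does not expose it.
    $after = Get-Service -Name $Name
    $wmi   = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    New-Object PSObject -Property @{
        Name      = $Name
        Present   = $true
        Status    = $after.Status.ToString()
        StartMode = $wmi.StartMode
    }
}

$result = Disable-MessengerService
$result | Format-List Name, Present, Status, StartMode

if ($result.Present -and
    ($result.Status -ne 'Stopped' -or $result.StartMode -ne 'Disabled')) {
    Write-Error "Messenger Service still enabled: status $($result.Status), start mode $($result.StartMode)"
    exit 1
}
```

Run it once per host (or push it through a logon or startup script) and treat a non-zero exit as a host that still needs attention. Disabling the service is a workaround, not a fix: the vulnerable code is still on disk, so the patch should still be applied, and the service's ports should still be blocked at the perimeter as the analysts above recommend.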

"Once again we have a widely-used service active on lots of computers that could be exploited by an attacker," said Dunham. "People should patch their systems immediately."

This story courtesy of TechWeb.