Messenger Service Exploits Worse Than Anticipated

While the Slammer worm had to hit individual systems, the Messenger Service exploit enables hackers to send a single packet to attack every system on a network. The Messenger Service, part of Windows, lets users send a pop-up message to a computer on the same network.

"Our team has found many other methods that people can use to exploit the vulnerability that make it much more severe than how it was originally classified," said Oliver Friedrichs, senior manager of Symantec's security response team. "Every vulnerable system on a network could potentially become attacked or infected if this were developed and deployed as a worm."

The Messenger Service exploit could be used to attack database servers, which happened with Slammer, as well as Windows 2000, XP, NT and Windows Server 2003.

To exploit the vulnerability, a hacker would need to connect to a vulnerable system over the network. The Messenger Service runs on specific TCP and UDP ports that can be used to exploit the vulnerability, including TCP ports 135, 139, 445 and 593; UDP ports 135, 137 and 138; and UDP ports ranging from 1,025 to 1,035.

"This exploit is not trivial and is something that really calls for a programmatic approach to security," said Richard Warren, president of solution provider Shenandoah Technologies, Winchester, Va. "Solution providers and corporate users can no longer afford to take an ad hoc approach to security."

Symantec, Cupertino, Calif., recommends four ways to protect against the vulnerability. A patch can be downloaded from Microsoft, which reported the original vulnerability. Companies also can block the affected ports; install personal firewall software that comes with Windows XP and configure it to block and protect systems from the Internet; or disable the Messenger Service, Friedrichs said.