Major Vulnerability Found In Windows Messenger

Dec 10, 2003 1:49AM PST

Symantec on Tuesday uncovered a new avenue that hackers could use to exploit a buffer overflow vulnerability in Microsoft Windows Messenger Service, one that, if packaged within a self-propagating worm, could spread across a network like wildfire.

According to analysis done by Symantec's DeepSight Threat Analyst Team, the Windows Messenger Service vulnerability can be exploited by a single UDP broadcast, allowing a wholesale compromise of all vulnerable systems on the targeted network.

"This newfound exploitation path dramatically increases the speed at which a worm could propagate within a local network, making widespread infection theoretically almost instantaneous," the threat team wrote.

Security Pipeline

Re:Major Vulnerability Found In Windows Messenger... Again?
Dec 10, 2003 2:23AM PST

Wasn't this service updated just a few months ago?

Or is this the same exploit?

Bob

Re:Re:Major Vulnerability Found In Windows Messenger... Again?
Dec 10, 2003 3:03AM PST
(NT) Again? Still don't believe it. (but I do....)
Dec 10, 2003 3:26AM PST

.

Re:(NT) Again? Still don't believe it. (but I do....)
Dec 10, 2003 3:33AM PST

"What we found is that there are some new attack vectors to exploit the same vulnerability that were not originally considered," says Core ST's CTO Ivan Arce. The new method of exploiting the known flaw "is a very efficient way of compromising the system."

New Ways To Exploit Windows Flaws Give Hackers Ammo

http://www.newsfactor.com/perl/story/22831.html

I had already implemented options 1, 2 and 3... :-)
Dec 10, 2003 1:52PM PST

Symantec recommended that users -- both corporate and consumers -- (1) immediately apply the Microsoft patch if they haven't done so. Other ways to defend against the threat are (2) to disable the Windows Messenger Service, or (3) to block TCP ports 137-139, UDP port 135, and UDP ports 1025 and higher.

TCP ports 137-139 and UDP port 135 (among others) are blocked. All incoming ports are blocked (default rule at end of ruleset). I used to have a default rule for outgoing ports too (at end of ruleset) but then Kerio wouldn't give me a popup asking me if I wanted to create a new rule for new outgoing apps. It's a small compromise for convenience. I suppose I could disable the rule only after new programs are installed and have it enabled most of the time...
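One way to audit a ruleset like the one described in the post above against the port list in Symantec's advice, as an added example that is not from the thread or from any firewall vendor. It assumes rules are evaluated top-down with the first match winning and that unmatched traffic produces a prompt; the `Rule` type, both sample rulesets and the application rule in `SHADOWED` are constructed for illustration.

```python
from dataclasses import dataclass

# Ports the advice quoted in the post says to block: (proto, low, high).
ADVISED = [("tcp", 137, 139), ("udp", 135, 135), ("udp", 1025, 65535)]

@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    proto: str      # "tcp", "udp" or "any"
    low: int
    high: int
    action: str     # "allow" or "deny"

def decide(rules, direction, proto, port):
    """First matching rule wins (assumed model); no match means a prompt ("ask")."""
    for r in rules:
        if r.direction == direction and r.proto in (proto, "any") and r.low <= port <= r.high:
            return r.action
    return "ask"

def exposed(rules):
    """Inbound spans of ADVISED that are not denied: (proto, low, high, decision)."""
    spans = []
    for proto, low, high in ADVISED:
        start = prev = None
        for port in range(low, high + 2):  # one step past the end flushes the last span
            d = decide(rules, "in", proto, port) if port <= high else "deny"
            if d != prev:
                if prev not in (None, "deny"):
                    spans.append((proto, start, port - 1, prev))
                start, prev = port, d
    return spans

# Constructed ruleset modelled on the post: explicit blocks, default inbound deny last.
GOOD = [
    Rule("in", "tcp", 137, 139, "deny"),
    Rule("in", "udp", 135, 135, "deny"),
    Rule("in", "any", 0, 65535, "deny"),  # default rule at end of ruleset
]
# Same ruleset with a hypothetical application rule sitting above the default deny.
SHADOWED = [Rule("in", "udp", 1024, 5000, "allow")] + GOOD

if __name__ == "__main__":
    print("GOOD exposed:", exposed(GOOD))
    print("SHADOWED exposed:", exposed(SHADOWED))
    print("new outbound app:", decide(GOOD, "out", "tcp", 80))
```

The `SHADOWED` case shows why a default deny at the end is not sufficient on its own: any broader allow rule placed above it reopens part of the advised range.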