Security Basics mailing list archives
Re: Windows Messenger Pop-up spam
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 7 Dec 2004 22:02:06 +0100
On 2004-12-06 Steven Trewick wrote:
> On 2004-12-03 H Carvey wrote:
> > > > Which will merely have lulled them into a false sense of security,
> > > > since the traffic is still making it to their IP stack. For Windows
> > > > boxen, this is almost as good as "game over"
> > >
> > > You may want to give at least one reason for this opinion.
> >
> > I, too, would like to see something to support this statement. "Game
> > over", how? Sure, the traffic still makes it to the IP stack, I
> > agree...but how does this result in "game over" with respect to
> > Messenger spam? Turn the Messenger service off and there's nothing
> > there to handle the input...end of story. *That's* "game over".
>
> Harlan, as you well know, there are *many* other things listening to/on
> the subset of ports used by messenger spam, turning off the messenger
> service in no way blinds/deafens the *rest* of the RPC subsystem, where
> $DEITY knows how many vulns have been (and remain to be) discovered.

True. However, that has nothing to do with either messenger spam or "packets making it to the IP stack" but with other services still listening on that specific port. Remove each service you don't need and you won't have a problem with "packets making it to the IP stack".

> Simply turning off the service in no way increases the security of the
> machine, because those ports and the multiplicity of services that use
> them will still be exposed, quite obviously.

I have to disagree partially. Disabling a single service does not increase security, but disabling *all* unneeded services sure does.

> Anyone sufficiently addled as to run a machine exposed in this way is
> also extremely unlikely to be patched up the eyeballs, thus we have
> exposed *and* vulnerable services. Thus it will be game over when the
> first worm reaches the machine.

Of course. But that's PEBKAC, not a problem with the IP stack.

> As a rough guide, the last time I saw someone connect a box so
> configured to the internet, it took less than five minutes to succumb
> to some variety of lsass exploit, which will have arrived via those
> exact same ports (135/9, 445, et al)

True. That's why www.ntsvcfg.de exists.

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin