Security Basics mailing list archives
RE: Windows Messenger Pop-up spam
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 3 Dec 2004 05:29:16 -0800
Messenger is a tiny tiny TINY component of Windows File Sharing / NetBIOS. IF an attacker can get a Messenger window to pop up on your screen, then you have a HUGE area of vulnerable services exposed to the internet. Services which you may very often REQUIRE to use LAN resources, but never need to use either TO or FROM the Internet.

Turning off those services entirely is rarely an option. Turning off only the Messenger component still leaves you exposed.

Blocking those ports at the perimeter allows you to still use the services you need to connect to local resources -- that might include local use of the Messenger service, by the way! -- but protects you from Internet abusers of that whole family of services. Including, but not just limited to, the Messenger service.

I agree that most home users don't need the Messenger service, and can free up some resources by turning it off. But anyone who is adequately protected from the much larger range of threats won't see it abused, and anyone who sees it abused needs to understand that that means they're vulnerable to that much larger range, most of which they will STILL be vulnerable to if they turn off the Messenger service.

"Turn off services you don't need" is usually a good rule. But in this particular case, the REAL "service" is the whole NetBIOS/CIFS family, not just the Messenger component, and turning it off at that level tends to break all sorts of things. So you have to fall back on the alternative: "Harden/protect the services you DO need".

David Gillett
-----Original Message-----
From: 'Ansgar -59cobalt- Wiechers' [mailto:bugtraq () planetcobalt net]
Sent: Thursday, December 02, 2004 9:08 AM
To: security-basics () securityfocus com
Subject: Re: Windows Messenger Pop-up spam

David,

On 2004-12-01 David Gillett wrote:
> From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
>> On 2004-11-30 Beauford, Jason wrote:
>>> Block those Ports!
>>
>> Why? Simply disable the stupid messenger service (because obviously
>> it's not needed anyway). There's no need to block any port because of
>> messenger spam.
>
> That would be true, if all that ever used those ports was Messenger.
> But it's NOT! The same ports are used for a bunch of stuff that you
> *really* do not want to be exchanging with the wild wild net. Block
> those ports, and no longer seeing Messenger spam is the *smallest* (if
> most visible) way in which your system will become safer.

I thought at least you would get my point. However, maybe I have to be more verbose.

We were talking about messenger spam only, and therefore it's pretty much sufficient to disable the messenger service. No other action needed, especially not blocking any ports. Period.

But let's assume we're talking not only about messenger spam but malware in general. Why would I rather block specific ports instead of disabling unneeded services? In the latter case I won't *have* anything that needs to be protected at all¹. Plus Personal Firewalls proved themselves to be much less reliable than one would like to think. Do I have to remind you of the Witty worm?

Sure, you can argue that maybe the host acts as a router for some local network (ICS or something). However, I would still have to ask: why does he need to provide any services at all? A router is not supposed to provide services. Period. If one needs Internet connectivity for a local network and needs all computers as workstations, then bite the damn bullet and buy a router. They're not *that* expensive.

And of course one would block *everything* except for the desired traffic on the network *perimeter*, not only deny the undesired traffic on the host itself. If there's no LAN but just a single host with Internet connection, then why does the box need to provide any services at all?

IMnsHO.

Regards
Ansgar Wiechers

¹ BTDT²
² http://www.ntsvcfg.de/

--
"Those who would give up liberty for a little temporary safety deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
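The message above argues that a Messenger pop-up is only the visible symptom of the whole NetBIOS/CIFS family being reachable. The following is an added example, not part of the original thread: it parses `netstat -an` output and reports which listeners of that family are bound beyond the LAN. The port numbers are the standard assignments; the sample output, the function names and the use of RFC 1918 ranges as "the LAN" are assumptions of this example.

```python
import ipaddress
import re

# Standard port assignments for the RPC / NetBIOS / CIFS family
# (well-known values; the thread itself does not list them).
FAMILY_PORTS = {
    ("TCP", 135): "RPC endpoint mapper", ("UDP", 135): "RPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service", ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB/CIFS direct hosting",
}
# Assumption: RFC 1918 ranges stand in for "the LAN".
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample of Windows `netstat -an` output (203.0.113.7 is a documentation address).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      192.168.1.2:445        ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    192.168.1.10:137       *:*
  UDP    203.0.113.7:138        *:*
"""
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s*(\S*)")

def scope(addr):
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"  # 0.0.0.0: reachable on every interface
    return "lan" if any(ip in net for net in LAN_NETS) else "public"

def audit(netstat_text):
    """Return (proto, addr, port, service, scope) for each family listener."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m or (m[1] == "TCP" and m[4] != "LISTENING"):
            continue  # skip the header and non-listening TCP sockets
        service = FAMILY_PORTS.get((m[1], int(m[3])))
        if service:
            findings.append((m[1], m[2], int(m[3]), service, scope(m[2])))
    return findings

def needs_perimeter_block(findings):
    """Ports bound beyond the LAN; stopping Messenger alone does not close them."""
    exposed = {(p, port) for p, _, port, _, s in findings if s in ("all-interfaces", "public")}
    return sorted(exposed)
```

Running `needs_perimeter_block(audit(SAMPLE))` lists the protocol/port pairs that a perimeter filter has to cover while LAN-bound listeners keep working.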