mailing list archives
RE: Windows Messenger Pop-up spam
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 3 Dec 2004 05:29:16 -0800
Messenger is a tiny tiny TINY component of Windows File Sharing /
NetBIOS. IF an attacker can get a Messenger window to pop up on your
screen, then you have a HUGE area of vulnerable services exposed to
the internet. Services which you may very often REQUIRE to use LAN
resources, but never need to use either TO or FROM the Internet.
Turning off those services entirely is rarely an option. Turning off
only the Messenger component still leaves you exposed.
Blocking those ports at the perimeter allows you to still use the services
you need to connect to local resources -- that might include local use of
the Messenger service, by the way! -- but protects you from Internet abusers
of that whole family of services. Including, but not just limited to, the
I agree that most home users don't need the Messenger service, and can
free up some resources by turning it off. But anyone who is adequately
protected from the much larger range of threats won't see it abused, and
anyone who sees it abused needs to understand that that means they're
vulnerable to that much larger range, most of which they will STILL be
vulnerable to if they turn off the Messenger service.
"Turn off services you don't need" is usually a good rule. But in this
particular case, the REAL "service" is the whole NetBIOS/CIFS family, not
just the Messenger component, and turning it off at that level tends to
break all sorts of things. So you have to fall back on the alternative:
"Harden/protect the services you DO need".
From: 'Ansgar -59cobalt- Wiechers' [mailto:bugtraq () planetcobalt net]
Sent: Thursday, December 02, 2004 9:08 AM
To: security-basics () securityfocus com
Subject: Re: Windows Messenger Pop-up spam
On 2004-12-01 David Gillett wrote:
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
On 2004-11-30 Beauford, Jason wrote:
Block those Ports!
Why? Simply disable the stupid messenger service (because obviously
it's not needed anyway). There's no need to block any port
That would be true, if all that ever used those ports was Messenger.
But it's NOT! The same ports are used for a bunch of stuff that you
*really* do not want to be exchanging with the wild wild net.
Block those ports, and no longer seeing Messenger spam is the
*smallest* (if most visible) way in which your system will become
I thought at least you would get my point. However, maybe I have to be
We were talking about messenger spam only, and therefore it's pretty
much sufficient to disable the messenger service. No other action
needed, especially not blocking any ports. Period.
But let's assume we're talking not only about messenger spam
in general. Why would I rather block specific ports instead
unneeded services? In the latter case I won't *have* anything
to be protected at all¹. Plus Personal Firewalls proved theirselves to
be much less reliable than one would like to think. Do I have
you of the Witty worm?
Sure, you can argue that maybe the host acts as a router for
network (ICS or something). However, I would still have to
ask: why does
he need to provide any services at all? A router is not supposed to
provide services. Period. If one needs Internet connectivity
for a local
network and needs all computers as workstations, then bite the damn
bullet and buy a router. They're not *that* expensive. And of
would block *everything* except for the desired traffic on the network
*perimeter*, not only deny the undesired traffic on the host
there's no LAN but just a single host with Internet
connection, then why
does the box need to provide any services at all? IMnsHO.
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."