Unsubscribe said:
> Bruce,
> Could you please qualify those 2 statements for me?
>
> For as long as I can remember, Windows Messenger has always been a key
> vulnerability in Windows.

Agreed. I view any instant messaging application as a potential
security hole, as well as an unnecessary drain on system resources and
the computer user's time. However, this has nothing to do with the
topic under discussion.

> I have never understood Microsoft's persistence in continuing to incorporate
> such an old, insecure and unnecessary service. I always disable it, and
> have never experienced any problems resulting from this practice.

The messenger service is designed for, and still used in, the corporate
enterprise environment, primarily to enable servers and critical
workstations to alert system administrators about problems. Many
enterprise-level antivirus and backup applications, as two obvious
examples, make use of the messenger server and its associated Alerter
service.

> If anything, NOT disabling Windows Messenger is often the reason some units get
> hijacked.
> Windows Messenger is also redundant for many users, as they tend to have
> other IM apps anyway (MSN Messenger, ICQ, etc.). In addition to this,
> recent versions of Outlook Express have attempted to make it "mandatory"
> that Messenger runs with it, even when that service is disabled. (I
> manually removed this headache from my OE. OE still works perfectly and,
> again, I have not regretted my action.)

You're confusing the messenger service with the Windows Messenger
instant messaging application. They're two completely different things,
despite Microsoft's propensity for using similar names for different
products.

> I find your reference to acquiring the Blaster worm (as a result of
> disabling Windows Messenger) particularly curious.

My point was that doing nothing more than disabling the messenger
service to stop the pop-ups does nothing to protect the computer from
worms such as Blaster, Welchia, and Sasser.
The problem is that turning off the Messenger Service does *not*
block the wide open TCP and UDP ports that the spammers used to
deliver the spam to the Messenger Service for display. With the
Messenger Service disabled, those spam deliveries are still
continuing, but they're simply not being displayed. It's like pulling
the battery out of a noisy smoke detector to silence it, rather than
looking for and eliminating the source of the smoke that set it off.
The danger of this "treat the symptoms" approach has been more
than aptly demonstrated by the advent of the W32.Blaster.Worm, the
W32.Welchia.Worm, the W32.Sasser.Worm, and their variants. These
worms attack PCs via some of the very same open ports that the
Messenger Service uses. Need I mention how many hundreds of thousands
of PCs have been infected by these worms since August of 2003? To date,
according to my records, I have personally responded to over 1000
Usenet posts concerning Blaster/Welchia/Sasser infections since
then, and I can't possibly have seen and replied to every one that's
been posted in this period.
Now, how many of those infected with Blaster/Welchia had turned
off the Messenger Service to hide spam? I can't say, and I don't
think anyone can. What I can say with absolute certainty is that if
they'd all had a properly configured firewall in place, they would
have blocked the annoying spam _and_ been safe from a great many other
dangers, particularly Blaster/Welchia/Sasser.
Of course, like the Messenger Service Buffer Overrun threat, there
is also a patch available to fix a PC's vulnerability to
Blaster/Welchia, which was available to the general public a full
month before the first instances of Blaster/Welchia "in the wild." If
people learned to stay aware of computer security issues and updated
their systems as needed, a whole lot of grief could have been avoided.
The problem with relying upon patches, however, is that they're
sometimes not available until _after_ the exploit has become
wide-spread. Antivirus software suffers from this same weakness; it's
simply not always possible to provide protection from threats that
have not yet been developed and/or discovered. Both approaches, while
important, are re-active in nature.
There are several essential components to computer security: a
knowledgeable and pro-active user, a properly configured firewall,
reliable and up-to-date antivirus software, and the prompt repair (via
patches, hotfixes, or service packs) of any known vulnerabilities.
The weak link in this "equation" is, of course, the computer user.
All too many people have bought into the various PC/software
manufacturers' marketing claims of easy computing. They believe that
their computer should be no harder to use than a toaster oven; they
have neither the inclination nor desire to learn how to safely use
their computer. All too few people keep their antivirus software
current, install patches in a timely manner, or stop to really think
about that cutesy link they're about to click. Therefore, I (and
anyone who's thought about the matter) always recommend the use of a
firewall. Naturally, properly configuring a firewall requires an
investment of time and effort that most people won't give, but even
the default settings of the firewall will offer more automatic
protection than is currently present.
Now, as for the Messenger Service itself, it generally doesn't
hurt anything to turn it off, although I never recommend doing so.
Granted, the service is of little or no use to most home PC users
(although I've had uses for it on my home LAN), and turning off
unnecessary services is part of any standard computer security
protocol. However, I feel that the potential benefits of leaving the
Messenger Service enabled outweigh any as-yet-theoretical risks that
it presents. It will indirectly let the computer user know that
his/her firewall has failed by displaying the Messenger Service spam.
Think of it as the canary that miners used to take down into the
mine shafts with them. There are others, of course, who disagree with
me on this point and advise turning off the service because it isn't
needed; you'll have to make up your own mind here.
--
Bruce Chambers
Help us help you:
You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH