Alert: Windows Messenger Service Vulnerability

Buffer overflow attack could give the attacker administrative privileges

Microsoft disclosed a new vulnerability in its Windows Messenger Service, which is susceptible to a buffer overflow attack that could give the attacker administrative privileges.

Internet Security Systems (ISS) says it thinks the vulnerability to be “extremely widespread in nature.” In addition, it warns that similar vulnerabilities have resulted in such well-known Internet worms as "MS Blast/Blaster," "Nachi," and "SQL Slammer." “History has shown that vulnerabilities of this magnitude lead almost immediately to exploit tool development by the underground community and extensive and widespread attacks. The vulnerability can be triggered via UDP, leaving open the possibility of extremely rapid worm propagation.”

Affected operating systems include Microsoft Windows NT 4.0 (including Terminal Server Edition), Windows 2000, Windows XP, and Windows 2003.

The affected service, Microsoft Messenger Service, is used to send messages to end users, such as when a print job is completed or before a network-wide, scheduled outage. ISS notes that “the Microsoft Messenger Service is unrelated to Microsoft MSN Messenger,” a popular instant messaging program.

Microsoft's Fix

Other ways of protecting against the vulnerability include disabling the service altogether. ISS notes that “this service is generally not critical to network operation and can likely be disabled without consequences.”

ISS notes that the service “is bound to a dynamic high-numbered port.” While “in the past, most threats could be mitigated by blocking a single port at the firewall … in this case, Windows systems will bind the service to a dynamic port starting above 1024.” Administrators typically can outright block all ports at that level and above at the firewall level.

ISS also recommends blocking all typical Microsoft operating system networking ports, whether on corporate or personal firewalls:

  • 135/tcp   MS-RPC connection-oriented
  • 135/udp   MS-RPC datagrams
  • 137/udp   NetBIOS name resolution
  • 138/udp   NetBIOS/SMB datagrams
  • 139/tcp   NetBIOS/SMB connection-oriented
  • 445/tcp   SMB connection-oriented
  • 445/udp   SMB datagrams

Link to Microsoft Security Bulletin MS03-043:http://www.microsoft.com/technet/security/bulletin/MS03-043.asp

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.