Microsoft plans to make security changes to Windows Messenger

Windows Messenger could be blocked by default or disabled in the next Windows XP Service Pack. Microsoft has updated patches for some critical flaws. There are also new flaws in Apache and Java. This edition of The Locksmith provides all the details.

Microsoft Chairman Bill Gates has announced that the company will improve security by turning on the firewall in Windows XP by default and making changes to or even disabling Windows Messenger.

These security changes will begin with the release of Windows XP Service Pack 2, which will reportedly disable Windows Messenger and will also include changes to the API for remote procedure calls that will limit access to the local system. This change will make it easier for developers to apply better security to the data that moves to and from applications.

Windows Messenger is such a security threat and a popular new target for spammers that AOL recently took the major step of disabling Windows Messenger on subscribers' machines. Unfortunately for some, the AOL software doesn't ask permission to alter the machines or get subscribers’ consent, according to this report in PC World. But that’s another story.

Microsoft updates security bulletins
In addition, Microsoft has released some major updates to the recent slew of seven bulletins that were all announced on a single day. This follows an earlier upgrade to the MS03-041 bulletin, which doesn’t appear to be very important.

MS03-042 and MS03-043 have each been updated twice, once to fix the original patch. The new patch versions are intended to fix the debugging-program issues reported in Knowledge Base Article 830846. MS03-045 has already been revised three times, once to fix the patch. The bugs in the original patches did not compromise the security of the patch but did create some problems with the software.

Final word
AOL’s unilateral and unannounced move to disable a major Windows service has raised a lot of questions but shouldn’t be a major concern to most administrators because AOL isn’t found in a corporate environment very often. (However, I do know of some remote users who access corporate systems via an AOL subscription.)

Microsoft’s move to quickly release batches of security bulletins (so that administrators can rapidly respond to threats) backfired this time. It’s hardly an advantage to get a number of critical bulletins all at once if there are going to be major updates to a number of them over the next few weeks to fix bugs in the patches. This is especially troublesome since two of them (MS03-042 and MS03-043) were rated critical and therefore were given priority by many administrators.

Microsoft has also announced plans to eventually recompile Windows using software that is designed to root out buffer overrun and other common vulnerabilities. That note should be filed in the "You just now thought of this?" category.

Also watch out for…
  • A number of vulnerabilities in Apache (Linux, UNIX, and Windows versions) have been reported. CAN-2003-0542 references a buffer overflow vulnerability in mod_alias and another in mod_rewrite found in 2.0.47 and earlier versions. These are serious and can lead to denial of service attacks or allow arbitrary remote code execution. CAN-2003-0789 has been assigned to a mod_cgid vulnerability that can mishandle CGI paths, causing information to be returned to the wrong user. This is also found in versions 2.0.47 and earlier. There are fixes available for all three vulnerabilities via Apache release 2.0.48.

  • A flaw in Sun’s JVM Class Loader can allow malicious applets to bypass some security measures and execute on vulnerable systems. The flaw is found in the SDK and Runtime Environment for releases before 1.1.4-03, 1.3.1-08, and 1.2.2-015. This affects a vast number of older systems from Windows to Linux, including Mozilla browsers. There is no workaround, and Sun recommends upgrading.

  • There is a patch available for IBM DB2 Universal Database v7.2 (Windows). Versions for other operating systems aren’t vulnerable to the stack overflow that can let an attacker run arbitrary code on some systems. IBM says the vulnerability was also fixed in DB2 version 8.

  • An Australian spammer was publicly identified recently, and his family received death threats serious enough that he quit the business. Europe is in the forefront of spam legislation, with both England and Italy making spam an extraditable criminal offense. If you spam an e-mail server in England, you could end up in handcuffs on an airplane headed for Heathrow and a quick look inside the British justice system. If this trend continues, we might actually see a significant reduction in the amount of spam clogging our systems, which, by the way, should also make it easier to deal with the malicious e-mails that carry viruses or worms.

  • The U.S. Senate has moved to block spam in America, but the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act doesn’t have nearly the teeth of the new British laws. It does call for fines up to $100 for each misleading header, but the main feature is merely a requirement that spammers maintain legitimate opt-out mechanisms. Of course, a real antispam bill would require that people opt-in. At least the preliminary version of the bill did not include the proposed "Do not spam registry" demanded by some legislators. Personally, I wouldn’t register my addresses with any such registry because I suspect it would become a serious target of hackers, since any such list would actually be a goldmine for spammers.
