Security experts and network administrators are once again on worm watch because of the existence of exploit code for a software vulnerability in a widely used Windows service.
The critical weakness lies in the Windows Messenger Service, a feature used primarily in business by systems administrators who use the service to send alerts to users on a network, by spammers to make text messages pop up on user screens, and by employees to communicate between applications. The Windows Messenger Service is different from Microsoft’s Windows Messenger, the company’s instant-messaging service.
Ken Dunham, iDefense malicious code intelligence manager, told TechNewsWorld that attackers have been using the service for months, but the existence of exploit code that would be relatively easy to convert to a worm on the scale of the devastating Blaster threat has increased concern over the vulnerability.
“It has been done,” Dunham said. “The question is how long until we see this code out in the wild.”
Speeding Exploits
Similar to the way the exploit code and the Blaster worm quickly followed the vulnerability disclosure — at that time in another Windows service called the Remote Procedure Call interface — the attack code for the Windows Messenger Service began surfacing only a week after Microsoft released an advisory and patch for the problem on October 15th.
Dunham, who said the exploit code first appeared within three days of the vulnerability disclosure, said his team has seen examples of programs capable of executing arbitrary code, a key component of creating a Trojan or worm. In addition, the code has been converted to work on Windows XP and Linux systems, he said.
“It’s a cause for concern,” he said. “It would take a half day or maybe more for a hacker to take what’s out there and manipulate it to execute arbitrary code.”
Vital Service
Forrester analyst Jan Sundgren told TechNewsWorld that administrators can simply turn off the Windows Messenger Service temporarily to buy time or put off patching, but he added that companies cannot turn off something that is critical to business.
Dunham said many corporations rely on the Windows Messenger Service and are unlikely to turn it off because they have little or no alternative for some IT communication needs.
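For administrators who do decide to take the temporary shut-off route described above, the following batch script is an added example (not from the article or from Microsoft) of how the state of the service can be checked, the running instance stopped, and the service set to Disabled so it does not restart on reboot. It uses the built-in sc.exe and net commands; "Messenger" is the service's short name on Windows 2000, XP and Server 2003, and the script assumes it is run from an administrative command prompt on a machine that still has the service installed.

```batch
@echo off
REM Added example (not from the article): audit and disable the Windows
REM Messenger Service. "Messenger" is its service short name on
REM Windows 2000/XP/Server 2003. Assumes an administrative command prompt.

echo === Messenger service: current run state and start type ===
sc query Messenger | findstr /I "STATE"
sc qc Messenger | findstr /I "START_TYPE"

REM Stop the running instance (net stop is harmless if it is already stopped).
net stop Messenger

REM Set the start type to Disabled so the service does not come back at boot.
REM Note: sc.exe requires the space after "start=".
sc config Messenger start= disabled

echo === Messenger service: state after change ===
sc query Messenger | findstr /I "STATE"
sc qc Messenger | findstr /I "START_TYPE"
```

Run the script on a representative machine first and confirm that the START_TYPE line reads DISABLED afterwards; re-enabling later is the reverse (`sc config Messenger start= auto` followed by `net start Messenger`) once the October 15th patch has been tested and deployed.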
The Windows Messenger Service patch came as part of Microsoft’s first monthly update, a schedule intended to ease patch management, but Dunham said the updating process could overwhelm IT staffs that now must test multiple patches on their systems each time Microsoft rolls them out.
“It’s an overload situation that’s going to be difficult to manage,” he noted.
Worm Busts Help
While the new vulnerability is considered critical — particularly because it is such a widely used service — there are some mitigating factors this time compared with the days leading up to the Blaster worm, according to Dunham.
Dunham said fewer college-age hackers are as active now that school is in regular session. In addition, he said that high-profile busts, such as those of Blaster variant suspects in the United States and in Romania, have deterred virus-writing activities.
“That has definitely impacted the development of worm code,” Dunham said.
Still, the security analyst said the creators of Trojans — programs quietly placed on computers to cede control to attackers — are undeterred by the law and are still “acting brazenly.”
Auto Shut-Off
About the same time Microsoft warned of the security hole in Windows Messenger Service, AOL began turning off the service for its millions of Internet service subscribers, citing user experience and security as reasons for its action.
Dunham said the move might have been a good one in terms of securing users, but he disagreed with the way AOL communicated and implemented the shut-off.
“It should be a user-driven system; after all, they’re the ones paying for the service,” he said. “When you take control out of the hands of consumers, you are stealing from them the opportunity to choose options.”