lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <004c01c39406$de3b2ac0$2b00a8c0@troyohus.priv.oxfordsys.com>
Date: Thu, 16 Oct 2003 12:59:29 -0400
From: "T.A. Adjuster" <adjuster@...ved.org>
To: "Richard M. Smith" <rms@...puterbytesman.com>,
	"'Giovanni Campagnoli'" <bioia@...oo.com>,
	<bugtraq@...urityfocus.com>
Subject: Re: Microsoft got it wrong


The article (http://support.microsoft.com/?kbid=828035) referred to in Mr.
Campagnoli's original posting refers not to the "Windows Messenger", but to
the "Messenger" service, traditionally used to display messages of the "NET
SEND" or "WinPopup" variety.

The "Messenger" service runs, at least in Windows 2000, as "Local System",
and is set to "Automatic" startup in all versions of Windows NT back to, I
believe, 3.51.

In the context of a buffer-overflow in the "Messenger" service being
undiscovered, the USA Today article echoes the sentiment that I would
express: "Messenger" service pop-ups are a nusiance and nothing more.

In the context of the buffer-overflow as described in the Microsoft article
above, and assuming that the overflow is exploitable, I would consider this
a critical security concern.

Assuming that, at the time of the USA Today article's writing, the overflow
was undiscovered, I would argue that Microsoft did not "get it wrong".

As a matter of course, I have been disabling the "Messenger" service in new
installations for the past several years and would recommend that everyone
do so (using Active Directory Group Policies to disable services is a
beautiful thing). The frustrating part of this, however, is the usage of
this mechanism by some software to "broadcast" messages to clients (UPS
management software comes to mind first). Perhaps this represents an
opportunity for someone to implement a better "Messenger listener" that
could gateway these messages to other protocols or logs.

---

As an aside, this also highlights a frustration that I've had with Microsoft
on several occasions-- naming products or components of products similar
names. I've seen confusion between the "Messenger" service and "Windows
Messenger", the "Computer Browser" service and web browsers, and long ago
confusion between the "Microsoft Exchange" MAPI client software and
"Microsoft Exchange Server".

T.A. Adjuster

----- Original Message -----
From: "Richard M. Smith" <rms@...puterbytesman.com>
To: "'Giovanni Campagnoli'" <bioia@...oo.com>; <bugtraq@...urityfocus.com>
Sent: Wednesday, October 15, 2003 4:51 PM
Subject: Microsoft got it wrong


Only last month in USA Today, Microsoft was claiming that Windows Messenger
didn't represent a security hazard:

   Pop-ups assail through Windows
   http://www.usatoday.com/tech/news/2003-09-24-popups_x.htm

   Microsoft views pop-up boxes as a benign nuisance
   that does "not pose a security risk," says Greg Sullivan,
   product manager for Windows.

Looks like Microsoft crystal ball is pretty fuzzy.  Windows Messsenger is
just the sort of seldom-used feature that should be turned off by default in
Windows XP.

Richard M. Smith
http://www.ComputerBytesMan.com



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ