New Security Gap Found In Windows Messenger Service


December 11, 2003

NetworkComputing

Symantec on Tuesday uncovered a new avenue that hackers could use to exploit a buffer overflow vulnerability in Microsoft Windows Messenger Service, one that, if packaged within a self-propagating worm, could spread across a network like wildfire.

According to analysis done by Symantec's DeepSight Threat Analyst Team, the Windows Messenger Service vulnerability can be exploited by a single UDP broadcast, allowing a wholesale compromise of all vulnerable systems on the targeted network.

"This newfound exploitation path dramatically increases the speed at which a worm could propagate within a local network, making widespread infection theoretically almost instantaneous," the threat team wrote.

Alfred Huger, the senior director of engineering at Symantec's security response team, put it into perspective.

"SQLSlammer moved fast," he said, talking about the quick-spreading worm of January, 2003 that infected thousands of machines globally in a matter of hours. "But we actually think that if this exploit is packaged into a worm, it could spread faster, quite a bit faster, than Slammer. Slammer had to infect each machine individually, but all it takes is one packet [of malicious code] to infect an entire network using this exploit. It's like the difference between talking one-on-one, and screaming out to a room full of people."

"If I can exploit one single box on your network, I can exploit all of them," Huger added.

The exploit, which Symantec's security team has confirmed by modifying an existing proof-of-concept exploit, takes advantage of UDP (User Datagram Protocol), a transport protocol in the TCP/IP suite. UDP, often used for real-time audio and video traffic, doesn't require TCP's three-way connection handshake, and a UDP packet can be broadcast to all systems on a network's subnet at the same time.

"An application doesn't care about UDP," said Huger. "It takes the packet, period, with no authentication."

A worm just 2.7K in size would be enough to simultaneously infect up to 254 machines. Although that's larger than the minute 376 bytes used by SQLSlammer, "the difference is really trivial," Huger said.

Not only might such a worm spread faster than Slammer, its damage could significantly outweigh Slammer's damage, for it would have a much greater number of potential targets. The Windows Messenger Service vulnerability exists not just in enterprise machines -- as with Slammer -- but also countless home computers running Windows.

Symantec's test exploit only crashed the targeted systems -- one possible result of a worm -- but hackers could modify existing exploits to cause any number of problems, including inserting other malicious code that might give them access to the systems. "The sky's the limit," said Huger.

Not to be confused with Windows Messenger, Microsoft's instant messaging platform, Windows Messenger Service is used by applications to communicate with each other, and often by enterprise network administrators to alert users of such things as impending server shutdowns. It has also been used by some spammers to pop text-message spam onto users' desktops.

Symantec recommended that users -- both corporate and consumers -- immediately apply the Microsoft patch if they haven't done so. Other ways to defend against the threat are to disable the Windows Messenger Service, or to block TCP ports 137-139, UDP port 135, and UDP ports 1025 and higher.

Users can disable Windows Messenger Service by following the instructions in Microsoft's security bulletin.
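A defender-side check for the traffic pattern described above, as an added example that is not part of the original article: it scans flow records for UDP datagrams sent to a subnet's broadcast address on the UDP ports the article says to block. The record format, sample lines, function names and the 192.168.1.0/24 subnet are constructed for illustration.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample records: proto src dst dport length
SAMPLE = """\
# proto src dst dport length
udp 192.168.1.23 192.168.1.255 1026 2700
udp 192.168.1.23 192.168.1.40 1026 2700
tcp 192.168.1.50 192.168.1.255 139 60
udp 192.168.1.77 255.255.255.255 135 512
udp 192.168.1.9 192.168.1.255 137 78
"""

def is_listed_udp_port(port):
    """UDP ports the article recommends blocking: 135, and 1025 and higher."""
    return port == 135 or port >= 1025

def is_broadcast_dst(dst, subnet):
    """True for the limited broadcast address or the subnet's directed broadcast."""
    addr = ipaddress.ip_address(dst)
    return addr == LIMITED_BROADCAST or addr == subnet.broadcast_address

def parse_record(line):
    """Parse one whitespace-separated record in the constructed format above."""
    proto, src, dst, dport, length = line.split()
    return {"proto": proto.lower(), "src": src, "dst": dst,
            "dport": int(dport), "length": int(length)}

def flag_broadcast_udp(lines, subnet_cidr):
    """Return records where one UDP datagram reaches every host on the subnet."""
    subnet = ipaddress.ip_network(subnet_cidr)
    host_count = len(list(subnet.hosts()))  # 254 usable addresses on a /24
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        if (rec["proto"] == "udp" and is_listed_udp_port(rec["dport"])
                and is_broadcast_dst(rec["dst"], subnet)):
            rec["hosts_reached"] = host_count
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in flag_broadcast_udp(SAMPLE.splitlines(), "192.168.1.0/24"):
        print(hit["src"], "->", hit["dst"], "udp/%d" % hit["dport"],
              "reaches up to", hit["hosts_reached"], "hosts")
```

Matches are candidates for review, not verdicts, since some legitimate applications also broadcast on high UDP ports.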

"If this type of exploit pops up, it would present a more severe threat than even Slammer," concluded Huger. "And it's likely that this isn't the only new vulnerability we'll see in Windows Messenger Service. We'll see more of these in the future."
