Now Disabled on Your PC: Windows Messenger
The software giant takes proactive steps to staving off security headaches for users of Windows-based PCs by unilaterally disabling the Windows Messenger service and activating an XP-based firewall in its place.
said this week that it plans to switch off its Windows Messenger service and activate Internet Connection Firewall (ICF) by default on XP boxes.
Windows Messenger -- not to be confused with the Redmond, Wash. software vendor's MSN Messenger instant messaging service -- is used to exchange data between computers. It launches automatically when a user boots up his or her personal computer.
But the software has posed serious security risks. A program, which some consultants dubbed the "son of MSBlaster," was recently circulating that takes advantage of a flaw in Microsoft's Messenger Service that causes Windows-based computers to crash. So concerned are some companies in the industry that America Online disabled Windows Messenger on the Windows desktops of 20 million of its users as a precaution last week.
That's why company executives announced the disarmament at the Microsoft Professional Developer's Conference Tuesday. Specifically, Microsoft has opted to turn off the rarely-used Messenger services with Windows XP Service Pack 2, which is due in the first half of 2004. ICF, a firewall built into XP that is normally turned off by default, will be turned on going forward, the company said. Security experts said ICF could have blocked MSBlaster if it had been turned on.
Turning on IFC demonstrates a proactive approach to securing the desktop, said Gartner security analyst John Pescatore.
"Microsoft is definitely doing the right thing, and should do much, much more of it," Pescatore told internetnews.com. "One of the fundamental principles of security is 'Deny everything except that which is *expressly* permitted'. That translates to having all dangerous services (like Messenger) off by default and requiring the user to take explicit actions to choose to enable those dangerous services."
Pescatore said Microsoft did a good job of adhering to this in Windows Server 2003, which he said is relatively secure out of the box. Microsoft, he noted, is trying to break a life-time habit.
"But in desktop products they have had a corporate blind spot in the past -- Microsoft became the world's biggest software company by putting all the control in the hands of the PC user. They didn't consider safety a key requirement -- making Messenger and other things (like telnet or FTP services and the like) off by default is another important step."
Messenger, a standard part of Windows operating systems since the mid-1990s, has also been the target of several flaws that yield massive amounts of pop-up advertisements, with users employing text commands to create pop-up windows for spam. It was also the subject of a recent security patch for a buffer overrun flaw that could throw a machine at the mercy of a malicious user.
The WM disablement comes in the midst of proclamations from company executives that Microsoft was looking at ways to fortify the security of Windows in the face of computer viruses, worms and crackers. Microsoft also plans to apply more restrictive default configurations on its Internet Explorer Web browser Local Machine and Local Intranet security zones.
Microsoft will also roll out a new application programming interface (API)
for remote procedure calls (RPCs) that limits access to resources on the local machine. The API will give developers more tools to control the flow of data to and from Windows applications.