In keeping with its company-wide Trustworthy Computing pledge to stave off
security problems by minimizing vulnerabilities, Microsoft
said this week that it plans to switch off its Windows
Messenger service and activate Internet Connection Firewall (ICF) by default
on XP boxes.
Windows Messenger — not to be confused with the Redmond, Wash. software
vendor’s MSN Messenger instant messaging service — is used to exchange data
between computers. It launches automatically when a user boots up his or her
But the software has posed serious security risks. A program, which some
consultants dubbed the “son of MSBlaster,” was recently circulating that takes
advantage of a flaw in Microsoft’s Messenger Service that causes
Windows-based computers to crash. So concerned are some companies in the
industry that America Online disabled Windows Messenger on the Windows
desktops of 20 million of its users as a precaution last week.
That’s why company executives announced the disarmament at the Microsoft
Professional Developer’s Conference Tuesday. Specifically, Microsoft has
opted to turn off the rarely-used Messenger services with Windows XP Service
Pack 2, which is due in the first half of 2004. ICF, a firewall built into
XP that is normally turned off by default, will be turned on going forward,
the company said. Security experts said ICF could have blocked MSBlaster if
it had been turned on.
Turning on IFC demonstrates a proactive approach to securing the desktop,
said Gartner security analyst John Pescatore.
“Microsoft is definitely doing the right thing, and should do much, much
more of it,” Pescatore told internetnews.com. “One of the fundamental
principles of security is ‘Deny everything except that which is *expressly*
permitted’. That translates to having all dangerous services (like
Messenger) off by default and requiring the user to take explicit actions to
choose to enable those dangerous services.”
Pescatore said Microsoft did a good job of adhering to this in Windows
Server 2003, which he said is relatively secure out of the box. Microsoft,
he noted, is trying to break a life-time habit.
“But in desktop products they have had a corporate blind spot in the past —
Microsoft became the world’s biggest software company by putting all the
control in the hands
of the PC user. They didn’t consider safety a key requirement — making
Messenger and other things (like telnet or FTP services and the like) off by
default is another important step.”
Messenger, a standard part of Windows operating systems since the mid-1990s,
has also been the target of several flaws that yield massive amounts of
pop-up advertisements, with users employing text commands to create pop-up windows for spam. It was also the
subject of a
recent security patch for a buffer overrun flaw that could throw a machine
at the mercy of a malicious user.
The WM disablement comes in the midst of proclamations from company executives that Microsoft was looking at ways to fortify
the security of Windows in the face of computer viruses, worms and crackers.
Microsoft also plans to apply more restrictive default configurations on its
Internet Explorer Web browser Local Machine and Local Intranet security
Microsoft will also roll out a new application programming interface (API)
for remote procedure calls (RPCs)
local machine. The API will give developers more tools to control the
flow of data to and from Windows applications.