Microsoft Details Security Changes
Microsoft will detail plans to disable the Windows Messenger Service and activate the Internet Connection Firewall by default on Windows XP machines in an effort to protect computers from malicious attacks, a company executive said Tuesday.
The changes will be described at an informal lunchtime presentation during Microsoft's Professional Developers Conference in Los Angeles by Jason Garms, an architect in Microsoft's Security Business Unit, and are targeted for release in Windows XP Service Pack 2, according to Amy Carroll, director of product management in SBU.
The announcement follows weeks of statements from Microsoft Chief Executive Officer Steve Ballmer and other company executives that the company was looking at ways to increase the ability of Windows to "shield" itself against threats from computer viruses, worms, and hackers, rather than relying on other companies' products to do so.
Among other things, Microsoft will announce a new API (application programming interface) for RPCs (remote procedure calls) that limits access to resources on the local machine, Carroll said.
The new API will give developers more tools to control the flow of data to and from Windows applications and apply more specific security policies that cover actions taken by client and server applications, according to Pete Lindstrom, an analyst at The Spire Group.
Security vulnerabilities in RPC and the distributed component object model that Microsoft disclosed in July led to the creation of the W32.Blaster worm, which ravaged corporate networks and home computers worldwide in August.
To address concerns about Web and network-borne attacks that exploit vulnerabilities in its products, Microsoft will be describing plans that it has to strengthen the default configuration of the Internet Explorer Web browser's Local Machine and Local Intranet security zones, Carroll said.
The configuration of those zones controls what actions are and are not permissible when connecting to resources on a user's local network. Microsoft is interested in soliciting developers' feedback about whether the changes are the right approach for security issues, Carroll said.
The company will also be talking about its plan to recompile Windows using new technology that is designed to sniff out security vulnerabilities in the code, Carroll said.
Buffer overruns are a common avenue for attacks against Windows systems, allowing hackers to send long streams of data that cause Windows machines to crash or to unintentionally execute code written by the attacker. On Tuesday, Microsoft will be encouraging developers to take advantage of the same compiler technology in the latest editions of Visual Studio to catch buffer overruns and other problems in their code, Carroll said.
Change of Plans
While Microsoft executives hinted at many of these changes in recent weeks, the decision to disable the Windows Messenger Service is new.
The service has been a standard part of Windows operating systems since the introduction of 32-bit operating systems in the mid-1990s, according to Russ Cooper, Surgeon General of TruSecure and moderator of the NTBugtraq newsgroup.
Using text commands entered from a command prompt, users can create a pop-up window containing messages on other users' desktops connected over a home network, corporate network, or the Internet, according to Richard Smith, an independent security consultant in Boston.
Within the last year, spammers discovered the feature and began using it to barrage unsuspecting users with pop-up messages containing solicitations, he said.
On October 15, Microsoft issued a software patch for a buffer overflow in the Messenger Service that could enable attackers to remotely place and run malicious code on vulnerable machines, gaining total control of those systems.
Cause for Concern
Security experts, including Smith, expressed concern about Microsoft's reluctance to shut down the service, saying that Messenger was not a vital Windows component and was ripe for exploitation by another Blaster-like worm.
In recent days, Internet service provider America Online raised the visibility of the problem by acting unilaterally to disable Windows Messenger Service on the Windows desktops of 20 million of its users as a precaution.
While the Messenger Service will definitely be disabled by default in XP Service Pack 2, Microsoft is still investigating the problem and talking with customers about how to address the issue, Carroll said.
The company cannot comment on specific plans, but disabling the service in XP Service Pack 2 is not the final word. Other changes to address the issue in Windows Server 2003 and Windows 2000 are still in the works, and Microsoft is not ruling out disabling the service before releasing XP Service Pack 2, Carroll said.