Internet service provider America Online is taking aggressive steps to combat spam and close a security loophole by turning off a Microsoft Windows feature that spammers are exploiting to display pop-up messages on users' desktops, AOL said.
AOL used an update of its software to disable the Windows feature without the knowledge or consent of AOL subscribers, raising questions about the ethics of the change.
The feature in question, known as Windows Messenger Service, enables network administrators or network devices to display messages on users' desktops, but it has few applications for home users, according to Richard Smith, an independent security expert based in Boston.
Using text commands entered from a command prompt, users can create a pop-up window containing messages on other users' desktops connected over a home network, corporate network, or the Internet, Smith said. Spammers discovered the feature a year ago and immediately began using it to barrage unsuspecting users with pop-up messages containing solicitations, he said.
For spammers, Windows Messenger Service has advantages over e-mail. The spammer's message appears on top of the desktop, without requiring any user action to display it. Even more important, spammers do not need to know any e-mail addresses to get their message out to Windows users, just the IP addresses of Windows machines, Smith said.
AOL call centers began receiving a large number of complaints from users about the pop-up message problem last year, soon after spammers discovered it, said Andrew Weinstein, an AOL spokesperson.
"Users were calling us and saying that they didn't know why they were getting them and that there was no way of getting away from them," he said of the messages.
An AOL feature for blocking pop-up Web site advertisements did not stop the Windows Messenger Service pop-ups either, because the Messenger Service pop-ups relied on a different underlying technology, Weinstein added.
The company was also swayed in its decision to block the Windows Messenger Service by a recent critical security bulletin from Microsoft concerning a buffer overrun vulnerability in the Service that could enable a remote attacker to take control of a vulnerable Windows system, he said.
AOL, which is the Internet unit of Time Warner, began shutting off the feature for customers using Windows NT, 2000, and XP on a rolling basis two weeks ago. The company checks users' machines when they log on to AOL's network to see if Windows Messenger Service is enabled. If the feature is on, AOL disables it, Weinstein said.
So far, 15 million AOL subscribers have had the feature disabled, and AOL is planning to make the change on about 5 million more AOL subscriber machines in the coming weeks. Weinstein did not have a timetable for the remaining changes.
Going Too Far?
Smith, the Boston security expert, supports the decision to deactivate Windows Messenger Service but questions AOL's approach to solving the problem.
"Let's just say it's aggressive. It's not something that I would do," Smith said.
Unilaterally disabling services or changing configuration settings can often have an unintended impact on other applications that may rely on them, Smith said. However, he was sympathetic to AOL's predicament.
"AOL is just reacting to customer complaints. The home user doesn't understand what's going on, and the one place they're going to go to complain is the company they have a relationship with," he said.
AOL stands firm behind its decision to deactivate Windows Messenger Service.
There was no discussion of the ethics of changing users' Windows configurations without notifying them first, Weinstein said. The online experience of AOL customers was being degraded by the pop-up spam and there was a serious security issue with the service, he explained.
The feature can be toggled on and off from the operating system, and deactivating it does not require a Windows configuration change, Weinstein said. AOL did consult with Microsoft prior to making the change to confirm that there would be no negative repercussions from the change, he added.
A Microsoft spokesperson could not confirm that talks took place between the two companies regarding AOL's plans to deactivate the Windows feature.
However, Microsoft believes that software makers should be explicit about what their products are doing or adding to a system, the spokesperson said.
While vendors like AOL are free to propose changes, users should be able to accept or reject those changes first, he said.
AOL has heard from a very small number of users who have asked the company to turn the feature back on, and from a large number of users thanking the company for the change. The company will soon be promoting the change and providing its customers with links to content explaining what AOL did and providing them with directions for re-enabling Messenger Service if they like, Weinstein said.
"We think this was absolutely the right step to take. It was an absolutely 100 percent clear decision," he said.
Microsoft should have moved to deactivate the feature long before AOL did, Smith said.
"This is something that Microsoft should be doing," he commented. "Once spammers discovered this feature a year ago, Microsoft had a duty to step up to the plate and make it easy to turn this thing off. Instead, they just ignored the issue, put out a couple of techy advisories, and let the situation get out of hand."
Microsoft is well aware of the problems with Windows Messenger Service. However, the pop-up spam messages are not a security threat in themselves--just an annoyance, the company spokesperson said.
The decision to disable Messenger Service by default is "one of many things under consideration" for future security-related Windows updates, including Windows XP Service Pack 2, which is scheduled for the first half of 2004, he said.
It is also possible that the company could move to disable the service before then.
"Conversations are ongoing," the spokesperson said.
In the meantime, Microsoft recommends that its customers activate the Internet Firewall that is built into Windows XP or deploy a third-party firewall. Either will protect Windows users from pop-up spam, he said.
Note: PCWorld.com has a partnership agreement to provide content to America Online.