Critical Microsoft Messenger Patch Released
- URL: http://www.secureworks.com/research/threats/messengeradvisory
- Date: October 15, 2003
- Author: Joe Stewart
***Critical Threat Patch Released***
Microsoft has released a new bulletin and critical patch for the Messenger Service, which is built into Windows NT, 2000, XP and Server 2003. The vulnerability allows remote code execution via a specially crafted UDP packet. This may allow for the creation of a worm with the potential for damage exceeding Blaster and Nachia, since exploitation uses UDP instead of TCP.
Threat: Critical
It is recommended to apply this patch to all workstations and servers on your network ASAP. If you are unable to patch a segment, you can protect it by blocking UDP port 135 and UDP port 1026. Blocking these ports may disable certain other Windows Networking services that rely on them, especially the Winpopup service. Applying the patch is the preferred remediation.
While most organizations are not going to allow port 135 UDP and port 1026 UDP inbound, a common vector for these worms is laptop, dialup and VPN users. You should take appropriate action to isolate any segments where these users connect to your network and ensure they are not allowed to pass traffic on these ports to any other servers on your network.
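One way to verify the isolation described above, as an added example that is not part of the original advisory: a Python check over firewall flow records that lists traffic from remote-access segments still being allowed to UDP 135 or 1026. The log format, the segment address ranges and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# UDP ports the advisory says to block for unpatched segments.
MESSENGER_UDP_PORTS = {135, 1026}

# Assumption: illustrative address ranges for VPN and dialup segments.
REMOTE_ACCESS_SEGMENTS = [ipaddress.ip_network(n)
                          for n in ("10.8.0.0/24", "10.9.0.0/24")]

# Constructed sample records (hypothetical log format):
# timestamp proto src_ip src_port dst_ip dst_port action
SAMPLE_FLOWS = """\
2003-10-15T09:00:01 UDP 10.8.0.14 3021 10.1.2.10 135 ALLOW
2003-10-15T09:00:02 UDP 10.8.0.14 3022 10.1.2.11 1026 ALLOW
2003-10-15T09:00:03 TCP 10.8.0.14 3023 10.1.2.10 135 ALLOW
2003-10-15T09:00:04 UDP 10.9.0.7 4000 10.1.2.10 1026 DENY
2003-10-15T09:00:05 UDP 10.1.3.5 1500 10.1.2.10 135 ALLOW
2003-10-15T09:00:06 UDP 10.8.0.14 3024 10.1.2.12 53 ALLOW
malformed line
"""

def parse_flow(line):
    """Parse one record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, proto, src, _sport, dst, dport, action = parts
    try:
        return {"ts": ts, "proto": proto.upper(),
                "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                "dport": int(dport), "action": action.upper()}
    except ValueError:
        return None

def find_policy_gaps(log_text):
    """Flows from remote-access segments to UDP 135/1026 that were allowed."""
    gaps = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "UDP":
            continue
        if flow["dport"] not in MESSENGER_UDP_PORTS or flow["action"] != "ALLOW":
            continue
        if any(flow["src"] in seg for seg in REMOTE_ACCESS_SEGMENTS):
            gaps.append(flow)
    return gaps

def sources_to_review(gaps):
    """Count allowed flows per source host so each can be traced."""
    return Counter(str(flow["src"]) for flow in gaps)
```

Any record this returns points to a filtering rule that still lets a remote-access segment reach the two ports on internal hosts.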
It is also important not to confuse the Messenger Service with the Windows Messenger or MSN Messenger clients. The Messenger Service is not related to these programs. It is a system service that runs in the background, regardless of whether any IM client is running on the system.
For full details concerning this vulnerability, refer to Microsoft Security Bulletin MS03-043 at http://www.microsoft.com/technet/security/bulletin/MS03-043.asp
There are also several other recent critical Microsoft patches which you should have already applied; but if not, this is a good time to bring the patch level of all workstations up to date.