1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. NetBIOS MS Messenger Serv. BO (TCP)

NetBIOS MS Messenger Serv. BO (TCP)

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

Microsoft Messenger Service is a Windows service that is responsible for sending and receiving "net send" messages. The service also handles any messages that are sent via the Alerter service between client and server systems. The Microsoft Messenger Service is not related to MSN Messenger.

Additional Information

Microsoft Messenger Service is prone to a remotely exploitable buffer overrun vulnerability. The source of the vulnerability is insufficient bounds checking of messages before they are passed to an internal buffer. A particularly malformed message can potentially overrun adjacent regions of memory with attacker-supplied values. Exploitation could result in a denial-of-service or in execution of malicious code in Local System context, potentially allowing for full system compromise. The service is exposed via RPC (port 135).

Affected

  • Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
  • Microsoft Windows 2000 Server SP1, SP2, SP3, SP4
  • Microsoft Windows NT Enterprise Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows NT Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows NT Terminal Server 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6
  • Microsoft Windows NT Workstation 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Professional SP1

Response

Workaround:

Access to port 135 can be blocked using the Internet Connection Firewall (ICF) for Windows XP and Windows 2003 Server systems. The default settings for ICF are to block this traffic.

Microsoft has released instructions on how to disable the Windows Messenger Service. These instructions can be found in the attached Microsoft Security Bulletin. It should be noted that disabling the service may have some side effects, such as the system not being able to receive Alerter services messages or some services related to the Windows Messenger Service not starting.

Solution:

Microsoft has released updates to address this issue.

Microsoft Patch Security Update for Microsoft Windows 2000 Service Pack 2: KB828035
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Server SP2

Microsoft Patch Security Update for Microsoft Windows 2000: KB828035
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Server SP4

Microsoft Patch Security Update for Microsoft Windows NT Server 4.0: KB828035
Microsoft Windows NT Server 4.0 SP6a

Microsoft Patch Security Update for Microsoft Windows NT Server Terminal Server Edition: KB828035
Microsoft Windows NT Terminal Server 4.0.0 SP6

Microsoft Patch Security Update for Microsoft Windows NT Workstation 4.0: KB828035
Microsoft Windows NT Workstation 4.0.0 SP6a

Microsoft Patch Security Update for Microsoft Windows Server 2003 64-bit Edition: KB828035
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows Server 2003 Enterprise Edition 64-bit

Microsoft Patch Security Update for Microsoft Windows Server 2003: KB828035
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Web Edition

Microsoft Patch Security Update for Microsoft Windows XP 64-bit Edition: KB828035
Microsoft Windows XP 64-bit Edition

Microsoft Patch Security Update for Microsoft Windows XP: KB828035
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional SP1
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube