KB824146 Image
KB828035 KB828035

Home Page  |   Main Article Index  |  FREE XP Newsletter  |  Privacy Policy 

KB828035 Security Patch
 

Buffer Overrun in Messenger Service
Could Allow Code Execution!

 

 

So What's The Story With KB828035 ?


Microsoft has published a new security bulletin (KB828035), on the 13th October 2003, describing a new vulnerability that affect numerous versions of Microsoft Windows.

What's the scope of the vulnerability?

This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

Even if you do NOT understand what this means - YOU MUST take this security threat seriously and install the KB828035 patch now!

What is the Windows Messenger Service?

The Messenger service is a Windows service that transmits net send messages and messages that are sent through the Alerter service between client computers and servers. For example, the Messenger service can be used by network administrators to send administrative alerts to network users.

The Messenger service can also be used by Windows and other software programs. For example, Windows may use it to inform you when a print job is completed or when you lose power to your computer and switch to a Uninterruptible Power Supply (UPS). The Messenger service is not related to your Web browser, e-mail program, Windows Messenger, or MSN Messenger.

What causes the vulnerability?

The vulnerability results because of an unchecked buffer in the Messenger Service. If exploited, an attacker could gain Local System privileges on an affected system, or cause the service to fail.

Is the Messenger Service the same thing as Windows Messenger or MSN Messenger?

No....

It's important to note that the Messenger Service is NOT the same thing as Windows Messenger or MSN Messenger. Windows Messenger  and MSN Messenger are instant messaging services that allow users to converse, share pictures, video, etc.

In contrast, the Messenger Service is a simple text-only broadcast service that's typically used by administrators to send alerts to users, and warn them of pending outages, server maintenance, etc.

What's wrong with the Messenger Service?

The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer. This new KB828035 patch stops this happening.

What could this vulnerability enable an attacker to do?

An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.

How could an attacker exploit this vulnerability?

An attacker could seek to exploit this vulnerability by creating a specially crafted message and sending it to the Messenger Service on an affected system.  This new KB828035 patch stops this happening.

What does the KB828035 patch do?

The patch eliminates the vulnerability by insuring that the Messenger Service properly validates the length of a message before passing it to the allocated buffer.

The information in this KB828035 article applies to:

  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP 64-Bit Edition Version 2002
  • Microsoft Windows XP 64-Bit Edition Version 2003
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server 4.0 Terminal Server Edition
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.

Machines running Windows 95, 98 and ME are not at risk from this new vulnerability described in KB828035.
 

So What Can Be Done? - Install KB828035..!

Microsoft have created a new Security Patch KB828035 to prevent anyone exploiting this new found vulnerabilities in the Messenger Service.

You can get the download here: KB828035

YOU MUST have Windows XP Service Pack 1 installed (this is NOT the 64 bit edition link)

 

Not Sure KB828035 Is Installed On Your PC?

Apart from a quick check in the Add/Remove panel to see if KB828035 is listed...

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

For Windows XP Home Edition SP1; Windows XP Professional SP1; Windows XP 64-Bit Edition, Version 2002 SP1; Windows XP Tablet PC Edition; Windows XP Media Center Edition:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB828035\Filelist

 

Microsoft encourages administrators to run the latest version of the Scanner Tool available in Microsoft Knowledge Base article 827363 , to determine if their systems are patched with KB824146 and KB823980 correctly. (This tool is a command line based utility and is not for beginners.)

http://support.microsoft.com/default.aspx?scid=kb;en-us;827363

(This tool supersedes the admin tool issued for KB823980.)
 

Conclusion:

As ever I would  urge ALL of you to download and apply the latest patch's, to keep your anti-virus software up to date and use a firewall to protect against unwanted intrusions!

By applying this kb828035 patch you will stop any exploit of this vulnerability of the messenger service. However I personally recommend that unless you KNOW you need the Messenger Service running then you disable it in ADDITION to having a firewall in place!

Why, well not everyone has a firewall correctly setup to BLOCK the Messenger Service from the outside world. Also, it will only be a matter of time before there is another security alert around the Messenger Service!

Impact of disabling the messenger service: If the Messenger service is disabled, messages from the "Alerter" service (for example notifications from your backup software or Uninterruptible Power Supply) are not transmitted. If the Messenger service is disabled, any services that explicitly depend on the Messenger service do not start, and an error message is logged in the System event log.

For most home users this is not going to be a problem and the service can easily be set to run again in seconds... Read more at: Messenger Service

Well I hope this article on the KB828035 security patch was useful..

UPDATE 29th OCTOBER 2003:

Microsoft have revised this patch to correct the Debug Programs (SeDebugPrivilege) user right issue, that some customers experienced with the original patch.

This problem is unrelated to the security vulnerability discussed in this bulletin. Customers who have already applied the patch are protected against the vulnerability discussed in this (KB828035) bulletin.

 

Sign Up For My Windows XP Newsletter for more tips and advice!

 


Click Here

Regards

Marc Liron
www.updatexp.com

Sign Up For A GREAT Windows XP Newsletter!
From one of the most POPULAR
Windows XP Websites on the Net!

  • Windows XP News
  • Windows XP Tips
  • Patch Update News
  • Info on Internet Explorer and Outlook Express
  • Windows Media Player Plugin Reviews
  • And so much more......

 

Get regular Windows XP news and tips -
 make XP work the way YOU want it to work!

First name 

E-mail address

Don't worry -- your e-mail address is totally secure.
I promise to use it only to send you Update XPress
and special XP related bulletins.

Here is my site Privacy Policy

The views on this website are my own and not that of Microsoft.
I am not responsible for the content of any sites linked to.
ALL Trademarks are freely acknowledged
ALL information is provided "As Is"

This page was last updated 29th October 2003

 

Home Page  |   Main Article Index  |  FREE XP Newsletter  |  Privacy Policy 

An article on the KB828035 Messenger Service Patch

 www.updatexp.com - Marc Liron - 2002/2003