
Mistruth in FAQ
Burningmace
On the site's FAQs page under the Privacy section (http://www.msgplus.net/help/faq/privacy/#open-port) the following is stated:

quote:
No, there is no way Messenger Plus! could have any security flaw that would let non-allowed software to connect on your computer. The reason is quite simple: Messenger Plus! does not directly open any network port on your machine, the only exception being the External Mail feature that connects to the mail server of your choice. Every other feature of Messenger Plus! that uses your internet connection goes through normal http requests sent by the Wininet library of Windows.

This is technically incorrect for several reasons:

1) Despite the developers' best efforts, there is no way to say 100% that the Messenger Plus! application contains no exploitable code (in the form of buffer overruns, etc.). User input is accepted from a whole pile of sources that could be controlled by an attacker. What if someone uses an ARP/DNS spoof to man-in-the-middle your connection to the update service? Your box is owned. What if a vulnerability is found in the sound player code and someone sends a malformed audio sample that causes this vulnerability to be exploited in order to execute malicious code? Your box is owned.
2) There is no way to say that the Wininet library is 100% secure. Windows has had vulnerabilities before, and it still does.
3) Messenger Plus does directly open a network port! It may not open a port for listening, but if it's connecting to the update feature or talking to the messenger service it has an open connection that uses a local port. That means that the connection can be hijacked by an attacker and there is nothing you can do to stop it. On the one hand it is likely that they will not be able to do anything useful, but on the other it doesn't mean that the possibility is not there for an attacker to manipulate data and cause problems.

I propose that this section of the FAQ is re-written to more accurately represent reality. It doesn't have to be technical and wordy, but it should definitely represent the reality of software security. In fact this covers the developers - as the FAQ states that the software is 100% secure, if someone goes on to find a vulnerability and exploit it causing $10m of damage to a corporate network, then you're up a creek without a paddle in a court of law. In layman's terms: You get owned.

I'm not saying tell everyone that if they install your software they're gonna get hacked and people are going to steal their credit card numbers, but more warn them that as with all software, despite your best efforts there may be exploitable bugs that have not been identified and fixed. So while it is very very very unlikely that someone would hack them through Plus! it is still technically a possibility.

Discussion and positive criticism appreciated, flaming is not.

Cheers,
Burningmace
09-23-2008 07:46 PM
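
Added example, not part of the original post or of Messenger Plus!: the distinction in point 3 between a listening port and an outbound connection that still occupies a local port, shown by grouping sockets per process from `netstat -ano` style output. The sample rows, addresses and PIDs are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the layout of Windows `netstat -ano`; addresses are
# documentation ranges and PID 4120 stands in for a chat client (assumption).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.20:49712     203.0.113.10:1863      ESTABLISHED     4120
  TCP    192.168.1.20:49730     198.51.100.7:80        ESTABLISHED     4120
  TCP    192.168.1.20:49731     198.51.100.7:80        TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1320
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so forms like [::]:135 also work."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def sockets_by_pid(netstat_text):
    """Group TCP sockets per PID into listening ports and live connections."""
    table = defaultdict(lambda: {"listening": [], "established": []})
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly five fields; header and UDP rows do not.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, local, foreign, state, pid = fields
        local_port = int(split_endpoint(local)[1])
        if state == "LISTENING":
            table[int(pid)]["listening"].append(local_port)
        elif state == "ESTABLISHED":
            table[int(pid)]["established"].append((local_port, foreign))
    return dict(table)

def exposure(entry):
    """Summarise the kind of network input a process is exposed to."""
    if entry["listening"]:
        return "accepts inbound connections"
    if entry["established"]:
        # No listener: these are connections the process initiated, yet it
        # still parses whatever the remote end (or a path attacker) sends.
        return "no listener, still reads data from remote peers"
    return "no TCP sockets"

if __name__ == "__main__":
    for pid, entry in sorted(sockets_by_pid(SAMPLE).items()):
        print(pid, exposure(entry), entry)
```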