Mistruth in FAQ
ShawnZ
Veteran Member
Posts: 3145 Reputation: 43
Joined: Jan 2003
RE: Mistruth in FAQ
quote: Originally posted by Burningmace
Who uses that phrase? - I use that phrase, and so do a lot of people. In fact, Microsoft's own Steve Riley uses it liberally in his presentations at TechEd.
well then i pose the same question to him
quote: Originally posted by riahc4
Plus! doesn't communicate with the Messenger service at all.
where did he say the messenger service ¬¬
he was talking about its attack surface in general...
Spoiler: the game.
09-23-2008 10:22 PM
Burningmace
Junior Member
Posts: 20
Joined: Sep 2008
O.P. RE: RE: Mistruth in FAQ
quote: Originally posted by ShawnZ
where did he say the messenger service
I did in fact reference it in the original post, but I worded it poorly. This is explained in my second to last post.
And yes, you are correct, I am talking about the theoretical vulnerabilities of the system as a whole. However, I am not talking about them in a specific context (i.e. a specific vulnerability) but rather the possibility that exploitable interfaces (TCP/UDP sockets, direct user input, etc) and sections of code exist within the system.
I feel that at current the FAQ does not accurately represent the reality of software security, and that it needs to be changed to that end.
09-23-2008 10:27 PM
foaly
Senior Member
Posts: 718 Reputation: 20
Joined: Jul 2006
RE: Mistruth in FAQ
I think you are misinterpreting the FAQ.
The question to that answer is:
Is it possible messenger plus! opens ports for virii to exploit (I had to translate, my FAQ is in Dutch)
The answer to that question is simply NO, because Plus! doesn't open ports. If you exploit Plus! to open a port, Plus! didn't open a port.
The exploit does.
The answer answers the question... Nothing wrong with that...
09-23-2008 10:44 PM
Burningmace
Junior Member
Posts: 20
Joined: Sep 2008
O.P. RE: Mistruth in FAQ
That is not my point. While Messenger Plus! does not open ports for listening, it does connect via the network to other computers on the internet (the update service for one) and these connections are made in the following manner:
1) Resolve the IP address for msgpluslive-update.net
2) Make a connection to this IP address
3) See if there is an update, if there is then download it.
Step 1 is exploitable using DNS spoofing. Step 2 is exploitable (in some cases) using ARP spoofing. Step 3 is exploitable (fake update response sending malware instead of the patch) once either step 1 or 2 has been exploited.
In order to determine the update protocol I could simply inject myself between the client and server as a transparent proxy using DNS/ARP spoofing in a classic man-in-the-middle attack, then monitor all network traffic on that connection. I could then follow the messages sent and received and use the information gathered to create my own application that simulates the update server's behaviour.
Other than using an SSL certificate to fully authenticate the server and encrypt network traffic, I am unaware of any feasible method of preventing man-in-the-middle attacks from succeeding.
This post was edited on 09-23-2008 at 11:02 PM by Burningmace.
09-23-2008 11:01 PM
Link_of_Hyrule
Junior Member
Posts: 63
Joined: Sep 2008
RE: Mistruth in FAQ
This may all be true, but seriously, who is going to spend the time to hack someone through msg plus when they can do it many, many other ways? And the fact of the matter is, unless you're making people mad that have these skills, it's unlikely anything is going to happen to you. I've been using msg plus ever since it was released and have absolutely no problems. I would consider myself an advanced computer user, and with the exception of the occasional virus or trojan I have had no problems with supposed "exploits" in software that people make such a big deal about.
09-23-2008 11:09 PM
ShawnZ
Veteran Member
Posts: 3145 Reputation: 43
Joined: Jan 2003
RE: Mistruth in FAQ
quote: Originally posted by Link_of_Hyrule
when they can do it many many other ways
maybe they can't do it any other way?
09-23-2008 11:24 PM
Burningmace
Junior Member
Posts: 20
Joined: Sep 2008
O.P. RE: Mistruth in FAQ
quote: Originally posted by Link_of_Hyrule
This may all be true, but seriously, who is going to spend the time to hack someone through msg plus when they can do it many, many other ways? And the fact of the matter is, unless you're making people mad that have these skills, it's unlikely anything is going to happen to you. I've been using msg plus ever since it was released and have absolutely no problems. I would consider myself an advanced computer user, and with the exception of the occasional virus or trojan I have had no problems with supposed "exploits" in software that people make such a big deal about.
Again, you're misinterpreting the reason for this thread.
This thread is NOT here to address specific security concerns in the application! I think that the FAQ should be changed to more accurately represent the possibility of software and service exploitation, mainly in order to keep the developers' asses covered, but also to inform and educate users about this possibility.
I would also like to point out that some of the most devastating worms in the history of computing (Blaster, Code Red, ILOVEYOU, SQL Slammer, etc) relied on exploiting other software in order to spread across networks. I've been working with computers since I was 6 (that's not a typo) and I've had plenty of viruses to deal with, very few of which were as a result of something I've downloaded. If you get a virus without running the virus executable yourself, you got exploited.
quote: Originally posted by ShawnZ
quote: Originally posted by Link_of_Hyrule
when they can do it many many other ways
maybe they can't do it any other way?
Again we're off-topic, but nonetheless you are correct. Who cares if they can do it another way? They CAN do it this way and if they wanted to they COULD. If every software company and computer security organisation went around saying "this vulnerability doesn't matter, they'll just find another way in anyway" the computing world would be completely insecure.
This post was edited on 09-23-2008 at 11:35 PM by Burningmace.
09-23-2008 11:31 PM
segosa
Community's Choice
Posts: 1407 Reputation: 92
Joined: Feb 2003
RE: RE: Mistruth in FAQ
quote: Originally posted by Burningmace
That is not my point. While Messenger Plus! does not open ports for listening, it does connect via the network to other computers on the internet (the update service for one) and these connections are made in the following manner:
1) Resolve the IP address for msgpluslive-update.net
2) Make a connection to this IP address
3) See if there is an update, if there is then download it.
Step 1 is exploitable using DNS spoofing. Step 2 is exploitable (in some cases) using ARP spoofing. Step 3 is exploitable (fake update response sending malware instead of the patch) once either step 1 or 2 has been exploited.
GREAT.
No, seriously, that's wonderful. Now let's make sure that we don't use our computers to make any sorts of requests, HTTP or otherwise, because there might be someone performing a man-in-the-middle attack.
The previous sentence is false. The following sentence is true.
09-23-2008 11:41 PM
Burningmace
Junior Member
Posts: 20
Joined: Sep 2008
O.P. RE: Mistruth in FAQ
Technically you have a point - trillions of HTTP requests are made every day and very few are ever exploited. However, there are some key differences:
1) In most cases, an attacker would not bother to filter through the vast amount of junk that a victim browses.
2) Even if an attacker discovered that their victim downloaded files regularly from a single site, the task of creating a believable replica of the site in order to fool them is often infeasible with the time frame involved.
3) In most cases the exploiter must be on your network in order to DNS/ARP spoof. If you're home alone you're relatively safe. If you're on your laptop connected to your work's network, you're not.
4) MSN is a system that is user-to-user based - is it really that hard to envision a situation where one user doesn't like another and so decides to attack them?
5) The user wouldn't think twice about updating Plus! when the "New Version Available" dialog box appears. Attackers look to control a system where the user would be infected quickly and easily, without having to convince them in an elaborate way that the data that they are receiving is not malware.
But most people do not understand a few basic principles of network security:
If you send packets over a network that are unencrypted you must consider the data in those packets to be in the public domain - anyone on your network can read them.
If the client does not authenticate the server, anyone on your network can perform a man-in-the-middle attack in order to manipulate traffic.
In a security-sensitive environment, if you do not both encrypt traffic and authenticate the server you must consider your client to be compromised.
This post was edited on 09-24-2008 at 12:08 AM by Burningmace.
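A defender-side illustration of the principle stated in this post (encrypt the channel and authenticate the server), applied to the three-step update flow described a few posts up. This is an added Go example, not code from the forum thread or from Messenger Plus!; the manifest format, the pinned publisher key, the version string and the installer bytes are all constructed assumptions. It shows the two checks a client can make so that a spoofed DNS answer or ARP entry does not turn "download the update" into "run whatever the attacker served": the TLS client verifies the server certificate, and the update itself carries a signature that is checked against a key shipped inside the application before anything is executed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// UpdateManifest is a constructed, hypothetical format: the publisher signs
// the version plus the SHA-256 of the installer, and the client verifies the
// signature with a public key compiled into the application. A fake update
// server (reached via DNS or ARP spoofing) cannot produce a manifest that
// passes this check without the publisher's private key.
type UpdateManifest struct {
	Version       string
	InstallerHash [32]byte
}

// bytes is the exact byte string that gets signed; the fixed prefix keeps the
// signature from being reusable for some other message type.
func (m UpdateManifest) bytes() []byte {
	return append([]byte("example-update-manifest-v1|"+m.Version+"|"), m.InstallerHash[:]...)
}

// SignManifest runs on the publisher's release machine (hypothetical step).
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

var (
	ErrBadSignature = errors.New("update manifest signature invalid")
	ErrHashMismatch = errors.New("installer hash does not match signed manifest")
)

// VerifyUpdate is the client-side check: first the manifest signature against
// the pinned publisher key, then the downloaded installer against the hash
// inside the signed manifest. Both must pass before the installer is run.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, sig, installer []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(installer) != m.InstallerHash {
		return ErrHashMismatch
	}
	return nil
}

// NewUpdateHTTPClient returns a client that authenticates the update server's
// certificate (InsecureSkipVerify stays false, which is Go's default) and
// refuses TLS versions older than 1.2. This closes the plain-HTTP path in
// which a spoofed IP answers as the update host; the manifest signature above
// additionally protects the artifact even if the server itself is compromised.
func NewUpdateHTTPClient() *http.Client {
	return &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				MinVersion:         tls.VersionTLS12,
				InsecureSkipVerify: false,
			},
		},
	}
}

func main() {
	// Constructed key pair and installer; a real client ships only the public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed installer bytes")
	m := UpdateManifest{Version: "9.9.9-example", InstallerHash: sha256.Sum256(installer)}
	sig := SignManifest(priv, m)

	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, installer))
	fmt.Println("swapped installer:", VerifyUpdate(pub, m, sig, []byte("not the signed installer")))
	forged := m
	forged.Version = "9.9.10-example"
	fmt.Println("edited manifest:", VerifyUpdate(pub, forged, sig, installer))
}
```

The two checks are deliberately independent: transport authentication stops a redirected connection from reaching an impostor, and the pinned signing key means that even an impostor who is reached cannot hand the client an installer it will execute. Relying on the channel alone leaves the client exposed whenever certificate validation is misconfigured or disabled; relying on the signature alone still lets an on-path attacker read the traffic, which the principle above treats as public.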
09-23-2008 11:58 PM
ShawnZ
Veteran Member
Posts: 3145 Reputation: 43
Joined: Jan 2003
RE: Mistruth in FAQ
this isn't even an argument.
burningmace: you're right, but still an idiot. the problems you listed aren't application-specific. and if you feel like linking me to the FAQs of all the other programs on your computer saying that they're all 99% bug free except for dns/arp spoofing exploits, then we still don't care. nobody reads the faq and it's close enough.
09-24-2008 12:10 AM