
Pages: (3): « First [ 1 ] 2 3 » Last »
Mistruth in FAQ
Author: Message:
Burningmace
Junior Member
Posts: 20
Joined: Sep 2008
O.P. Mistruth in FAQ
On the site's FAQs page under the Privacy section (http://www.msgplus.net/help/faq/privacy/#open-port) the following is stated:

quote:
No, there is no way Messenger Plus! could have any security flaw that would let non-allowed software connect to your computer. The reason is quite simple: Messenger Plus! does not directly open any network port on your machine, the only exception being the External Mail feature that connects to the mail server of your choice. Every other feature of Messenger Plus! that uses your internet connection goes through normal HTTP requests sent by the Wininet library of Windows.

This is technically incorrect for several reasons:

1) Despite the developers' best efforts, there is no way to say 100% that the Messenger Plus! application contains no exploitable code (in the form of buffer overruns, etc). User input is accepted from a whole pile of sources that could be controlled by an attacker. What if someone uses an ARP/DNS spoof to man-in-the-middle your connection to the update service? Your box is owned. What if a vulnerability is found in the sound player code and someone sends a malformed audio sample that causes this vulnerability to be exploited in order to execute malicious code? Your box is owned.
2) There is no way to say that the Wininet library is 100% secure. Windows has had vulnerabilities before, and it still does.
3) Messenger Plus does directly open a network port! It may not open a port for listening, but if it's connecting to the update feature or talking to the messenger service it has an open connection that uses a local port. That means that the connection can be hijacked by an attacker and there is nothing you can do to stop it. On the one hand it is likely that they will not be able to do anything useful, but on the other it doesn't mean that the possibility is not there for an attacker to manipulate data and cause problems.

I propose that this section of the FAQ be rewritten to more accurately represent reality. It doesn't have to be technical and wordy, but it should definitely represent the reality of software security. In fact this covers the developers: as the FAQ states that the software is 100% secure, if someone goes on to find a vulnerability and exploit it, causing $10m of damage to a corporate network, then you're up a creek without a paddle in a court of law. In layman's terms: you get owned.

I'm not saying tell everyone that if they install your software they're gonna get hacked and people are going to steal their credit card numbers, but more warn them that as with all software, despite your best efforts there may be exploitable bugs that have not been identified and fixed. So while it is very very very unlikely that someone would hack them through Plus! it is still technically a possibility.

Discussion and positive criticism appreciated, flaming is not.

Cheers,
Burningmace
09-23-2008 07:46 PM
matty
Scripting Guru
Posts: 8336
Reputation: 109
39 / Male
Joined: Dec 2002
Status: Away
RE: Mistruth in FAQ
While ARP poisoning is possible when doing HTTP requests (to man-in-the-middle them), the section of the FAQ is referring to the fact that no ports are opened on your computer (with the exception of the email port) which would potentially open your computer to risks. All information between Plus! and the web server is HTTP traffic, therefore no additional ports are opened on your computer.
09-23-2008 08:09 PM
Burningmace
Junior Member
Posts: 20
Joined: Sep 2008
O.P. RE: Mistruth in FAQ
That does not mean that exploits cannot and will not be found in the Wininet library or the code in Plus! that handles received data from this HTTP socket. Furthermore, the FAQ does not specify this; it states blanket security due to the fact that NO ports are opened to the internet, which is not true.
09-23-2008 08:15 PM
matty
Scripting Guru
Posts: 8336
Reputation: 109
39 / Male
Joined: Dec 2002
Status: Away
RE: Mistruth in FAQ
How is it not true?
quote:
Originally posted by Burningmace
Messenger Plus! does not directly open any network port on your machine, the only exception being the External Mail feature that connects to the mail server of your choice.
I guess in the overall picture a local port is opened for the 3-way handshake and communication with the server, and closed thereafter. I agree with you in the sense that the wording should be changed; however, Plus! doesn't keep a port open, it closes it (as do many applications) when it is finished using it.

And what can be stolen from ARP poisoning someone using Plus!? What sound they are sending? The information doesn't contain anything valuable and it is hard to hack via HTTP requests.
09-23-2008 08:32 PM
Burningmace
Junior Member
Posts: 20
Joined: Sep 2008
O.P. RE: Mistruth in FAQ
I meant more in the way of an attacker manipulating the packets in order to exploit a vulnerability in either the Wininet library or in Plus! itself. It does not matter that the connection closes at the end of the request, as a man-in-the-middle attack using ARP/DNS spoofing allows the attacker to manipulate both sides of the connection (client end and server end) for the entire duration of the connection.

The sound reference was regarding hypothetical vulnerabilities in the sound library. If a vulnerability was found it would not be hard to send a malformed sample that exploited the vulnerability directly to the server, thus owning the client box.

Edit: Furthermore, there is no way to tell if someone has ARP spoofed your update connection in order to download malware to your machine. Even if you force people to download directly from your website (open their browser to the URL of the update page) an attacker can just spoof the DNS and host a fake page himself that contains a Plus! installer with malware attached.

This post was edited on 09-23-2008 at 09:12 PM by Burningmace.
09-23-2008 09:00 PM
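The exchange above is about an update check that goes out as a plain HTTP request and can be redirected by an on-path attacker. The following is an added example, not code from Messenger Plus! or from anyone in this thread, that models that situation with two constructed "servers" (the vendor's and a spoofing attacker's) and two client behaviours: a naive client that runs whatever bytes arrive, and one that refuses any installer whose SHA-256 does not match a digest obtained out-of-band. The installer bytes, the `/update/setup.exe` path and the pinned digest are all made up for the demo; the real Plus! update protocol is not known here. A pinned digest stands in for a code signature only because Python's standard library has no asymmetric-signature primitive.

```python
"""
Added example (not Messenger Plus! code): why an unauthenticated HTTP update
download can be hijacked by DNS/ARP spoofing, and the check that stops it.
Everything below is constructed for the demo.
"""
import hashlib
import hmac

# Constructed stand-ins for the vendor's installer and an attacker's copy with
# malware attached (the scenario described in the post above).
GENUINE_INSTALLER = b"MSGPLUS-SETUP\x00genuine installer bytes (constructed)"
MALICIOUS_INSTALLER = b"MSGPLUS-SETUP\x00installer with malware attached (constructed)"

# Digest of the genuine installer, assumed to have reached the client over a
# channel the attacker does not control (e.g. baked into the already-installed
# version, or fetched over TLS). On Windows the real-world equivalent is an
# Authenticode signature check on the downloaded file.
PINNED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()

UPDATE_PATH = "/update/setup.exe"  # hypothetical path, not the real one


def honest_server(path: str) -> bytes:
    """The vendor's HTTP server (constructed)."""
    if path == UPDATE_PATH:
        return GENUINE_INSTALLER
    raise FileNotFoundError(path)


def mitm_server(path: str) -> bytes:
    """What the client reaches once DNS or ARP has been spoofed: the attacker
    answers the same request with their own file. The client cannot tell the
    difference from the transport alone, which is the point made above."""
    if path == UPDATE_PATH:
        return MALICIOUS_INSTALLER
    raise FileNotFoundError(path)


def naive_update_client(fetch) -> bytes:
    """Download over plain HTTP and return whatever came back as the thing
    that would be executed. No integrity check at all."""
    return fetch(UPDATE_PATH)


def pinned_update_client(fetch, expected_sha256: str = PINNED_SHA256) -> bytes:
    """Same untrusted download, but the file is only accepted if its SHA-256
    matches the out-of-band digest. Raises ValueError on mismatch."""
    data = fetch(UPDATE_PATH)
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest is constant-time; unnecessary for a public hash but a
    # harmless habit for any comparison that gates trust.
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError(
            f"installer digest mismatch: got {actual}, expected {expected_sha256}"
        )
    return data


def run_demo() -> dict:
    """Run each client against each server. Returns a mapping of
    (client, server) -> 'installed-genuine' | 'installed-malicious' | 'rejected'."""
    results = {}
    servers = (("honest", honest_server), ("mitm", mitm_server))
    clients = (("naive", naive_update_client), ("pinned", pinned_update_client))
    for server_name, server in servers:
        for client_name, client in clients:
            try:
                data = client(server)
                outcome = ("installed-genuine" if data == GENUINE_INSTALLER
                           else "installed-malicious")
            except ValueError:
                outcome = "rejected"
            results[(client_name, server_name)] = outcome
    return results


if __name__ == "__main__":
    for (client, server), outcome in run_demo().items():
        print(f"{client:6s} client vs {server:6s} server: {outcome}")
```

The naive client installs the attacker's file when the server is spoofed; the pinned client rejects it and still accepts the genuine file. The caveat is the one the post raises about "download it from the website instead": the digest (or signing key) must itself arrive over a channel the attacker cannot spoof, so the first install needs TLS or a signature check against a key already on the machine, and later updates can carry the next digest inside the previously verified build.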
ShawnZ
Veteran Member
Posts: 3146
Reputation: 43
32 / Male
Joined: Jan 2003
RE: Mistruth in FAQ
matty: he didn't say it opened ports, he said it doesn't need to to be exploitable.

burningmace: who the hell says "your box is owned"?

This post was edited on 09-23-2008 at 09:35 PM by ShawnZ.
Spoiler:
the game.
09-23-2008 09:35 PM
Burningmace
Junior Member
Posts: 20
Joined: Sep 2008
O.P. RE: RE: Mistruth in FAQ
quote:
Originally posted by ShawnZ
burningmace: who the hell says "your box is owned"?

Do you mean "who uses that phrase?" or "why does that mean your box is owned?"

To answer both:
Who uses that phrase? - I use that phrase, and so do a lot of people. In fact, Microsoft's own Steve Riley uses it liberally in his presentations at TechEd.

Why does that mean your box is owned? - You have to assume any machine that has had an exploit run on it is completely under the control of the attacker - it is completely and utterly compromised.

I would also like to state that I am not disputing the standard of security in Messenger Plus. I am simply being realistic. I write code every day and I'm 110% sure that somewhere along the line I've written something that can be exploited in some way. I accept that. Any software developer that doesn't accept the fact that somewhere along the line their software or the libraries that it relies on will contain an exploitable bug is, frankly, a moron. What I'm trying to say is that despite the fact that at present there are no known vulnerabilities (with an exception; see note below) in Messenger Plus, there is no way to tell if there are unknown vulnerabilities, and you need to cover yourself from, and inform your users of, such eventualities.

Note regarding vulns - The exception is the obvious, practically unavoidable DNS/ARP spoofing man-in-the-middle attacks on the update socket, that (as far as I am aware in the case of Messenger Plus) has never been performed.

This post was edited on 09-23-2008 at 10:04 PM by Burningmace.
09-23-2008 09:51 PM
riahc4
Veteran Member
Posts: 1073
Reputation: -18
– / Male
Joined: Aug 2004
Status: Away
RE: Mistruth in FAQ
Are you on some drugs?

Plus! doesn't communicate with the Messenger service at all. All of its communications are offline except the update feature (and if you are paranoid you can turn it off and update manually) and the mail feature (which out of the box isn't used).
09-23-2008 10:02 PM
Voldemort
Veteran Member
Posts: 3504
Reputation: 49
– / –
Joined: Jul 2005
Status: Away
RE: Mistruth in FAQ
quote:
Originally posted by riahc4
Plus! doesn't communicate with the Messenger service at all. All of its communications are offline except the update feature (and if you are paranoid you can turn it off and update manually) and the mail feature (which out of the box isn't used).
Not all, what about the sounds!??!?!
*All posts are a purely speculative hypothesis based on abstract reasoning.
Not my daughter, you bitch!
09-23-2008 10:05 PM
Burningmace
Junior Member
Posts: 20
Joined: Sep 2008
O.P. RE: RE: Mistruth in FAQ
quote:
Originally posted by riahc4
Are you some drugs?

Plus! doesn't communicate with the Messenger service at all. All of its communications are offline except the update feature (and if you are paranoid you can turn it off and update manually) and the mail feature (which out of the box isn't used).

I'm sorry if I mis-worded my original post; what I meant was that as long as Plus! communicates with outside sources, it is vulnerable. I didn't mean that Plus! communicates with the Messenger service, I simply stated it as an external source from which user input could come. From what I can figure, the Plus! application parses other users' names for formatting tags (colours, bold, etc.). This means that the parsing code is subject to user input and should be considered as a potential target for exploits. It is unlikely that the parsing algorithm contains any vulnerable code, but it is not impossible.

Furthermore, this doesn't change the fact that the update feature is enabled by default and your average layman wouldn't see any reason to turn it off. It could be exploited, but generally isn't.

The entire point of this topic was NOT to discuss possible security flaws in the application's communications model but to alter the FAQ to more accurately reflect the realities of software security.

quote:
Originally posted by Voldemort
Not all, what about the sounds!??!?!

Unless I am mistaken, only the Plus! server receives these, and it then forwards them to the target client. It is simply another avenue that is a possible target for exploits.

quote:
Originally posted by Voldemort
OH SHAWNZ YOU FOUND ANOTHER MICROSOFT FANBOY!

Firstly, comments like this are counter-productive and somewhat childish. Secondly, the last time I checked referencing a person's mannerisms wasn't considered a reason to be labelled a 'fanboy'. Yes, I primarily use Windows, along with most home computer users in the world. Anyway, I'm not getting into a flame-war with you. Either contribute something useful or leave this thread alone.

This post was edited on 09-23-2008 at 10:14 PM by Burningmace.
09-23-2008 10:11 PM