Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Security Best Practice: Blocking MSN Messenger

Subscribe

Check Point Reference: SBP-2006-20
Date Published:
Severity:
Source: SmartDefense Research Center
Protection Provided by: Security Gateway
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
Who is Vulnerable?
MSN Messenger users
Vulnerability Description
Instant Messaging applications allow communication and collaboration between Internet users using various modes of communication, including instant messages exchange, voice and video, application sharing, white board, file transfer and remote assistance.

Windows Live Messenger, formerly and still commonly known as MSN Messenger or MSN, is a freeware instant messaging client for Microsoft Windows. It is part of Microsoft's Windows Live set of online services.
MSN Messenger Live has many features including offline conversations, the possibility to share files with other users and more.

IPS/SmartDefense allows you to block MSN Messenger or its applications selectively.
Vulnerability Details
Some organizations prefer to prevent their employees from using Instant Messaging applications, since many Instant Messaging applications are prone to multiple vulnerabilities. The impacts of these vulnerabilities could range from modifying data in a victim's friend list, to a denial of service attack, to the execution of malicious code on a victim's system. In addition, Instant Messaging capabilities such as file transfer are a potential source of virus and worm infections.

Instant messaging applications may risk an organization's security in the following ways:
1. Vulnerabilities in IM applications could be exploited to compromise a user's system.  
2. The file transfer capability could be exploited by worms to infect a user's system.
3. Using voice data along with file transfers may result in excessive bandwidth utilization.

Protection Overview
IPS/SmartDefense offers several ways to block MSN Messenger or its applications selectively:

MSN Messenger - General Settings - Configure whether to allow or block unrecognized MSN Messenger commands.

MSN Messenger over MSNMS - MSN messenger can be either blocked completely, or its applications can be selectively blocked (audio, video, file-transfer, application sharing, white-boarding, and remote assistant).

MSN Messenger over SIP - MSN Messenger over SIP traffic can be threatened by Denial of Service and buffer overrun attacks based on protocol malformations, call hijacking (where calls intended for the receiver are redirected to someone else), call theft (where the caller pretends to be someone else), and systems hacking using ports opened for the connection. IPS verifies compliance to Session Initiation Protocol (SIP) RFC 3261. MSN messenger can be either blocked completely, or its applications can be selectively blocked (file-transfer, application sharing, white-boarding, and remote assistant).

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Instant Messengers > MSN messenger over MSNMS.
2. In the right pane, double-click the following protections:

MSN Messenger - General Settings
MSN Messenger - Application
MSN Messenger - Chat
MSN Messenger - Files

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
 4. Install policy on all modules.

To configure MSN Messenger over SIP:
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Instant Messengers.
2. In the right pane, double-click the MSN Messenger over SIP protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
 4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Non Compliant MSNMS
Attack Name: Non Compliant MSNMS
Attack Information:
Control command has changed
Control command is unknown
Non compliant message
Non compliant message. Warning! Inspection stopped.

Messenger - Application
Attack Name: MSNMS Application Content Security violation
Attack Information:
Whiteboard is not allowed by the security policy
Application Sharing is not allowed by the security policy
Remote Assistance is not allowed by the security policy

MSN Messenger - Chat
Attack Name: MSNMS Chat Content Security violation
Attack Information:
Video is not allowed by the security policy
Audio is not allowed by the security policy
Video/Audio is not allowed by the security policy
Instant Messaging is not allowed by the security policy

MSN Messenger – Files
Attack Name: MSNMS Files Content Security violation
Attack Information: File Transfer is not allowed by the security policy

MSN Messenger over SIP
Attack Name: SIP content security violation
Attack Information: Instant Messaging is not allowed by the security policy

VPN-1 NGX R65/R62 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Instant Messengers.
2. Select the following protections:

MSN Messenger over MSNMS
MSN Messenger over SIP

3. In the configuration pane, under Settings > Mode, check Active.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

MSN Messenger over MSNMS
Attack Name: MSN content security violation
Attack Information:
Message is too long
Illegal message length
Illegal command length
MSNMS Content Security violation
MSNMS UTF-8 charset violation
Non compliant message. Warning! Inspection stopped

MSN Messenger over SIP
Attack Name: SIP content security violation
Attack Information: Instant Messaging is not allowed by the security policy