Update: AOL turning off users' Windows Messenger

Internet service provider America Online Inc. (AOL) is taking aggressive steps to combat spam and close a security loophole by turning off a Microsoft Corp. Windows feature that spammers are exploiting to display pop-up messages on users' desktops, AOL said.

AOL used an update of its software to disable the Windows feature without the knowledge or consent of AOL subscribers, raising questions about the ethics of the change.

The feature in question, known as Windows Messenger Service, enables network administrators or network devices to display messages on users' desktops, but has few applications for home users, according to Richard Smith, an independent security expert based in Boston.

Using text commands entered from a command prompt, users can create a pop-up window containing messages on other users' desktops connected over a home network, corporate network or the Internet, Smith said. Spammers discovered the feature a year ago and immediately began using it to barrage unsuspecting users with pop-up messages containing solicitations, he said.

Using Windows Messenger Service has advantages for spammers over e-mail. The spammer's message appears on top of the desktop, without requiring any user action to display it. Even more important, spammers do not need to know any e-mail addresses to get their message out to Windows users, just the IP (Internet Protocol) addresses of Windows machines, Smith said.

AOL call centers began receiving a large number of complaints from users about the pop-up message problem last year, soon after spammers discovered it, said Andrew Weinstein, an AOL spokesman.

"Users were calling us and saying that they didn't know why they were getting them and that there was no way of getting away from them," he said of the messages.

An AOL feature for blocking pop-up Web site advertisements did not stop the Windows Messenger Service pop-ups either, because the Messenger Service pop-ups relied on a different underlying technology, he said.

The company was also swayed in its decision to block the Windows Messenger Service by a recent critical security bulletin from Microsoft concerning a buffer overrun vulnerability in the Windows Messenger Service that could enable a remote attacker to take control of a vulnerable Windows system, Weinstein said.

AOL, which is the Internet unit of Time Warner Inc., began shutting off the feature for customers using Windows NT, 2000 and XP on a rolling basis two weeks ago. The company checks users' machines when they log on to AOL's network to see if Windows Messenger Service is enabled. If the feature is on, AOL disables it, Weinstein said.

So far, 15 million AOL subscribers have had the feature disabled, and AOL is planning to make the change on about 5 million more AOL subscriber machines in the coming weeks. Weinstein did not have a timetable for the remaining changes.

Smith supports the decision to deactivate Windows Messenger Service, but questions AOL's approach to solving the problem.

"Let's just say it's aggressive. It's not something that I would do," Smith said.

Unilaterally disabling services or changing configuration settings can often have an unintended impact on other applications that may rely on them, Smith said. However, he was sympathetic to AOL's predicament as well.