Internet service provider America Online (AOL) is taking aggressive steps to combat spam and closed a security loophole by turning off a Microsoft Corp. Windows feature that spammers are exploiting to display pop-up messages on users' desktops, AOL said.
AOL used an update of its software to disable the Windows feature without the knowledge or consent of AOL subscribers, raising questions about the ethics of the change.
The feature in question, known as Windows Messenger Service, enables network administrators or network devices to display messages on users' desktops, but has few applications for home users, according to Richard Smith, an independent security expert based in Boston.
Using text commands entered from a command prompt, users can create a pop-up window containing messages on other users' desktops connected over a home network, corporate network or the Internet, Smith said. Spammers discovered the feature a year ago and immediately began using it to barrage unsuspecting users with pop-up messages containing solicitations, he said.
Using Windows Messenger Service has advantages for spammers over e-mail. The spammer's message appears on top of the desktop, without requiring any user action to display it. Even more important, spammers do not need to know any e-mail addresses to get their message out to Windows users, just the IP (Internet Protocol) addresses of Windows machines, Smith said.
AOL call centers began receiving a large number of complaints from users about the pop-up message problem last year, soon after spammers discovered it, said Andrew Weinstein, an AOL spokesman.
"Users were calling us and saying that they didn't know why they were getting them and that there was no way of getting away from them," he said of the messages.
An AOL feature for blocking pop-up Web site advertisements did not stop the Windows Messenger Service pop-ups either, because the Messenger Service pop-ups relied on a different underlying technology, he said.
The company was also swayed in its decision to block the Windows Messenger Service by a recent critical security bulletin from Microsoft concerning a buffer overrun vulnerability in the Windows Messenger Service that could enable a remote attacker to take control of a vulnerable Windows system, Weinstein said.
AOL, which is the Internet unit of Time Warner Inc., began shutting off the feature for customers using Windows NT, 2000 and XP on a rolling basis two weeks ago. The company checks users' machines when they log on to AOL's network to see if Windows Messenger Service is enabled. If the feature is on, AOL disables it, Weinstein said.
So far, 15 million AOL subscribers have had the feature disabled, and AOL is planning to make the change on about 5 million more AOL subscriber machines in the coming weeks. Weinstein did not have a timetable for the remaining changes.
Smith supports the decision to deactivate Windows Messenger Service, but questions AOL's approach to solving the problem.
"Let's just say it's aggressive. It's not something that I would do," Smith said.
Unilaterally disabling services or changing configuration settings can often have an unintended impact on other applications that may rely on them, Smith said. However, he was sympathetic to AOL's predicament as well.
"AOL is just reacting to customer complaints. The home user doesn't understand what's going on and the one place they're gong to go to complain is the company they have a relationship with," he said.
AOL stands firm behind its decision to deactivate Windows Messenger Service.
There was no discussion of the ethics of changing users' Windows configurations without notifying them first, Weinstein said. The online experience of AOL customers was being degraded by the pop-up spam and there was a serious security issue with the service, he said.
The feature can be toggled on and off from the operating system and deactivating it does not require a Windows configuration change, he said. AOL did consult with Microsoft prior to making the change to confirm that there would be no negative repercussions from the change, Weinstein said.
Microsoft could not immediately comment.
AOL has heard from a very small number of users who have asked the company to turn the feature back on, and a large number of users thanking the company for the change. The company will soon be promoting the change and providing its customers with links to content explaining what AOL did and providing them with directions for re-enabling the Messenger Service if they like, Weinstein said.
"We think this was absolutely the right step to take. It was an absolutely 100 percent clear decision," he said.
Microsoft should have moved to deactivate the feature long before AOL did, Smith said.
"This is something that Microsoft should be doing," Smith said. "Once spammers discovered this feature a year ago, Microsoft had a duty to step up to the plate and make it easy to turn this thing off. Instead, they just ignored the issue, put out a couple of techy advisories and let the situation get out of hand."