America Online’s gated Internet community may just have gotten a bit more secure.
On Friday, the company said it had turned off Microsoft’s flawed Windows Messenger service–a data exchange mechanism for networked computers that shouldn’t be confused with the software giant’s instant messaging application–for nearly 15 million of its users over the last two weeks.
Spammers have co-opted the service, which is typically only used to manage networks for businesses, to cause advertisements to pop-up in a gray box on home users’ desktops. Disabling the service is designed to stop the pop-up boxes and also protect users against a flaw in the service that could let attackers control the Windows user’s PC.
“This one was an easy one: It was both a user experience issue and a security threat to our members,” said AOL spokesman Andrew Weinstein. “Turning it off had a negligible impact on our members.”
The move, however, has raised questions about how far Internet service providers should go to secure their users. AOL uses a program to disable the Windows Messenger service when a user logs on to its network. If users want to turn it back on they can either do it themselves or go to an AOL site that will use another program to do it for them.
“I’m definitely for ISPs doing more to protect their piece of the network,” said Pete Lindstrom, research director for consulting company Spire Security. “However, this is a level of intrusiveness that I would be uncomfortable with. It’s pretty risky to be changing the settings on a customers’ computer without permission.”
AOL’s Weinstein said the company wouldn’t often take steps like this one. The case is a rare one, he said, because the benefits greatly outweigh the costs.
“We would be hesitant to do anything that isn’t as clear-cut as this,” he said. “We encourage our users to update their patches and we have a security area to do a lot of education on that front.” Microsoft couldn’t immediately be reached for comment.
The two-week effort is the latest in AOL’s battle against online vandals who have used the service to send advertising to its users.
Almost a year ago, AOL started gating off its online community by blocking the digital channels, or ports, that the Messenger feature uses to cause pop-up spam to appear on a person’s PC. The company also offered users a special site where they could click on a single button to have the service turned off.
However, those approaches didn’t completely solve the problems, so AOL decided to go further.
Starting two weeks ago, whenever a user signed onto AOL, a special script ran that turned off the Windows Messenger service. So far, at least 15 million AOL users have had the feature turned off.
“That is definitely being proactive about security,” said Mark Maiffret, chief hacking officer for network protection company eEye Digital Security. “You can’t really knock them for that.”
But he wondered how far AOL would go, and how it would define a threat to it users in the future.
“Are they going to start disabling MSN Messenger because they think that it’s a security vulnerability?” he said. “I don’t know that an Internet provider should be taking it upon themselves to modify their users’ systems.”
