The Spam Report


AOL switches off Microsoft security hole

Windows Messenger hijacked by pop-up ad spammers

By Robert Lemos

Published: 27 October 2003 09:15 GMT

AOL has turned off Microsoft's flawed Windows Messenger service - a data exchange mechanism for networked computers that shouldn't be confused with the software giant's instant-messaging application - for nearly 15 million of its users over the last two weeks.

Spammers have co-opted the service, which is typically only used to manage networks for businesses, to cause advertisements to pop up in a grey box on home users' desktops. By disabling the service, AOL aims to stop the pop-up boxes and also protect users against a flaw in the service that could let attackers control a Windows user's PC.

AOL spokesman Andrew Weinstein said: "This one was an easy one: It was both a user-experience issue and a security threat to our members. Turning it off had a negligible impact on our members."

The move, however, has raised questions about how far internet service providers should go to secure their users. AOL uses a program to disable the Windows Messenger service when a user logs on to its network. If users want to turn it back on, they can either do it themselves or go to an AOL site that will use another program to do it for them.

Pete Lindstrom, research director at consulting company Spire Security, said: "I'm definitely for ISPs doing more to protect their piece of the network. However, this is a level of intrusiveness that I would be uncomfortable with. It's pretty risky to be changing the settings on a customer's computer without permission."

AOL's Weinstein said the company wouldn't often take steps like this one. The case is a rare one, he said, because the benefits greatly outweigh the costs.

"We would be hesitant to do anything that isn't as clear-cut as this," he said. "We encourage our users to update their patches, and we have a security area to do a lot of education on that front."

Microsoft acknowledged there wasn't much reason for home users to have the Windows Messenger service turned on. "It was on by default dating back to Windows NT," said Darin Linnman, a spokesman for the company. "It was one of the features that was left on to support those users."

Linnman said that Microsoft is considering turning the feature off by default in the next service pack, but it hadn't made a decision yet.

AOL's two-week-old effort is the latest in its battle against online vandals who have used the service to send advertising to its users.

Almost a year ago, AOL started gating off its online community by blocking the digital channels, or ports, the Messenger feature uses to cause pop-ups to appear on a person's PC. The company also offered users a special site where they could click on a single button to have the service turned off.

However, those approaches didn't completely solve the problems, so AOL decided to go further. Starting two weeks ago, whenever a user signed onto AOL, a special script ran that turned off the Windows Messenger service. So far, at least 15 million AOL users have had the feature turned off.

Marc Maiffret, chief hacking officer for network protection company eEye Digital Security, said: "That is definitely being proactive about security. You can't really knock them for that."

But he wondered how far AOL would go, and how it would define a threat to its users in the future.

"Are they going to start disabling MSN Messenger because they think that it's a security vulnerability?" he said. "I don't know that an internet provider should be taking it upon themselves to modify their users' systems."

Robert Lemos writes for CNET News.com
