It is patch Tuesday and there is at least one critical that folks should probably pay attention to if they just plain run Windows.
http://www.microsoft.com/technet/security/Bulletin/MS06-035.mspx
Mailslots used to be used quite extensively on Windows and still are in use now. That messenger service, no not that MSN Messenger thing, the one that receives NET SEND messages uses a mailslot called \\.\mailslot\messngr. I wrote a program for Win9x forever ago (in the 90’s) that allowed Win9x machines to receive (but not send) the NET SEND aka Messenger messages so I did look at mailslots a little bit back then.
Things have changed and not as many things are using mailslots anymore but just because you have the messenger service shutdown on your machines don’t think you are safe (unless you have a personal firewall up and are actually blocking RPC traffic which is one of the first things people often open back up). There are other things using mailslots and you can find out yourself on a specific machine in a couple of ways. To find mailslots open right that second you can use handle.exe from sysinternals. A command like
handle -a | grep -i mailslot
will show you all mailslots currently open.
Here is an example of the messenger mailslot
G:\Temp>handle -a | grep -i mailslot
File STDIN:
 1574: File         \Device\Mailslot\messngr
However, just because one second you don’t have any mailslots open doesn’t mean you won’t the next second or the second after. These things are handled like files and have low overhead so are easy to open and close. If you know for sure you aren’t using mailslots, just fire up filemon (again from sysinternals.com) and tell it to only show mailslots. I did that on a Windows XP SP2 machine and on a Windows Server 2003 SP1 DC, both machines patched up to everything as of a week ago and both showed mailslot activity outside of the messenger service. It appears to be old NETLOGON type functions… The mailslot names are things like
These were mailslots that were being created and deleted on the fly. How much exposure does that give you? I don’t know, I haven’t done a comprehensive examination of it, I just happened to take a peek because I recall how heavily used MailSlots used to be used and I know that there is a lot of legacy code doing thing a lot of MSFT people aren’t aware of.
There is another critical but doesn’t have the same impact that I care about generally, it is with the DHCP Client service and involves sending specially formed bad responses to a client who sends DHCP requests. I am more of a server guy and you don’t usually set servers up to be DHCP clients, some people do, but I am not one of them except in very small test environments. If you care about DHCP issues check out
http://www.microsoft.com/technet/security/Bulletin/MS06-036.mspx
Â
If you want to see all of the bulletins check out
http://www.microsoft.com/technet/security/bulletin/ms06-Jul.mspx
Â
All of that just to say… TEST TEST TEST!, then PATCH PATCH PATCH!
 joe
Â
