Thursday, September 3, 2009

WMP & Outlook Express on Win2k3 - Why?

I recently set out to harden a default Windows Server 2003 Standard installation and was surprised to find Outlook Express and Windows Media Player (WMP) installed out of the box, especially given the poor security track record of both.

More surprising still, Microsoft offers no way to remove either of them through Add/Remove Programs. Instead, it documents a convoluted manual procedure for removing Outlook Express and nothing at all for WMP.

I fail to understand the reasoning behind:
  1. installing Outlook Express and WMP by default.
  2. providing no straightforward way to uninstall them.
  3. increasing the server's attack surface with software that has such a long history of vulnerabilities.
  4. what purpose a mail client and a media player serve on a server-class operating system.
I did not want to risk destabilizing the system, so I left Outlook Express and WMP alone. I also applied the three critical updates suggested by Microsoft.
  • MS07-034: Cumulative security update for Outlook Express and for Windows Mail
  • MS08-048: Security update for Outlook Express and Windows Mail
  • MS06-078: Vulnerability in Windows Media Format could allow remote code execution

1 comment:

  1. Hardening a Windows server can be a pain, and identifying and disabling unnecessary, independent services can be a hit-or-miss proposition.

    Fortunately, with regard to OE and WMP, you could simply delete (or rename) the EXEs, which doesn't "break" anything, per se, and should lower the attack surface by preventing their execution. This fix might not stand up to Windows Updates, though, which could possibly re-create the EXE files when a new patch is released. Of course, you could also opt to not update those apps during Windows Updates, or you could run a script that checks for and renames the files on a regular basis.

    I agree these (and others) should be much easier to remove. The difficulty of their removal is a big part of why Microsoft keeps running afoul of anti-trust regulators, and even the randomized ballot-box selection of browsers doesn't remove anything from the system, it just changes a default app.
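The following script is an added example, not code from the post or from the commenter. It puts the two ideas on this page into one check an administrator can schedule on the server: it reports (or, with -Disable, renames) the Outlook Express and WMP executables as the comment suggests, so a binary that reappears on a later run shows that a patch or Windows File Protection restored it, and it verifies through WMI that the three updates the post lists are actually installed. The install paths under %ProgramFiles% and the bulletin-to-KB mapping are assumptions; confirm the KB numbers against each bulletin for your WMP version before relying on them. Note that renaming wmplayer.exe does not remove the Windows Media Format runtime that MS06-078 patches, which is why the update check runs regardless of whether the binaries are present.

```powershell
# Added example (not from the post or the comment): report or disable the
# Outlook Express / Windows Media Player binaries on Windows Server 2003 and
# verify the three security updates the post lists. Uses only PowerShell 1.0
# features (Get-WmiObject rather than Get-HotFix, no -join). Run elevated.
param(
    [switch]$Disable   # rename the binaries instead of only reporting them
)

# Default install locations (assumption; adjust if %ProgramFiles% differs).
$targets = @(
    @{ Name = "Outlook Express";      Path = (Join-Path $env:ProgramFiles "Outlook Express\msimn.exe") },
    @{ Name = "Windows Media Player"; Path = (Join-Path $env:ProgramFiles "Windows Media Player\wmplayer.exe") }
)

# Bulletin -> KB mapping for Server 2003 (assumed; verify against each bulletin,
# MS06-078 in particular ships a different KB per Windows Media Player version).
$requiredKBs = @{
    "MS07-034" = "KB929123"
    "MS08-048" = "KB951066"
    "MS06-078" = "KB923689"
}

function Get-InstalledHotfixIds {
    # Win32_QuickFixEngineering lists installed hotfixes as "KBnnnnnn" strings.
    Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }
}

function Test-RequiredUpdates($kbMap, $installed) {
    # Returns the bulletins whose KB is not present in the installed list.
    $missing = @()
    foreach ($bulletin in $kbMap.Keys) {
        $kb = $kbMap[$bulletin]
        if ($installed -notcontains $kb) { $missing += "$bulletin ($kb)" }
    }
    return $missing
}

function Disable-Binary($target) {
    # Rename foo.exe to foo.exe.disabled so it cannot be launched. A fresh
    # foo.exe next to an existing .disabled copy means something restored it.
    $path = $target.Path
    $disabled = "$path.disabled"
    if (Test-Path $path) {
        if (Test-Path $disabled) {
            Write-Output "RESTORED $($target.Name): $path reappeared since last run"
            Remove-Item $disabled -Force
        }
        Rename-Item -Path $path -NewName (Split-Path -Leaf $disabled)
        Write-Output "renamed  $path -> $disabled"
    } elseif (Test-Path $disabled) {
        Write-Output "ok       $($target.Name) already disabled"
    } else {
        Write-Output "absent   $path"
    }
}

# 1. Report or disable the binaries.
foreach ($t in $targets) {
    if ($Disable) {
        Disable-Binary $t
    } else {
        $state = if (Test-Path $t.Path) { "PRESENT" } else { "absent " }
        Write-Output "$state  $($t.Name): $($t.Path)"
    }
}

# 2. Verify the updates. @() keeps an empty result an array, so .Count is 0.
$missing = @(Test-RequiredUpdates $requiredKBs (Get-InstalledHotfixIds))
if ($missing.Count -eq 0) {
    Write-Output "all listed updates are installed"
} else {
    Write-Output ("MISSING updates: " + [string]::Join(", ", $missing))
}
```

Run it without arguments first to see what is present and which updates are missing; run it with -Disable from a scheduled task if you decide to follow the commenter's approach, and treat any RESTORED line as a signal to re-check the update state, since whatever put the binary back may also have changed its version.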