NEW YORK (11/06/2003) - The U.S. Federal Trade Commission (FTC) has filed suit against a company that allegedly exploited a vulnerability in Microsoft Corp.'s Windows system by using a feature intended for administrative alerts to barrage users with pop-up ads.
The tactic involved the Windows Messenger Service, a software feature distinct from Microsoft's similarly named MSN Messenger and Windows Messenger instant-messaging applications. The Messenger Service is part of the Windows XP and Windows 2000 operating systems, and allows network administrators to send messages to users, such as notifications about the status of print jobs.
The feature proved problematic as external parties figured out how to hijack the Messenger Service and use it to send unsolicited information like ads to Internet-connected computers. The company targeted by the FTC, San Diego-based D Squared Solutions LLC, used Messenger Service to flash ads touting its pop-up blocking software, which it sold for US$25 to $30, according to the FTC's complaint.
Because D Squared created a problem specifically so it could sell a solution to the problem, its business model boiled down to, "I'll beat you and I'll stop beating you if you pay," said FTC Bureau of Consumer Protection Director Howard Beales during a press conference on Thursday. "We call that extortion, and it's not any different in the high-tech world," Beales said.
The FTC filed a sealed complaint against D Squared on Oct. 30 in the U.S. District Court for the Northern District of Maryland, which granted a temporary restraining order against D Squared. The complaint was unsealed Wednesday. It charges D Squared and two of its officers with unfair use of Windows Messenger Service and with unfair attempts to coerce consumers into purchasing D Squared's software.
Those officers could not be reached for comment.
The FTC seeks to prevent D Squared from advertising through Windows Messenger Service, and to bar it from selling to others the software it developed to take advantage of the service. The FTC also seeks to recover all of D Squared's revenue from its exploit. Beales said the FTC is still determining how much D Squared took in, but he estimated the total at several hundred thousand dollars.
Microsoft has already taken steps to address the unintended spam side-effects of its Windows Messenger Service. The company advises home users to disable the feature, and both Microsoft and the FTC have instructions posted on their Web sites on how to turn it off, at http://www.microsoft.com/WindowsXP/pro/using/howto/communicate/stopspam.asp and http://www.ftc.gov/bcp/conline/pubs/alerts/popalrt.htm. In an upcoming service pack, Microsoft plans to disable by default the Windows Messenger Service and to activate firewall software that can protect users from third-party intrusions on their system.
The FTC's Beales did not chastise Microsoft for the software vulnerability. When the problem arose, Microsoft responded appropriately by advising customers on how to fix it, he said. Beales encouraged consumers with broadband Internet connections to stay alert for software updates and patches, and to install hardware or software firewalls to help protect against attacks.
America Online Inc. (AOL) also took steps to address the Windows Messenger Service loophole, using a recent update of its software to disable the Windows feature on its subscribers' computers. One consumer targeted by D Squared turned to AOL for help in solving the problem after she grew frustrated by an onslaught of D Squared's ads.
"I was receiving these pop-up messages very frequently. At one point it seemed like they were appearing almost every 10 minutes on my screen," said Karen McKechnie, of Annandale, Virginia, during the FTC's press conference. She filed a complaint with the FTC and called AOL, which helped her disable the messaging service.
"My concern is that this should not be allowed. The people who are sending these messages are infringing on my rights and everyone else's rights to use your computer," McKechnie said.
Because the Messenger Service spam problem only affects Internet-connected computers running specific versions of Windows without a firewall, it wasn't as widespread an issue as other unsolicited advertising gluts, like e-mail spam. Still, at least one other company had licensed D Squared's software and used it to send ads, Beales said, indicating that further FTC actions could be forthcoming.
"We can't comment on investigations, but I would think that anybody that was using this (advertising) technology should pay attention today," he said. "What consumers ought to do now that they understand the problem is fix it. It's not hard to turn off."