Alert: Microsoft Tries To Head Off MSN Messenger Attack - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News
News
2/11/2005
05:49 PM
50%
50%

Alert: Microsoft Tries To Head Off MSN Messenger Attack

To head off a widespread, invisible attack, Microsoft Friday went proactive, locking out all accounts and making updates mandatory for users of its vulnerable MSN Messenger.

Microsoft Friday locked out all users of its vulnerable instant messaging client, MSN Messenger, in an attempt to prevent an exploit from invisibly sweeping through PCs running the software.

The move came just three days after Microsoft first disclosed a vulnerability in MSN Messenger, and the security firm that discovered the flaw posted proof-of-concept code. That proof-of-concept, Microsoft claimed, was then used by another, unnamed individual, to create a working exploit.

"Microsoft wants customers to be aware that exploit code is now public and urges them to patch their systems," a company spokeswoman said in an e-mail.

To prevent a widespread attack, Microsoft went proactive and made updates mandatory for MSN Messenger users.

"We have restricted access to the MSN Messenger service to updated versions only," Microsoft wrote in a security bulletin posted on its Web site Friday. "Users who try to sign in with outdated versions are automatically prompted to update their software."

Users with a version of MSN Messenger earlier than 6.2.0205 must update to that edition, or the beta of MSN Messenger 7.0, before they're able to log on.

The vulnerability is insidious, according to Boston-based Core Security Technologies, the company that uncovered the bug and first alerted Microsoft in August 2004.

All that's necessary to trigger a buffer overflow vulnerability in a computer running MSN Messenger is a specially-crafted buddy icon, Core claimed. Once the buffer overflow's generated, the hacker could "surreptitiously take over machines running the instant messaging software. The attack would travel through the established chat session and would pass unnoticed by firewalls, network intrusion detection systems, and even host-based personal firewalls and anti-virus software."

"This is a critical security flaw since it directly affects more than 130 million users and because the attack is very likely to go unnoticed by the several layers of security countermeasures commonly used today," said Ivan Arce, the chief of technology at Core, in a statement earlier this week.

Microsoft blasted Core for publishing proof-of-concept code on its Web site Tuesday, the same day Microsoft made public the flaw and urged users to update MSN Messenger. Core's proof-of-concept included a malformed image file that would compromise vulnerable PCs.

"Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk," it said in the advisory.

"This kind of action really is not good for customers and goes against industry standards," the spokeswoman said.

Besides blocking vulnerable versions of MSN Messenger, Microsoft also updated its instructions for both individuals and enterprises on protecting systems from the exploit.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
Slideshows
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
Commentary
Is Cloud Migration a Path to Carbon Footprint Reduction?
Joao-Pierre S. Ruth, Senior Writer,  10/5/2020
News
IT Spending, Priorities, Projects: What's Ahead in 2021
Jessica Davis, Senior Editor, Enterprise Apps,  10/2/2020
Register for InformationWeek Newsletters
Video
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll