Alert: Microsoft Tries To Head Off MSN Messenger Attack - InformationWeek
05:49 PM


To head off a widespread, invisible attack, Microsoft Friday went proactive, locking out all accounts and making updates mandatory for users of its vulnerable MSN Messenger.

Microsoft Friday locked out all users of its vulnerable instant messaging client, MSN Messenger, in an attempt to prevent an exploit from invisibly sweeping through PCs running the software.

The move came just three days after Microsoft first disclosed a vulnerability in MSN Messenger, and the security firm that discovered the flaw posted proof-of-concept code. That proof-of-concept, Microsoft claimed, was then used by another, unnamed individual to create a working exploit.

"Microsoft wants customers to be aware that exploit code is now public and urges them to patch their systems," a company spokeswoman said in an e-mail.

To prevent a widespread attack, Microsoft went proactive and made updates mandatory for MSN Messenger users.

"We have restricted access to the MSN Messenger service to updated versions only," Microsoft wrote in a security bulletin posted on its Web site Friday. "Users who try to sign in with outdated versions are automatically prompted to update their software."

Users with a version of MSN Messenger earlier than 6.2.0205 must update to that edition, or the beta of MSN Messenger 7.0, before they're able to log on.
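The enforcement described above is a service-side version gate: a client announces its build at sign-in, and anything older than the floor is refused and told to update. The snippet below is an added illustration of that check, written for this article and not Microsoft's code; the floor 6.2.0205 and the acceptance of the 7.0 beta come from the article, while the other version strings are constructed samples. It compares versions numerically (so that "6.10" ranks above "6.2" and "0205" equals "205") and fails closed on anything it cannot parse, which is the behaviour a defender wants from a gate like this.

```python
import re
from typing import Dict, Iterable, Tuple

# Oldest build the service still accepts (from the article). The 7.0 beta
# is also accepted simply because it compares higher than this floor.
MINIMUM_ALLOWED = "6.2.0205"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted client version such as '6.2.0205' or '7.0 beta' into a
    tuple of integers. Comparing the raw strings would be wrong: '6.10' sorts
    below '6.2' lexicographically, and '0205' would not equal '205'.
    """
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*(?:beta)?\s*", version, re.IGNORECASE)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Right-pad the shorter tuple with zeros so '7.0' and '6.2.0205' compare
    component by component ('7.0' becomes (7, 0, 0))."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def is_update_required(client_version: str, minimum: str = MINIMUM_ALLOWED) -> bool:
    """True when the client is older than the floor. An unparseable or
    missing version is treated as outdated (fail closed) rather than let in."""
    try:
        client = parse_version(client_version)
    except ValueError:
        return True
    client, floor = _padded(client, parse_version(minimum))
    return client < floor


def sign_in_decision(client_version: str) -> str:
    """Decision the service returns for one sign-in attempt."""
    return "prompt_update" if is_update_required(client_version) else "allow"


def gate_sign_ins(attempts: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Apply the gate to (account, reported_version) pairs; returns the
    decision per account."""
    return {account: sign_in_decision(version) for account, version in attempts}


if __name__ == "__main__":
    # Constructed sample sign-in attempts (account names and most versions are
    # made up; only 6.2.0205 and the 7.0 beta are taken from the article).
    sample_attempts = [
        ("alice@example.invalid", "6.2.0205"),   # exactly the floor: allowed
        ("bob@example.invalid", "7.0 beta"),     # newer beta: allowed
        ("carol@example.invalid", "6.2.0137"),   # older build: must update
        ("dave@example.invalid", "6.1.0211"),    # older minor: must update
        ("erin@example.invalid", "unknown"),     # unparseable: fail closed
    ]
    for account, decision in gate_sign_ins(sample_attempts).items():
        print(f"{account:28} -> {decision}")
```

The two details worth copying into any real gate are the numeric comparison and the fail-closed default: a string compare would let a hypothetical 6.10 build be judged older than 6.2, and an empty or malformed version header should never be treated as "new enough".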

The vulnerability is insidious, according to Boston-based Core Security Technologies, the company that uncovered the bug and first alerted Microsoft in August 2004.

All that's necessary to trigger a buffer overflow vulnerability on a computer running MSN Messenger is a specially crafted buddy icon, Core claimed. Once the buffer overflow is triggered, the hacker could "surreptitiously take over machines running the instant messaging software. The attack would travel through the established chat session and would pass unnoticed by firewalls, network intrusion detection systems, and even host-based personal firewalls and anti-virus software."

"This is a critical security flaw since it directly affects more than 130 million users and because the attack is very likely to go unnoticed by the several layers of security countermeasures commonly used today," said Ivan Arce, the chief of technology at Core, in a statement earlier this week.

Microsoft blasted Core for publishing proof-of-concept code on its Web site Tuesday, the same day Microsoft made public the flaw and urged users to update MSN Messenger. Core's proof-of-concept included a malformed image file that would compromise vulnerable PCs.

"Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk," it said in the advisory.

"This kind of action really is not good for customers and goes against industry standards," the spokeswoman said.

Besides blocking vulnerable versions of MSN Messenger, Microsoft also updated its instructions for both individuals and enterprises on protecting systems from the exploit.
