Alert: Microsoft Tries To Head Off MSN Messenger Attack - InformationWeek

To head off a widespread, invisible attack, Microsoft Friday went proactive, locking out all accounts and making updates mandatory for users of its vulnerable MSN Messenger.

Microsoft Friday locked out all users of its vulnerable instant messaging client, MSN Messenger, in an attempt to prevent an exploit from invisibly sweeping through PCs running the software.

The move came just three days after Microsoft first disclosed a vulnerability in MSN Messenger and the security firm that discovered the flaw posted proof-of-concept code. That proof-of-concept, Microsoft claimed, was then used by another, unnamed individual to create a working exploit.

"Microsoft wants customers to be aware that exploit code is now public and urges them to patch their systems," a company spokeswoman said in an e-mail.

To prevent a widespread attack, Microsoft went proactive and made updates mandatory for MSN Messenger users.

"We have restricted access to the MSN Messenger service to updated versions only," Microsoft wrote in a security bulletin posted on its Web site Friday. "Users who try to sign in with outdated versions are automatically prompted to update their software."

Users with a version of MSN Messenger earlier than 6.2.0205 must update to that edition, or the beta of MSN Messenger 7.0, before they're able to log on.

The vulnerability is insidious, according to Boston-based Core Security Technologies, the company that uncovered the bug and first alerted Microsoft in August 2004.

All that's necessary to trigger a buffer overflow vulnerability in a computer running MSN Messenger is a specially crafted buddy icon, Core claimed. Once the buffer overflow is triggered, the hacker could "surreptitiously take over machines running the instant messaging software. The attack would travel through the established chat session and would pass unnoticed by firewalls, network intrusion detection systems, and even host-based personal firewalls and anti-virus software."

"This is a critical security flaw since it directly affects more than 130 million users and because the attack is very likely to go unnoticed by the several layers of security countermeasures commonly used today," said Ivan Arce, the chief of technology at Core, in a statement earlier this week.

Microsoft blasted Core for publishing proof-of-concept code on its Web site Tuesday, the same day Microsoft made public the flaw and urged users to update MSN Messenger. Core's proof-of-concept included a malformed image file that would compromise vulnerable PCs.

"Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk," it said in the advisory.

"This kind of action really is not good for customers and goes against industry standards," the spokeswoman said.

Besides blocking vulnerable versions of MSN Messenger, Microsoft also updated its instructions for both individuals and enterprises on protecting systems from the exploit.
