Microsoft on Friday locked out all users of its vulnerable instant messaging client, MSN Messenger, in an attempt to prevent an exploit from invisibly sweeping through PCs running the software.
The move came just three days after Microsoft first disclosed a vulnerability in MSN Messenger and the security firm that discovered the flaw posted proof-of-concept code. That proof-of-concept, Microsoft claimed, was then used by another, unnamed individual to create a working exploit.
"Microsoft wants customers to be aware that exploit code is now public and urges them to patch their systems," a company spokeswoman said in an e-mail.
To prevent a widespread attack, Microsoft went proactive and made updates mandatory for MSN Messenger users.
"We have restricted access to the MSN Messenger service to updated versions only," Microsoft wrote in a security bulletin posted on its Web site Friday. "Users who try to sign in with outdated versions are automatically prompted to update their software."
Users with a version of MSN Messenger earlier than 6.2.0205 must update to that edition, or the beta of MSN Messenger 7.0, before they're able to log on.
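The version gate described in the bulletin (reject sign-ins from clients older than 6.2.0205 and prompt them to update) is a small but easy-to-get-wrong piece of server-side logic, because build strings such as "6.2.0205" must be compared numerically, not lexically, and anything unparseable should fail closed. The following is an added illustration of such a gate, not Microsoft's code; the 7.0 build string and the client list are constructed sample values, and the response fields are assumptions about what a gateway would return.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Minimum client build that may sign in, taken from the bulletin: 6.2.0205.
MIN_VERSION = (6, 2, 205)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a dotted build string such as '6.2.0205' into a comparable tuple.

    Only purely numeric dotted strings with up to three components are accepted.
    Anything else (tampered header, empty string, trailing junk) yields None so the
    caller can treat the version as unknown rather than guessing.
    """
    if not re.fullmatch(r"\d+(?:\.\d+){0,2}", text):
        return None
    parts = [int(p) for p in text.split(".")]  # int('0205') == 205
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def sign_in_decision(client_version: str) -> Dict[str, object]:
    """Decide whether a client may sign in.

    Outdated and unrecognised versions are both refused and told to update;
    failing closed on an unparseable string means a client cannot bypass the
    gate by sending a malformed version.
    """
    parsed = parse_version(client_version)
    if parsed is None:
        return {"allowed": False, "action": "update_required",
                "reason": "unrecognised version string"}
    if parsed < MIN_VERSION:
        return {"allowed": False, "action": "update_required",
                "reason": f"{client_version} is older than 6.2.0205"}
    return {"allowed": True, "action": "none", "reason": "client is current"}


def gate_report(versions: Iterable[str]) -> Dict[str, bool]:
    """Summarise which of a batch of client version strings would be admitted."""
    return {v: bool(sign_in_decision(v)["allowed"]) for v in versions}


if __name__ == "__main__":
    # Constructed sample of version strings as a sign-in gateway might see them.
    sample_clients = ["6.2.0205", "6.1.0211", "7.0.0100", "6.2", "6.2.0205; extra"]
    for version, allowed in gate_report(sample_clients).items():
        print(f"{version!r:20} -> {'allow' if allowed else 'prompt to update'}")
```

Tuple comparison handles the build-number ordering that a plain string comparison would get wrong (for example "6.10" versus "6.9"), and the explicit zero-padding makes a two-component string like "6.2" compare as 6.2.0000, which is below the required build and therefore blocked.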
The vulnerability is insidious, according to Boston-based Core Security Technologies, the company that uncovered the bug and first alerted Microsoft in August 2004.
All that's necessary to trigger a buffer overflow in a computer running MSN Messenger is a specially crafted buddy icon, Core claimed. Once the overflow is triggered, an attacker could "surreptitiously take over machines running the instant messaging software. The attack would travel through the established chat session and would pass unnoticed by firewalls, network intrusion detection systems, and even host-based personal firewalls and anti-virus software."
"This is a critical security flaw since it directly affects more than 130 million users and because the attack is very likely to go unnoticed by the several layers of security countermeasures commonly used today," said Ivan Arce, the chief of technology at Core, in a statement earlier this week.
Microsoft blasted Core for publishing proof-of-concept code on its Web site Tuesday, the same day Microsoft made public the flaw and urged users to update MSN Messenger. Core's proof-of-concept included a malformed image file that would compromise vulnerable PCs.
"Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk," it said in the advisory.
"This kind of action really is not good for customers and goes against industry standards," the spokeswoman said.
Besides blocking vulnerable versions of MSN Messenger, Microsoft also updated its instructions for both individuals and enterprises on protecting systems from the exploit.