May 9th, 2002, 10:12 PM
MSN Flaw (Again)
- Users of the latest versions of Microsoft's popular MSN Messenger program are vulnerable to computer hackers, the company warned on Wednesday.
The "critical" flaw in the Internet-based program, which has millions of users, is the latest serious security flaw to be discovered in a program from the world's dominant software company.
Microsoft said hackers could exploit the vulnerability to run their own malicious commands on a user's computer.
Affected is a feature that allows users to gather in a single virtual location or "chat room" to exchange messages across the Internet in near real time.
The affected software includes Microsoft MSN Chat Control, Microsoft MSN Messenger versions 4.5 and 4.6, and Microsoft Exchange Instant Messenger 4.5 and 4.6.
Microsoft has been trying to make inroads into the market, which is dominated by AOL's Instant Messenger.
The vulnerability was discovered as Microsoft undergoes an intensive companywide campaign to stamp out security problems, an effort ordered by chairman and chief software architect, Bill Gates (news - web sites).
The Redmond, Wash.-based software maker issued a critical security bulletin to users advising them to upgrade by visiting an MSN Chat site and downloading an upgraded new chat control, or by upgrading on the site to the latest version of MSN Messenger or Exchange Instant Messenger.
The company said that to its knowledge no user had been hacked via the flaw, Microsoft Security Program Manager Christopher Budd said, though he cautioned users not to be complacent about downloading the upgrades.
The chat control feature is not automatically included in Windows Messenger, which is installed with the XP version of Windows, Microsoft's flagship operating system.
Budd said it is automatically included only in the two latest versions of MSN Messenger, which has some 46 million users. The first of those versions was released last October.
Microsoft was informed of the flaw by a security firm about a month ago but did not disclose it until late Wednesday because it was developing the fixes or "patches" for customers to download, Budd said.
"Software always will have flaws," Budd said. "We always do our best to ensure we do not have flaws or vulnerabilities, but while we strive for perfection, we know we're not always going to achieve perfection."
Gates announced a "Trustworthy Computing" initiative in January after a series of embarrasing security incidents involving Microsoft software that prompted criticism the software giant had been giving security short shrift as it piled new feature upon new user-friendly feature in its operating systems.
The most serious was a vulnerability affecting a Web server program included in corporate Windows operating systems.
That flaw could let a hacker take over someone else's server.
Like the Web server flaw, the newest vulnerability was caused by what is known as a "buffer overflow problem."
Buffer overflows occur when software is programmed to accept information but not given the ability to validate or limit it. That allows hackers to send commands that an operating system is not expecting but that end up in a computer's memory and are executed.
In February, Microsoft warned of an unrelated flaw in MSN Messenger that could allow a hacker to gain access to screen names and e-mail addresses.
God it sux being them....
May 9th, 2002, 10:18 PM
Say it ain't so... buffer overflow... "Security is our main focus, of course we need REALLY strong glasses." -BG
America - Land of the free, home of the brave.
May 9th, 2002, 10:30 PM
May 10th, 2002, 01:55 AM
yeah, lol forgot that. Hope you guys didn't think I wrote that myself :P Also I got it from yahoo.com btw lol! btw, nice avatar k1ll!
May 10th, 2002, 03:37 AM
and this flaw iz MUCH greater since Microsoft has put MSN messenger on EVERY computer running WINDOZE XP. The worse part about MSN messanger being on the system iz u can't uninstall it!
[glowpurple]\"Your Smallest Flaw is my greatest Strength.\" - Me[/glowpurple]
May 10th, 2002, 05:29 AM
aaakk thanks for the heads up.. im wondering.. would i be able to download MS Updates and patches with my Opera??? hahaha
May 10th, 2002, 10:22 AM
and you were all surprised...
May 10th, 2002, 11:59 AM
Hmm.. Im not being a jerk here.. but shouldnt this go to the "Microsoft Security Discussion" section? i mean. there are lots of unorganized threads here in General Chit Chat.. and it would be better if this thread was moved to MS Security Discussion section so it would be properly cataloged for future reference..
but thats just my 2c..
May 10th, 2002, 03:38 PM
sOnIc> Yeah this is supposed to be in microsoft security, but at least he didn't put it in unix security or something
Confirmed_Kill> Did you change your avatar? It stopped blinking like an evil bastard on my computer....
\"Ignorance is bliss....
but only for your enemy\"
May 11th, 2002, 03:22 AM
I admit I should have put it on that forum instead. Sorry.....