Exploit Forces MSN Messenger Upgrade
By David Worthington | Published February 11, 2005, 8:38 PM
Security researchers from Core Security have devised a way to crash MSN Messenger without user interaction simply by selecting a specially crafted Portable Network Graphics (PNG) file as an avatar. In response, Microsoft has begun forcing users to upgrade their software before being able to sign in to its IM network.
The exploit stems from design flaws in a component called "libpng", the library that renders avatar images. Worse still, the exploit has the potential to run arbitrary code on a user's system.
Core Security also stated in its advisory that the attack can pass undetected by front-line security software such as host-based firewalls, antivirus and network intrusion utilities. Essentially, the victim would have no indication that they were being targeted, and their machine could feasibly be used to spread the exploit to everyone on their contact list.
Microsoft released a bulletin covering the vulnerability late Thursday. The company initially opted to distribute a patch through its usual channels as an optional update, but decided to take "decisive action" after it learned that the exploit was in the wild.
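The article describes the root cause only as a flaw in libpng's handling of a crafted PNG, so as an added illustration (not code from the article, Core Security, Microsoft or libpng) here is the kind of structural validation an image-handling component should apply before trusting any length, dimension or type field read from an untrusted avatar file. The signature, chunk layout, CRC and IHDR field rules come from the PNG specification; the `MAX_DIMENSION` and `MAX_PIXELS` policy limits and all sample files are constructed assumptions for the example.

```python
import struct
import zlib

# From the PNG specification: fixed 8-byte signature, chunk length capped at 2^31-1.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 2**31 - 1
# Hypothetical policy limits an avatar decoder might impose (assumptions, not from the article).
MAX_DIMENSION = 4096
MAX_PIXELS = 4096 * 4096


class PngRejected(ValueError):
    """Raised when a file fails a structural check and must not reach the decoder."""


def parse_png_chunks(data):
    """Walk the chunk stream, checking every length and CRC before a payload is used.

    Returns a list of (chunk_type, payload) pairs up to and including IEND.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise PngRejected("not a PNG: bad signature")
    off = len(PNG_SIGNATURE)
    chunks = []
    while True:
        # Each chunk needs at least length(4) + type(4) + crc(4) bytes of header/trailer.
        if len(data) - off < 12:
            raise PngRejected("truncated: no room for a chunk header at offset %d" % off)
        (length,) = struct.unpack(">I", data[off:off + 4])
        ctype = data[off + 4:off + 8]
        if length > MAX_CHUNK_LEN:
            raise PngRejected("chunk %r length %d exceeds spec maximum" % (ctype, length))
        # The length field is attacker-controlled: bound it by what is actually present
        # before slicing, so a lie in the header can never drive a read past the buffer.
        available = len(data) - off - 12
        if length > available:
            raise PngRejected("chunk %r claims %d bytes but only %d remain" % (ctype, length, available))
        if not all(65 <= c <= 90 or 97 <= c <= 122 for c in ctype):
            raise PngRejected("chunk type %r is not four ASCII letters" % ctype)
        payload = data[off + 8:off + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[off + 8 + length:off + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != stored_crc:
            raise PngRejected("CRC mismatch in chunk %r" % ctype)
        chunks.append((ctype, payload))
        off += 12 + length
        if ctype == b"IEND":
            break
    if chunks[0][0] != b"IHDR":
        raise PngRejected("first chunk is %r, expected IHDR" % chunks[0][0])
    return chunks


def check_ihdr(payload):
    """Validate the image header so later buffer sizes derived from it cannot overflow."""
    if len(payload) != 13:
        raise PngRejected("IHDR must be 13 bytes, got %d" % len(payload))
    width, height, depth, ctype, comp, filt, interlace = struct.unpack(">IIBBBBB", payload)
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        raise PngRejected("dimensions %dx%d outside policy limit" % (width, height))
    if width * height > MAX_PIXELS:
        raise PngRejected("pixel count %d exceeds policy limit" % (width * height))
    # Allowed bit depths per colour type, as listed in the PNG specification.
    allowed_depths = {0: (1, 2, 4, 8, 16), 2: (8, 16), 3: (1, 2, 4, 8), 4: (8, 16), 6: (8, 16)}
    if ctype not in allowed_depths or depth not in allowed_depths[ctype]:
        raise PngRejected("invalid colour type/bit depth %d/%d" % (ctype, depth))
    if comp != 0 or filt != 0 or interlace not in (0, 1):
        raise PngRejected("unknown compression, filter or interlace method")
    return width, height, depth, ctype


def validate_avatar(data):
    """Return (True, "ok") if the bytes pass every check, otherwise (False, reason)."""
    try:
        chunks = parse_png_chunks(data)
        check_ihdr(chunks[0][1])
    except PngRejected as exc:
        return False, str(exc)
    return True, "ok"


def _chunk(ctype, payload, claimed_len=None):
    """Constructed helper: encode one chunk; claimed_len lets a sample lie about its length."""
    length = len(payload) if claimed_len is None else claimed_len
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", length) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png(width=1, height=1):
    """Constructed: a valid 8-bit RGBA PNG of the given size, every pixel transparent black."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(4 * width) for _ in range(height))  # filter byte + pixels
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


# Constructed malformed samples, each breaking one invariant the checks above enforce.
_IHDR_OK = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
SAMPLE_OVERSTATED_LENGTH = (PNG_SIGNATURE + _chunk(b"IHDR", _IHDR_OK)
                            + _chunk(b"IDAT", b"\x00" * 16, claimed_len=0x7FFFFFF0)
                            + _chunk(b"IEND", b""))
SAMPLE_HUGE_IHDR = (PNG_SIGNATURE
                    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 0xFFFFFFFF, 0xFFFFFFFF, 8, 6, 0, 0, 0))
                    + _chunk(b"IEND", b""))
_GOOD = make_minimal_png()
SAMPLE_BAD_CRC = _GOOD[:-1] + bytes([_GOOD[-1] ^ 0x01])  # flip the last byte of IEND's CRC

if __name__ == "__main__":
    for name, sample in [("valid", _GOOD), ("overstated length", SAMPLE_OVERSTATED_LENGTH),
                         ("huge IHDR", SAMPLE_HUGE_IHDR), ("bad CRC", SAMPLE_BAD_CRC)]:
        print(name, "->", validate_avatar(sample))
```

The point of the two-layer check is that a decoder should never size a buffer or advance a pointer from a value it has not first bounded against the bytes it actually holds; the overstated-length sample is rejected before its payload is ever sliced, and the oversized IHDR is rejected before any pixel buffer would be allocated from it.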
Now, MSN Messenger will begin to force a mandatory upgrade before users can sign into the service. Effective late Thursday evening, clients must be updated to either version 6.2.0205 or the MSN Messenger 7 preview release.
Microsoft's internal security experts found that both Windows Media Player and Windows Messenger are affected as well, including Service Pack 2 versions.
I've only had a few problems/issues/bugs with the 7.0 BETA, other than that it's pretty much stable for me but sometimes the file transfer feature is buggy... other than that issue I think it's all fine and they should just release 7.0 FINAL as scheduled.
Score: 0
|Why does the security bulletin say:
"If the Version number reads 6.2.205 or above the update has been successfully installed."
When the correct version is 6.2.0205
Idiots.
Score: 0
|"Why does the security bulletin say:
"If the Version number reads 6.2.205 or above the update has been successfully installed."
When the correct version is 6.2.0205
Idiots."
LMAO you need a life dude - seriously if that sort of thing upsets you....... daym.......
Score: 0
|Did it ever occur to you that maybe... just maybe... they might release other newer versions in the future that might also include the fix?
Messenger 7.0 Betas are NOT vulnerable either, which explains why 6.2.0205 OR LATER is an accurate statement.
Score: 0
|he didn't say it upset him, just asked a reasonable question is all. since they brought it up I am curious as well :) is it just another instance of shoddy coding in the halls of Microsoft?
Score: 0
|I wish they would just quit taking so long to release 7.0.
It's taking forever and a day to get from 6.2 to 7.0.
Come on. With a company that size they should be able to release a new version in like 3 months.
Score: 0
|Have you ever thought maybe they take time because they're working on so many projects at the same time? and I think their main target is Longhorn... MAYBE... I'm not an expert... i guess :D
Score: 0
|I would say that the content of the article answers the question... Why so long? They are also integrating VOIP and Media solutions that you might not use. But, many, many will.
Score: 0
|Yeah but they have many project divisions for that. Longhorn has its own team working on it.
I think it's taking so long because they're checking it for bugs because they don't want any more of them since every time one pops up everyone makes a huge deal about it.
Score: 0
|yes
maybe
Score: 0
|You mean do an Apple and release a new version every couple of weeks?! Introduces more new bugs rather than fixing old bugs
Score: 0
|There are only minor bugs in 7.0 preview, but that's what is stopping a final release.
Also the video (webcam) technology currently used is extremely old and inefficient. *Perhaps* (conspiracy only) they are working on that for 7.0 final. I don't know what will happen to 5.0 users though.
Score: 0
|or perhaps they are just dragging their feet as they always do? :) mayhap so that they can claim they did much but actually did little :)
Score: 0
|ya know what just occurred to me? according to the consent decree handed down by the justice department, longhorn is run from ms's os division whereas messenger is handled under ms's software division...
but wait.. that would imply that microsoft was actually complying with the supreme court ruling... we all know they aren't :) never mind
Score: 0
|Or maybe it is low on their list of priorities because it is a free service as opposed to something someone is paying for
Score: 0
|Maybe they actually want a final version 7.0 to not have this sort of problem after its release. Hey, if they released it today, and Friday a new virus spread using a vulnerability, people would cry about that too: "If only MS would fully test software before releasing it", or whatever. No product is perfect, but MS has a tough job of perfecting software just enough for a final release without releasing a flawed program and without taking so long to perfect that everyone complains.
Score: 0