Re: MSN Messenger Users Be Sure To Read This
- From: "Jack Lowe" <akronjack1982@xxxxxxxxxxxxx>
- To: <jfw@xxxxxxxxxxxxx>
- Date: Sat, 12 Feb 2005 08:08:25 -0500
Thanks David, this was interesting. What's even more interesting is that
I've not had to upgrade anything with MSN. It's Saturday morning, and I've
been able to log in to MSN without being asked to upgrade to another
version. So, where's this alleged MSN upgrade that we all supposedly must
do before we can log on? Jack
----- Original Message -----
From: "david the wild-thing" <d.h.whitehead@xxxxxxxxxxxx>
To: "jfw-list" <jfw@xxxxxxxxxxxxx>
Sent: Saturday, February 12, 2005 7:51 AM
Subject: MSN Messenger Users Be Sure To Read This
> Hi, I no this is off topic, however, I think some people may find this
> interesting.
>
>
>>>> If you've been having problems logging on to MSN Messenger, be sure to
>>>> read this article.
>>>> Ryan Naraine - eWEEK
>>>> Microsoft Corp. on Friday lashed out at two security research firms for
>>>> publishing
>>>> proof-of-concept exploit code for MSN Messenger hours after Microsoft
>>>> for
>>>> the product.
>>>> In one instance, the software giant said malicious hackers have
>>>> modified
>>>> the
>>>> proof-of-concept
>>>> code into an exploit that puts millions of users at risk of code
>>>> execution
>>>> attacks
>>>> that require no user interaction.
>>>> Moving swiftly to blunt an attack, Microsoft has decided to push out
>>>> patched
>>>> versions
>>>> of MSN Messenger as a mandatory update. As of Thursday evening, users
>>>> of
>>>> the
>>>> popular
>>>> instant messaging client must update to MSN Messenger version 6.2.0205
>>>> or
>>>> the MSN
>>>> Messenger 7.0 beta before they are allowed to log on.
>>>> "When the vulnerability was announced this week we initially introduced
>>>> an
>>>> optional
>>>> upgrade and had plans to make the upgrade mandatory," a Microsoft
>>>> spokesperson said.
>>>> "But when we learned that detailed exploit code had been published on
>>>> the
>>>> Internet
>>>> we felt the need to take decisive action."
>>>> According to the exploit code seen by eWEEK.com, an attacker need only
>>>> load
>>>> a malicious
>>>> PNG (Portable Network Graphics) file as a buddy icon to launch an
>>>> attack
>>>> against
>>>> every MSN Messenger user on a buddy list.
>>>> Core Security Technologies, the research company that found and
>>>> reported
>>>> the
>>>> flaw,
>>>> confirmed that the published exploit code could be used to launch blind
>>>> attacks.
>>>> "The target doesn't even have to communicate with the attacker. Once
>>>> the
>>>> attacker
>>>> has the target's MSN Messenger contact on his contact list, he can
>>>> launch an
>>>> attack
>>>> without the target even knowing," said Max Caceres, director of product
>>>> management
>>>> at Core Security.
>>>> Even worse, Caceres told eWEEK.com that the attacker could take control
>>>> of
>>>> the infected
>>>> machine and change the target's display to replicate the attack against
>>>> everyone
>>>> on that buddy list.
>>>> "This could lead to a massive, widespread attack unless all MSN
>>>> Messenger
>>>> users apply
>>>> the upgrades," he said.
>>>> Microsoft late Thursday released a to warn customers of the risk. The
>>>> company also
>>>> provided in a separate notice for both consumer and enterprise MSN
>>>> Messenger
>>>> users.
>>>> Microsoft pinned the blame for the exploit code squarely on the
>>>> shoulders of
>>>> Core
>>>> Security, alleging that the public exploit is based on proof-of-concept
>>>> code
>>>> released
>>>> by the Mass.-based information security firm.
>>>> [Core Security] published proof-of-concept code on the Internet the
>>>> same
>>>> day
>>>> Microsoft
>>>> issued Security Bulletin MS05-009 to resolve the issue. Since then, a
>>>> separate individual
>>>> has modified the posted code into exploit code," Microsoft said in a
>>>> strongly worded
>>>> statement.
>>>> "[T]he publishing of proof-of-concept code within hours of the security
>>>> updates being
>>>> made available has put customers at increased risk."
>>>> Caceres dismissed the Microsoft accusation and pointed out that
>>>> engineers at
>>>> Core
>>>> Security worked closely with Microsoft since reporting the
>>>> vulnerability
>>>> in
>>>> August
>>>> 2003.
>>>> "We worked with Microsoft for six months to develop this patch. We
>>>> waited
>>>> until they
>>>> released the fix before we published our advisory," Caceres said,
>>>> arguing
>>>> that it
>>>> is common procedure to provide proof-of-concept code to let businesses
>>>> determine
>>>> whether their systems are secure.
>>>> Core Security's contained a ZIP-compressed image of a malformed PNG
>>>> file
>>>> that was
>>>> intended to allow MSN Messenger users to check to see if they were
>>>> vulnerable.
>>>> "We're in the business of getting people to understand how secure their
>>>> systems are
>>>> and to help them test to see if they are vulnerable. Our
>>>> proof-of-concept is
>>>> used
>>>> for those tests. It is not to be used by an attacker to arbitrarily
>>>> control
>>>> a target,"
>>>> Caceres said.
>>>> But Microsoft isn't buying that explanation. "A common practice among
>>>> responsible
>>>> researchers is to wait a reasonable period of time before publishing
>>>> such
>>>> code .
>>>> Microsoft is disappointed computer users were not given a reasonable
>>>> opportunity
>>>> to safeguard their computing environments."
>>>> As part of the new plan to make the upgrade mandatory, all MSN
>>>> Messenger
>>>> users who
>>>> attempt to log into the system with a vulnerable version of the client
>>>> will
>>>> be told
>>>> they need to upgrade in the coming days or they will no longer be able
>>>> to
>>>> use the
>>>> service with that vulnerable client.
>>>> MSN Messenger users running vulnerable clients will receive "toast"
>>>> warnings
>>>> about
>>>> the vulnerability and directed to a They will not be able to log into
>>>> the
>>>> Messenger
>>>> service until they accept that upgrade. MSN also plans to communicate
>>>> with
>>>> users
>>>> via security update via links on MSN properties and Web sites.
>>>> How to Protect Against an Exploit:
>>>> MSN Messenger users should make sure their Windows and MSN Messenger
>>>> software is
>>>> current with the released on Feb. 8. The latest versions of MSN
>>>> Messenger
>>>> can be
>>>> Alternatively, users can install an evaluation copy (beta release) of
>>>> the
>>>> new MSN
>>>> Messenger 7.0, which is not targeted by the exploit code.
>>>> Enterprise businesses should consider removing and blocking MSN
>>>> Messenger
>>>> from their
>>>> environments. If this is not feasible, they should make sure every
>>>> installed
>>>> version
>>>> of Windows and MSN Messenger is current with the latest security
>>>> updates.
>>>> MSN Messenger is not intended for corporate environments and Microsoft
>>>> recommends
>>>> uninstalling the client from a business network. Corporate clients
>>>> should
>>>> switch
>>>> to Windows Messenger, which is included with Windows.
>>>> Corporate users should also consider This can be done by blocking
>>>> outbound
>>>> access
>>>> to TCP port 1863 and blocking HTTP access to messenger.hotmail.com.
>>>> Check out eWEEK.com's for the latest security news, reviews and
>>>> analysis.
>>>> And for
>>>> insights on security coverage around the Web, take a look at eWEEK.com
>>>> Security Center
>>>> Editor
>
>
> --
> To post a message to the list, send it to jfw@xxxxxxxxxxxxx
> To unsubscribe from this mailing list, send a message to
> jfw-request@xxxxxxxxxxxxx with the word unsubscribe in the subject line.
> Archives located at: //www.freelists.org/archives/jfw
>
> If you have any concerns about the list, post received from the list, or
> the way the list is being run, do not post them to the list. Rather
> contact the list owner at jfw-admins@xxxxxxxxxxxxxx
--
To post a message to the list, send it to jfw@xxxxxxxxxxxxx
To unsubscribe from this mailing list, send a message to
jfw-request@xxxxxxxxxxxxx with the word unsubscribe in the subject line.
Archives located at: //www.freelists.org/archives/jfw
If you have any concerns about the list, post received from the list, or the
way the list is being run, do not post them to the list. Rather contact the
list owner at jfw-admins@xxxxxxxxxxxxxx
Other related posts:
