MSN Messenger vulnerable to hackers

Posted: Thursday, May 23, 2002

SEATTLE -- Users of the latest versions of Microsoft's popular MSN Messenger program are vulnerable to computer hackers, the company has warned.

The ''critical'' flaw in the Internet-based program, which has millions of users, is the latest serious security flaw to be discovered in a program from the world's dominant software company.

Microsoft said hackers could exploit the vulnerability to run their own malicious commands on a user's computer.

Affected is a feature that allows users to gather in a single virtual location or ''chat room'' to exchange messages across the Internet in near real time.

The affected software includes Microsoft MSN Chat Control, Microsoft MSN Messenger versions 4.5 and 4.6, and Microsoft Exchange Instant Messenger 4.5 and 4.6.

Microsoft has been trying to make inroads into the market, which is dominated by AOL's Instant Messenger.

The vulnerability was discovered as Microsoft undergoes an intensive companywide campaign to stamp out security problems, an effort ordered by chairman and chief software architect, Bill Gates.

The Redmond, Wash.-based software maker issued a critical security bulletin to users late Wednesday, advising them to upgrade by visiting an MSN Chat site and downloading an upgraded new chat control, or by upgrading on the site to the latest version of MSN Messenger or Exchange Instant Messenger.

The company said that to its knowledge no user had been hacked via the flaw, Microsoft Security Program Manager Christopher Budd said, though he cautioned users not to be complacent about downloading the upgrades.

The chat control feature is not automatically included in Windows Messenger, which is installed with the XP version of Windows, Microsoft's flagship operating system.

Budd said it is automatically included only in the two latest versions of MSN Messenger, which has some 46 million users. The first of those versions was released last October.

Microsoft was informed of the flaw by a security firm about a month ago but did not disclose it until late Wednesday because it was developing the fixes or ''patches'' for customers to download, Budd said.

''Software always will have flaws,'' Budd said. ''We always do our best to ensure we do not have flaws or vulnerabilities, but while we strive for perfection, we know we're not always going to achieve perfection.''

Gates announced a ''Trustworthy Computing'' initiative in January after a series of embarrasing security incidents involving Microsoft software that prompted criticism the software giant had been giving security short shrift as it piled new feature upon new user-friendly feature in its operating systems.

The most serious was a vulnerability affecting a Web server program included in corporate Windows operating systems.

That flaw could let a hacker take over someone else's server.

Like the Web server flaw, the newest vulnerability was caused by what is known as a ''buffer overflow problem.''

Buffer overflows occur when software is programmed to accept information but not given the ability to validate or limit it. That allows hackers to send commands that an operating system is not expecting but that end up in a computer's memory and are executed.

In February, officials at Microsoft warned of an unrelated flaw in MSN Messenger that could allow a hacker to gain access to screen names and e-mail addresses.

Subscribe to Peninsula Clarion

Trending this week:


© 2018. All Rights Reserved. | Contact Us