Microsoft to push 'mandatory' Live Messenger security patch

The security issue, caused by an extra character in the Microsoft Active Template Library (ATL), affects users of Windows Live Messenger 8.1 and 8.5 on Windows XP, Windows Vista and Windows Server 2008.

From Microsoft's Messenger Says blog:

The upgrade process will take place in a phased approach over the next several weeks:

First Phase, Optional Upgrade: The optional upgrade will happen in two stages: Starting Aug. 25, customers using versions 8.1 or 8.5 were asked to upgrade their client. Starting early Oct., all customers using versions 14.0 (but not the latest release 14.0.8089) will be asked to upgrade their client. The upgrade at this time is optional. Customers who haven’t upgraded during the optional phase will be required to do so during the second phase.

Second Phase, Mandatory Upgrade: The mandatory upgrade will happen in three stages: Starting mid-Sept., all customers using Messenger 8.1 or 8.5 will be required to upgrade their version of Windows Live Messenger. Starting late Oct., all customers using Messenger 14.0 will be required to upgrade their version of Windows Live Messenger. To ensure that we are protecting customers, those who do not administer the upgrade will not be able to sign in to Messenger after this time.

More details on the Microsoft ATL vulnerabilities can be found in this security advisory.