Zero Day
Ryan Naraine and Dancho Danchev
Microsoft to push 'mandatory' Live Messenger security patch
Summary
Microsoft plans to force a mandatory Windows Live Messenger upgrade later this month to fix a security vulnerability that exposes Windows users to remote code execution attacks.
Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.
Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.
Microsoft plans to force a mandatory Windows Live Messenger upgrade later this month to fix a security problem that exposes Windows users to remote code execution attacks.
The security issue, caused by an extra character in the Microsoft Active Template Library (ATL), affects users of Windows Live Messenger 8.1 and 8.5 on Windows XP, Windows Vista and Windows Server 2008.
From Microsoft’s Messenger Says blog:
The upgrade process will take place in a phased approach over the next several weeks:

First Phase, Optional Upgrade:
The optional upgrade will happen in two stages:
- Starting Aug. 25, customers using versions 8.1 or 8.5 were asked to upgrade their client.
- Starting early Oct., all customers using versions 14.0 (but not the latest release 14.0.8089) will be asked to upgrade their client.
The upgrade at this time is optional. Customers who haven’t upgraded during the optional phase will be required to do so during the second phase.

Second Phase, Mandatory Upgrade:
The mandatory upgrade will happen in three stages:
- Starting mid-Sept., all customers using Messenger 8.1 or 8.5 will be required to upgrade their version of Windows Live Messenger.
- Starting late Oct., all customers using Messenger 14.0 will be required to upgrade their version of Windows Live Messenger.
To ensure that we are protecting customers, those who do not administer the upgrade will not be able to sign in to Messenger after this time.
More details on the Microsoft ATL vulnerabilities can be found in this security advisory.
Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.
Talkback: Most Recent of 9 Talkback(s)
-
More details on the Microsoft ATL vulnerabilities
I am sure that this vulnerability is only for Windows XP. We have been assured by the Windows experts on this site that Windows Vista and 7 are very secure. So it could not affect them.
gertruded 09/01/2009 11:30 AM
-
Existence of security patches means an OS isn't secure?
Can you please explain how the existence of a security patch proves that the OS it targets is not secure?
NonZealot 09/01/2009 11:56 AM
-
He cannot, because there is no link between security patches
and an OS being insecure or not secure. The
fact is that security patches simply mean that
the developers made an 'oops' while coding,
usually not even realizing that and they have
to push out a patch to fix that problem.
People are expecting TOO FREAKING MUCH from
Microsoft and other OS makers. They are
expecting them to basically code all software
'perfectly'. I am sorry, but they are not
machines, and they are going to make mistakes.
Lerianis10 09/01/2009 08:01 PM
-
That's the line you push for every OS X patch
Every time a patch for OS X is released, you loudly proclaim that it is
yet more evidence of its poor security.
So finally you admit that patches, per se, are not evidence of poor
security.
I think I'll bookmark your post, firstly because I'll reference it every
time I see you trot out your anti-Apple bile. Secondly, because your
reply to this post, which will undoubtedly try to justify your position,
will almost certainly be a triumph of contorted logic.
Fred Fredrickson 09/02/2009 06:30 AM
-
RE: Microsoft to push 'mandatory' Live Messenger security patch
Now all they need to do is GIVE US GPO SUPPORT for Live Messenger, PLEASE!
They encourage Windows Messenger users to upgrade. They distribute Live with new business-class computers (OEM's fault) and leave IT hanging with no way to control the security and experience through GPO. My only choice is to license a 3rd party app to get some limited GPO support.
This is no longer an app for the home, MS. Help IT out here!
djmik 09/01/2009 12:36 PM
-
Live Messenger is meant for home use
NOT for business use, so don't expect them to do
that anytime soon.
You are right that it is the OEM's fault for
including Windows Live Messenger on systems when
Microsoft specifically says it is ONLY for home
usage.
Lerianis10 09/01/2009 08:04 PM
-
RE: Microsoft to push 'mandatory' Live Messenger security patch
I have tried several times to do this mandatory upgrade... after install Messenger will not open, causes an error of an undisclosed nature and Microsoft closes it. I meet all requirements, install as directed and it has failed several times, so I remove it and return to a previous version... I can't find any help from Microsoft for this... so what?? Soon I simply will not be able to use this program??
Laura42773@... 09/03/2009 05:16 AM
-
Interesting Approach
MS doesn't usually bully people into upgrades. When there is a real security problem and no ulterior motive of the manufacturer, I'm okay with this voluntary and then mandatory phase in.
melekali 09/03/2009 06:46 PM
-
Of course...
...patches are not indicative of poor security. Macs are insecure because they are a small target and have not really had to do any defending. This huge attack vector has made MS the butt of jokes and attacks, but has hardened them far more than Apple.
melekali 09/03/2009 06:49 PM