Re: MSN Messenger forced upgrade

From: Nick FitzGerald (nick_at_VIRUS-L.DEMON.CO.UK)
Date: 12/07/03

    Date:         Sun, 7 Dec 2003 12:14:38 +1300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Jason Clishe <jclishe@NUSOFTSOLUTIONS.COM> wrote:

    > Apparently Microsoft is forcing its MSN Messenger 6.1.01xx users to
    > upgrade to MSN Messenger 6.1.0203. The nature of this forced upgrade
    > smells suspiciously like some sort of security vulnerability that they
    > don't want to announce. ...

    Perhaps an updated version of the exploit this post to Bugtraq

       http://www.securityfocus.com/archive/1/345223

    claimed was, in late November, being "activelly [sic] exploited in the
    wild"?

    > ... Most troubling is the nature in which Microsoft
    > handled this upgrade.

    Surprisingly to some, I will not comment on this...

    > [1] Apparently this upgrade must fix something relatively severe, if
    > Microsoft is taking steps to actively prevent version 6.1.01xx from
    > being logged into the Messenger network.

    I imagine that normally an upgrade would only be "necessary" if they
    altered something (crucial) in the protocol. Has this happened? Has
    Cerulean released an update of Trillian? Is there a new GAIM to deal
    with this? (Seems not...)

    Perhaps MS is now (trying to be seen to be) acting pre-emptively?
    Rather than just announce "There is a critical security vulnerability
    in MSN Messenger v6.1.01xx that is fixed in the 6.1.0203 build --
    please upgrade" and then, weeks or months later millions of MSN users
    who did not upgrade become infected with some new worm, MS has decided
    to force the update (as much as it can) to avoid the potential future
    bad press?

    Of course, MS is in a "damned if it does, damned if it doesn't" (there
    go dozens upon dozens of brain-dead content filters...) situation in
    such cases. If it doesn't do anything apart from release a patch, it
    is criticized in the future when a worm hits, and if it does force the
    patch now it is criticized for driving us further into the Orwellian
    nightmare...

    Personally, if there is a remotely exploitable arbitrary code execution
    bug in MSN Messenger, I'd prefer that all those millions of "I haven't
    got a clue about security" home and small business users get their
    versions forcibly patched. And, I prefer that even if it is a buggy,
    unstable release because removing such a vulnerability (especially if
    it seems some folk are actively looking for such holes in the product)
    improves the ecosystem as a whole. I'm sorry if that upsets someone's
    use of their computer, but there are alternative chat clients,
    protocols, and providers so if you (the generic end user "you", not the
    OP "you") really don't like MS forcing you to upgrade for the good of
    the net, go find other client software or another service where such
    forcible updates don't (currently) happen (and just hope your new
    provider has much more reliable software as I suspect that in the not
    too distant future forcible updates for all manner of such software
    will become more or less legally mandatory -- the (somewhat misguided
    IMNSHO) "we can fix the Internet with legislation" rot has, I feel,
    reached a point from which it may not be able to be turned back, but
    this is a whole other discussion we should have elsewhere...).

    Regards,

    Nick FitzGerald

    -----
    Marcus Ranum's new book "The Myth of Homeland Security" is now out and
    is available from http://www.amazon.com/ranum In this hard-hitting
    review of the homeland security business, Ranum shows us how the problem
    is vastly harder than it's being made to sound, and how special
    interests, *** covering, and bureaucracy are threatening to derail any
    chance of making progress.
    -----

