Re: MSN Messenger forced upgrade

From: Vesselin Bontchev (bontchev_at_COMPLEX.IS)
Date: 12/08/03

    Date:         Mon, 8 Dec 2003 10:38:05 +0000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    --On 07 December, 2003 12:14 +1300 Nick FitzGerald
    <nick@VIRUS-L.DEMON.CO.UK> wrote:

    > Jason Clishe <jclishe@NUSOFTSOLUTIONS.COM> wrote:
    >
    >> Apparently Microsoft is forcing its MSN Messenger 6.1.01xx users to
    >> upgrade to MSN Messenger 6.1.0203. The nature of this forced upgrade
    >> smells suspiciously like some sort of security vulnerability that they
    >> don't want to announce. ...

    C'mon, folks, this issue is several months old. Microsoft started warning
    several months ago that this version of MSN Messenger had a security bug
    and that everybody was required to switch to a newer one within a few
    months. Apparently, the deadline has been reached and they have stopped
    supporting the old version. The only ones who are surprised are those who
    have ignored the warning and still haven't updated - i.e., who have been
    vulnerable so far.

    For instance, Microsoft's warning has been discussed on the Trillian
    message boards in August:

            <http://www.trillian.cc/forums/showthread.php?threadid=43649>

    >> ... Most troubling is the nature in which Microsoft
    >> handled this upgrade.

    What's so troubling about it? They warned the MSN Messenger users *months*
    ago. Now they are simply forcing the hand of the stragglers who *still*
    haven't upgraded. Would we rather have them running vulnerable versions?

    > I imagine that normally an upgrade would only be "necessary" if they
    > altered something (crucial) in the protocol. Has this happened? Has

    Yes.

    > Cerulean released an update of Trillian?

    Yes. Trillian 0.74 D can no longer connect to the MSN Messenger service -
    but version 0.74 F (released on October 9) can. Dunno about 0.74 E, but I
    think that even it incorporates the MSNIM-related patch.

    > Perhaps MS is now (trying to be seen to be) acting pre-emptively?

    They are simply forcing a security patch because they can. They (currently)
    cannot force all those users of unpatched Windows, IE, Office, etc.
    products to patch them - but since everybody who uses Messenger connects to
    machines Microsoft controls, they can force a security patch on them;
    pretty much like AOL does it on their users.

    > Personally, if there is a remotely exploitable arbitrary code execution
    > bug in MSN Messenger, I'd prefer that all those millions of "I haven't
    > got a clue about security" home and small business users get their
    > versions forcibly patched. And, I prefer that even if it is a buggy,
    > unstable release because removing such a vulnerability (especially if
    > it seems some folk are actively looking for such holes in the product)
    > improves the ecosystem as a whole. I'm sorry if that upsets someone's

    Exactly!

    Sigh... Did I just write a message defending what Microsoft has done? Gosh,
    I must be getting senile at my old age...

    Regards,
    Vesselin

    --
    Vesselin Vladimirov Bontchev, not speaking for FRISK Software International,
    Postholf 7180, IS-127, Reykjavik, Iceland              producers of F-PROT.
    e-mail: bontchev@complex.is, tel.: +354-540-7422, fax: +354-561-7274
    PGP 2.6.2i key fingerprint: E5 FB 30 0C D4 AA AB 44  E5 F7 C3 18 EA 2B AE 4E