Microsoft: Upgrade Messenger or else

Windows Live Messenger mandatory upgrade will patch development code vulnerability

Microsoft will force an upgrade on users of its Windows Live Messenger instant messaging software in September to plug a hole the company introduced when a programmer added an extra character to a code library.

Starting in mid-September, users of Messenger 8.1 and 8.5 will be required to upgrade to Messenger 14.0.8089 if they want to use Microsoft's instant messaging service, the company announced in a blog posted last Thursday .

Optional upgrade offers have already started reaching Messenger 8.1 and 8.5 users, Microsoft said.

The timeline for people running a build of Messenger 14 is different. Mandatory upgrades to Messenger 14.0.8089 will begin in late October, while upgrade offers will be sent at the beginning of that month.

"It will take several weeks for the upgrade process to be completed, as the upgrade will be rolled out to customers over the course of several weeks," Microsoft said.

Microsoft also encouraged users to proactively upgrade by manually downloading the newest version of Messenger from the service's site.

Although Messenger 14 includes several new features and a revamped interface, Microsoft's making the upgrade mandatory because of a flaw inherited from a buggy Microsoft code "library" -- Active Template Library, or ATL -- used by programmers in the IM client's development.

In late July, Microsoft acknowledged that the vulnerability introduced in software crafted using ATL was due to a one-character typo : an extra "&" symbol to be exact.

On July 28, Microsoft issued a pair of emergency patches to crush the ATL bug in Internet Explorer and Visual Studio, the company's popular development platform. On Aug. 11, as part of its regularly-scheduled monthly security update, Microsoft patched five more ATL flaws in several company-made components.

Windows Live Messenger was not among the programs named in MS09-037 , the accompanying security bulletin, however. Previously, Microsoft said it might take months for it to go through the code of all its software to determine which was affected by the ATL bug.

Last week, Microsoft revised the security advisory for the ATL vulnerabilities to add a section on Messenger. In the alert's FAQ, the company made clear that the upgrade was mandatory. "If you do not accept the upgrade, you may not be allowed access to Windows Live Messenger service," the advisory read.

The Messenger upgrade will not be pushed to users via Windows Update, the normal patch distribution service. "Microsoft currently issues upgrades for the Windows Live Messenger client using the Windows Live Messenger service because these online services have their own client deployment mechanism," Microsoft said. Nor will users running any version of Windows older than XP be required to upgrade. Unless they upgrade on their own, those people will continue using the vulnerable software.

Mandatory Messenger upgrades are nothing new. Nearly two years ago, Microsoft did the same thing -- again because of a security vulnerability -- when it forced users to update to Windows Live Messenger 8.1.

But some users reacting to last week's announcement took the opportunity to knock the upgrade. "So now you're forcing us to upgrade to something that's horribly broken?" said a user identified as "hemingray" in a comment to the blog. "No thanks. I'll always use 8.5, don't care what frigging exploits it has."

"I have stayed with 8.5 to retain sharing folders, which I rely upon," added someone labeled "Sam Toucan" in the same comment thread. "Put sharing folders in and I'll be happy. Else, leave me be with 8.5!"

Join the CSO newsletter!

Error: Please check your email address.

Tags msnMicrosoftmessengerWindows Live

More about ATLMessengerMicrosoftWindows Live

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place