September 1st, 2009
Microsoft to push 'mandatory' Live Messenger security patch
Microsoft plans to force a mandatory Windows Live Messenger upgrade later this month to fix a security problem that exposes Windows users to remote code execution attacks.
The security issue, caused by an extra character in the Microsoft Active Template Library (ATL), affects users of Windows Live Messenger 8.1 and 8.5 on Windows XP, Windows Vista and Windows Server 2008.
From Microsoft’s Messenger Says blog:
The upgrade process will take place in a phased approach over the next several weeks:
First Phase, Optional Upgrade:
The optional upgrade will happen in two stages:
Starting Aug. 25, customers using versions 8.1 or 8.5 were asked to upgrade their client.
Starting early Oct., all customers using versions 14.0 (but not the latest release 14.0.8089) will be asked to upgrade their client.
The upgrade at this time is optional. Customers who haven’t upgraded during the optional phase will be required to do so during the second phase.
Second Phase, Mandatory Upgrade:
The mandatory upgrade will happen in three stages:
Starting mid-Sept., all customers using Messenger 8.1 or 8.5 will be required to upgrade their version of Windows Live Messenger.
Starting late Oct., all customers using Messenger 14.0 will be required to upgrade their version of Windows Live Messenger.
To ensure that we are protecting customers, those who do not administer the upgrade will not be able to sign in to Messenger after this time.
More details on the Microsoft ATL vulnerabilities can be found in this security advisory.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
