Microsoft: Upgrade Messenger or else
- 01 September, 2009 08:01
- Comments
Microsoft will force an upgrade on users of its Windows Live Messenger instant messaging software in September to plug a hole the company introduced when a programmer added an extra character to a code library.
Starting in mid-September, users of Messenger 8.1 and 8.5 will be required to upgrade to Messenger 14.0.8089 if they want to use Microsoft's instant messaging service, the company announced in a blog posted last Thursday .
Optional upgrade offers have already started reaching Messenger 8.1 and 8.5 users, Microsoft said.
The timeline for people running a build of Messenger 14 is different. Mandatory upgrades to Messenger 14.0.8089 will begin in late October, while upgrade offers will be sent at the beginning of that month.
"It will take several weeks for the upgrade process to be completed, as the upgrade will be rolled out to customers over the course of several weeks," Microsoft said.
Microsoft also encouraged users to proactively upgrade by manually downloading the newest version of Messenger from the service's site.
Although Messenger 14 includes several new features and a revamped interface, Microsoft's making the upgrade mandatory because of a flaw inherited from a buggy Microsoft code "library" -- Active Template Library, or ATL -- used by programmers in the IM client's development.
In late July, Microsoft acknowledged that the vulnerability introduced in software crafted using ATL was due to a one-character typo : an extra "&" symbol to be exact.
On July 28, Microsoft issued a pair of emergency patches to crush the ATL bug in Internet Explorer and Visual Studio, the company's popular development platform. On Aug. 11, as part of its regularly-scheduled monthly security update, Microsoft patched five more ATL flaws in several company-made components.
Windows Live Messenger was not among the programs named in MS09-037 , the accompanying security bulletin, however. Previously, Microsoft said it might take months for it to go through the code of all its software to determine which was affected by the ATL bug.
Last week, Microsoft revised the security advisory for the ATL vulnerabilities to add a section on Messenger. In the alert's FAQ, the company made clear that the upgrade was mandatory. "If you do not accept the upgrade, you may not be allowed access to Windows Live Messenger service," the advisory read.
The Messenger upgrade will not be pushed to users via Windows Update, the normal patch distribution service. "Microsoft currently issues upgrades for the Windows Live Messenger client using the Windows Live Messenger service because these online services have their own client deployment mechanism," Microsoft said. Nor will users running any version of Windows older than XP be required to upgrade. Unless they upgrade on their own, those people will continue using the vulnerable software.
Mandatory Messenger upgrades are nothing new. Nearly two years ago, Microsoft did the same thing -- again because of a security vulnerability -- when it forced users to update to Windows Live Messenger 8.1.
But some users reacting to last week's announcement took the opportunity to knock the upgrade. "So now you're forcing us to upgrade to something that's horribly broken?" said a user identified as "hemingray" in a comment to the blog. "No thanks. I'll always use 8.5, don't care what frigging exploits it has."
"I have stayed with 8.5 to retain sharing folders, which I rely upon," added someone labeled "Sam Toucan" in the same comment thread. "Put sharing folders in and I'll be happy. Else, leave me be with 8.5!"
Recommended
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Bookmark this page
- Share this article
- Got more on this story? Email CIO
- Follow CIO on twitter
- Upgrade your Windows Live Messenger Service - Windows Live
- Essentials - Windows Live
- Extra '&' in Microsoft development code gave hackers IE exploit
- Microsoft rushes patches to fix 'big deal' programming flaw
- Microsoft patches 19 bugs in sweeping security update
- Microsoft Security Bulletin MS09-037 - Critical: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)
- Microsoft Security Advisory (973882): Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution
- Microsoft to push mandatory Messenger upgrade
-
Why change management doesn’t work
-
Larry Page wants to see your medical records
-
Dual-Persona Smartphones Not a BYOD Panacea
-
After two-year hiatus, EFF accepts bitcoin donations again
-
CIOs struggle to deliver timely mobile business apps: survey
-
Vodafone Ireland Implements World-Class Service Excellence with HP BSM
Shane Gaffney, head of IT operations explain how HP Business Service Manager solutions have helped Vodafone to transform from a reactive to a proactive IT Operations function, and to align their priorities to match the business and drive business value, delivering 300% ROI in one year. Download today. -
Pathways Advanced ICT Leadership Development Program Course Outline and Big 6 2013
Developed by the CIO executive Council in conjunction with Rob Livingstone Advisory, Pathways Advanced is a 12-month CIO delivered, small group, mentor based professional leadership development program. Pathways Advanced brings together best practice, thought leadership and business insights for today’s most promising ICT professionals -
Protecting Your Data, Intellectual Property, and Brand from Cyber Attacks
Enterprises and government agencies are under virtually constant attack today. It is clear that the cybercriminals, nation-states, and hacker activists waging these attacks are growing increasingly sophisticated and more effective in their efforts to steal and sabotage. Why are today’s security defenses failing? In this battle, your security teams are using outdated arsenal - download now to learn more.
Get exclusive access to Invitation only events CIO, reports & analysis. 
