Tuesday, June 22, 2004

MSN Messenger 6.2 Upgrade

I upgraded my MSN Messenger to the newest version today. The MSN site explained that there were security problems with their older versions that upgrading would fix. When I actually installed version 6.2, a screen from the installer gave me the option to install three "features." Good thing I was paying attention and unchecked the default options.



First off, the irony in offering a pop-up blocker for Internet Explorer (IE) is fairly striking. Why does the Redmond giant need users to install an add-on to their product through messenger to make it better? Why not just include the pop-up blocker with IE instead of trying to manipulate upgrading users into using it? The real question is, why didn't they include a pop-up blocker option with IE in the first place? I believe Microsoft thought blocking pop-up ads was bad for business. Advertisers might not like the fact that they can't sell you X10 cameras from every webpage you visit if your browser can easily block their ads. Not to mention the fact that Microsoft wouldn't want Internet Explorer blocking even their own Hotmail pop-ups. Is nothing sacred? I assume that it is Google's popularity (specifically the Google Toolbar - which, by the way, is excellent) that is signaling Microsoft that maybe now is the time to get on the ball and offer a product worth using.

Which brings me to the second "feature". Make MSN your default search engine. Why? So we can spend twice as long searching and then end up searching again on another site anyway? Google is the fastest, most reliable, and most entertaining search engine out there. Millions of people worldwide use it as their home page.

Which may be exactly why Microsoft has another default check in front of their third choice, "Make MSN Home your default home page." They want people to read their ads, use their search engine, and basically do everything Microsoft wants them to.

So was this upgrade specifically to fight off Google? Maybe, maybe not, but reading the Technical Description made me think that this mandatory upgrade isn't very mandatory at all.

And the nitty-gritty from their security bulletin site:
Technical description:

A security vulnerability exists in Microsoft MSN Messenger. The vulnerability exists because of the method used by MSN Messenger to handle a file request. An attacker could exploit this vulnerability by sending a specially crafted request to a user running MSN Messenger. If exploited successfully, the attacker could view the contents of a file on the hard drive without the user's knowledge as long as the attacker knew the location of the file and the user had read access to the file.

To exploit this vulnerability, an attacker would have to know the sign-on name of the MSN Messenger user in order to send the request.

Mitigating factors:

  • An attacker must know the sign-on name of the user
  • If the user has blocked receiving messages from anonymous users not on their contact list by placing "All Others" in their block list, the attacker's messenger account must be on the user's allow list to exploit the vulnerability.
  • The attacker could access files that the user had read access to. If the user is logged into the computer with restricted privileges this would limit the files that the attacker could access.

It looks like this is a pretty minor vulnerabilty. Someone would really have to have it out for you - and know a lot of personal information before being able to exploit this bug.

On the other hand, there are a couple of noteworthy changes in this version. Mobile users now appear with a yellow avatar instead of the standard green, as well their is an option to create custom emoticons or use a selection of new animated MSN ones. The best new feature appears to be an option to create a share folder which makes it easier to share files with other users.

So despite my complaints my advice is this - unless you are completely satisfied with your current version, don't be shy; go ahead and upgrade. When you do, just remember to turn off the default checks for other MSN "features".

Comments: 2
(Permalink) 

Comments:
Why use MSN in the first place, and not Miranda :)
On the plus side, you can also blog right from Miranda :D
 
I was using Trillion, another similar messenger program that allows you to combine MSN, ICQ, Yahoo Chat, and AOL. I don't like it though because I only have one contact using anything other than MSN. As well I find it unreliable in transferring files. Not to mention I prefer the MSN interface. Once Google releases an instant messaging program I will likely use it exclusively. I just need to get all my MSN contacts to do the same (there aren't that many of them). Goodbye Microsoft; hello Google.
 





Read more in the Archives