Some of the sites are asking you to pay some money using text messaging in order to receive a code to unlock a modified setup program of Messenger Plus!
Patchou, Messenger Plus! creator, has posted a thread on the Messenger Plus! forums warning users of this. Patchou recommends the following:
- Only download Messenger Plus! from the official site, which is msgpluslive.net or its localized language domains. The official site will never ask you to pay for Messenger Plus!
- Check the setup file's digital signature, which can be found by right-clicking the setup file and selecting Properties. It should be signed by "Patchou" with a VeriSign Class 3 certificate. If it isn't, it was not approved by Patchou and therefore shouldn't be trusted. A screenshot of what the digital signature should look like can be seen here.
View: Patchou's post in full
Official download: Messenger Plus! Live
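The signature check recommended above can also be scripted instead of read from the Properties dialog. The following PowerShell is an added example, not code from Patchou or the Messenger Plus! site; the script name and file path are placeholders, and it assumes the text "VeriSign Class 3" appears in the signing certificate's issuer name.

```powershell
# Added example: check a downloaded installer's Authenticode signature.
# Usage (script and file names are placeholders):
#   .\Check-Installer.ps1 -Path .\setup.exe
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ExpectedSigner = 'Patchou',               # signer name given in the post
    [string]$ExpectedIssuerText = 'VeriSign Class 3'   # assumed to appear in the issuer name
)

function Test-InstallerSignature {
    param([string]$FilePath, [string]$Signer, [string]$IssuerText)

    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) fails:
    # an unsigned or modified setup program stops here.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return [pscustomobject]@{ Trusted = $false; Reason = "Signature status is $($sig.Status)" }
    }

    $cert = $sig.SignerCertificate
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signerName = $cert.GetNameInfo($nameType, $false)   # subject's simple name (CN)

    # A valid signature from a different publisher is still not the approved build.
    if ($signerName -ne $Signer) {
        return [pscustomobject]@{ Trusted = $false; Reason = "Signed by '$signerName', expected '$Signer'" }
    }

    # The issuer is compared as a substring of the full issuer distinguished name.
    if ($cert.Issuer -notlike "*$IssuerText*") {
        return [pscustomobject]@{ Trusted = $false; Reason = "Unexpected issuer: $($cert.Issuer)" }
    }

    return [pscustomobject]@{ Trusted = $true; Reason = "Valid signature by '$signerName'" }
}

$result = Test-InstallerSignature -FilePath (Resolve-Path $Path).Path `
    -Signer $ExpectedSigner -IssuerText $ExpectedIssuerText
$result | Format-List
if (-not $result.Trusted) { exit 1 }
```

The status check comes first because a signer name on its own proves nothing: only a signature Windows reports as Valid ties that name to the file's actual contents.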
The FBI have even warned about a virus going around, and have issued a press statement about the Storm Worm. It says:
If you unexpectedly receive a Valentine's Day e-card, be careful. It may not be from a secret admirer, but instead might contain the Storm Worm virus.
The Storm Worm virus has capitalized on various holidays in the last year by sending millions of e-mails advertising an e-card link within the text of the spam e-mail. Valentine's Day has been identified as the next target.
Just remember: be careful, don't click on any suspicious links contacts send you within Messenger, and don't accept file downloads unless you know what they are.
Source: mess.be
View the press release by the FBI
on Mon 22 Oct 2007 (20:44 GMT) (1716 views)
The email mainly focused on making sure only your contacts can see your current status, protecting you from inaccurate block checkers and stopping 3rd party services from knowing your IM habits. The message also promoted using a free trial of Windows Live OneCare and gave a small link on phishing websites. This is just a small part of Microsoft's new wave of protecting its users against viruses and ensuring their personal data is kept safe.
I know, news is rather slow.
View the email sent to Windows Live users
Again, this is only a risk if you accept sharing folders with people you do not trust, and there is no known virus spreading:
The attacker can 'Create a sharing folder' for its victim and then put the malformed file into the physical location of that folder on his hard drive (My Computer > My Sharing Folders > victim@hotmail.com). Note that if the attacker would drag & drop the file directly into the Messenger window, his own client would crash. Considering that the victim has accepted the sharing folder, the attacker can simply click the sharing icon to crash Windows Live Messenger, or even Windows XP entirely when the process isn't terminated in time. The victim then needs to delete the sharing folder entirely to cease the exploitation.
The vulnerability was discovered on the 20th of August 2007 and reported to Microsoft on the 23rd. The company responded one day later that it will address the issue in 'the next service pack'. Although there have been no reports yet of actual exploitation via this method, you should note that in order to protect yourself you should avoid sharing folders with contacts you don't trust.
Nevertheless, Microsoft are tough on security flaws; let's just hope there are no stupid decisions this time around.
Source: mess.be
In the second phase, we are turning on the Mandatory Security Upgrades for Windows 2000, Windows 98, Windows 98 SE, and Windows ME. As noted in the security bulletin, we have built a new version of MSN Messenger 7.0, build number 7.0.0820, that will run on Windows 2000. This version of MSN Messenger has also been tested for Windows 98, Windows 98 SE, and Windows ME. Users should expect these upgrades to start soon.
To recap, the set of Messenger clients that do not have the webcam security vulnerability are:
- Windows Live Messenger 8.1 (for XP and Vista)
- MSN Messenger 7.0.0820 (for Windows 2000 and Windows 98, SE, ME)
- Windows Messenger – all versions (XP only)
- MSN Messenger 5.0 for Windows 95.
- Microsoft Messenger for Macintosh (all versions)
What I find interesting is that Microsoft are still forcing the update despite the large number of critical comments left on the MessengerSays blog.
I see threads about this issue in Messenger forums regularly and Salem has provided an interesting summary of the problem:
I've just come across website(s) which actually charge you to download Freeware (freely available) software. Take CryptoSoft.com for example. CryptoSoft charges £6 (approx US$12.12 or 8.88 euros) for a single download of software such as MessengerPlus! Live, Windows Live Messenger, Yahoo! Messenger, Skype and more, all of which are available as FREE downloads. CryptoSoft even charges you to download Open Source software like Mozilla's Firefox & Thunderbird.
So, what does CryptoSoft.com do? Once you click on the 'Download' button you are asked to send a text (SMS) message with a given prefix to a designated number. Each text message costs you £2, and there are a total of three text messages involved in completing a purchase (£2 x 3 = £6).
Now there's nothing wrong with freely distributing freeware, but the problem comes in when you actually charge people for the free software you're giving them, which is illegal.
When looking for software, always download from official sources (the official product website). If, however, you find a (third-party) site wants to charge you for downloading, use your trusty friend Google (or any other search engine) to have a look at the official website to see if there are any costs involved in downloading.
Unfortunately these websites are becoming incredibly popular. They prey on young minds who may own a mobile phone and thus making it a convenient way to pay. You just have to look how much people spend on ringtones via similar techniques, so this may in fact seem a good deal, when in reality people are getting scammed.
Windows Live Messenger is seen as a resource-hogging, newly designed, newly branded MSN Messenger and people don't seem to like it. Many people stick with MSN Messenger for a variety of reasons, as Windows Live Messenger may have compatibility issues or people simply don't like change.
MessengerSays, the official development blog of Windows Live Messenger, has posted about the forced update three times now. They are addressing problems and listening to feedback. Nevertheless, there seems to be no sign that the team will reverse their decision.
The ironic thing about this was that Microsoft forced users to update to fix a security hole that wasn't even being exploited. This was to protect users' computers and of course avoid a bad experience using Messenger. However, by doing this they have created more tension between the program and its users on a scale worse than what a virus could do. In my opinion MSN Messenger should still be available to everyone.
Another thing to note is, if you're on Windows XP and using the new MSN Messenger 7.0.0820 build to avoid the update, you will no longer be able to sign in. According to Messenger MVP Sunshine you will be forced to update:
Even tho it says in the system requirements of 7.0.0820 that you can run it on WinXP you are not supposed to do so. WinXP has gotten into the requirements by mistake, this will be fixed. MSN Messenger 7.0.0820 will only run on OS'es pre-Windows XP..all on WinXP and Vista will have to upgrade to Windows Live Messenger.
Basically, if you're using Windows XP, MSN Messenger is a thing of the past. Say hello to Windows Live Messenger or find an alternative client. If you have an issue, report it to the official Windows Live Messenger newsgroups.
MessengerSays: Upgrading to Messenger 8.1
MessengerSays: We hear you!
MessengerSays: Securing Messenger
Since the release there have been numerous requests by XP users who still want to keep MSN Messenger. Some people are very reluctant to use Windows Live Messenger for a variety of reasons. So what can you do to keep using MSN Messenger? Well, there is a choice ...
First of all, you could trick the Messenger protocol into letting you keep using MSN Messenger; although there are no known tools for this yet, you will probably see one crop up soon. The most common fixes are either changing the Messenger build number using Resource Hacker or selecting the compatibility mode when running the program (see screenshot).
Messenger MVP Sunshine had this to say on the issue:
If you are on WinXP and you don't like Windows Live Messenger you can also get the renewed MSN Messenger 7 version:
MSN Messenger 7.0.0820 for Windows 98, Windows 2000, Windows Millennium and Windows XP
The workaround posted here will probably stop working soon too, eventually you will not be able to sign in with 7.5 anymore (as long as you are using it you are also putting your comp at risk)! Users on Windows 98, Windows 2000, Windows Millennium will be forced to upgrade to 7.0.0820.
Detailed info: Microsoft Security Bulletin MS07-054, Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution (942099)
Users should be prompted about the security update, but forcing users to switch to what seems like a new program is suicide for Messenger. I think things like this are what is putting MSN/Windows Live Messenger firmly in the past; the market of instant messaging has changed since the glory days of just chatting to friends.
Download MSN Messenger 7.0.0820
on Tue 11 Sep 2007 (16:44 GMT) (8980 views)
This still leaves other Windows users at risk, but this is just a temporary solution to the problem (I would hardly call this a huge security flaw anyway, it is hard to get any virus of this nature spreading). If anything I am more concerned about MSN Messenger users not wanting to use Windows Live Messenger as to some they are two different programs and a minority will want to keep using MSN Messenger.
If you're wondering why this only applies to Windows XP users, it simply comes down to the fact that Windows 2000 and below are not compatible with newer versions of Messenger. I think we can expect some form of update for MSN Messenger 7.0 in the near future.
on Thu 31 Aug 2007 (14:33 GMT) (30484 views)
The problem is caused by a 'buffer overflow' and to be honest it is nothing to worry about if you know the people who you are accepting webcam invitations from. The problem with this situation is a fix is already present for Windows Live Messenger, but MSN Messenger is still open to the security flaw.
So what does this mean for MSN Messenger? Well, MSN Messenger is still a popular program, Microsoft still support it, and you have to remember Windows Live Messenger is just an updated and re-branded MSN Messenger. Forcing users to update to Windows Live Messenger would not be a wise move.
ZDNet managed to get a quote from a Microsoft spokesperson on the issue:
Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.
This shows Microsoft are still keen on MSN Messenger users and will support critical updates for the program. I expect a new build for MSN Messenger will be available in the near future.


