Tag - Security
Windows Live Messenger users have been receiving an email over the past week giving them hints and tips how to increase their privacy and protect themselves from dangerous programs online.
The email mainly focused on making sure only your contacts can see your current status, protecting you from inaccurate block checkers and stopping 3rd party services knowing your IM habits. The message also promoted using a free trail of Windows Live OneCare and gave a small link on pishing websites. This is just a small part of Microsoft's new wave of protecting its users against viruses and ensuring their personal data is kept safe.
I know, news is rather slow.
>> View the email sent to Windows Live users
The email mainly focused on making sure only your contacts can see your current status, protecting you from inaccurate block checkers and stopping 3rd party services knowing your IM habits. The message also promoted using a free trail of Windows Live OneCare and gave a small link on pishing websites. This is just a small part of Microsoft's new wave of protecting its users against viruses and ensuring their personal data is kept safe.
I know, news is rather slow.
>> View the email sent to Windows Live users
I already briefly mentioned you can resource hack into MSN Messenger and trick the Messenger servers you are using an newer, secure version. Ahmad, creator of A-Patch created this tutorial on how to do so.
You're done, run Messenger.
Use this at your own risk. This should also work on 7.5 builds. I hope to create a small patch soon which will do all this at a click of a button. This is a good method that will allow you to use your favourite Messenger client again.
- Exit Messenger and open up msnmsgr.exe using Resource Hacker.
- Expand the 'Version Info' folder.
- Expand the '1' folder.
- Click on the green icon numbered '1033' (number might be different if using a different language, that's fine)
- Now on the right side of the window change:
VALUE 'FileVersion', '7.0.0816' to
VALUE 'FileVersion', '7.0.0820' and change:
VALUE 'ProductVersion', '7.0.0816' to
VALUE 'ProductVersion', '7.0.0820' - Click the Compile Script button at the top.
- Click File > Save.
You're done, run Messenger.
Use this at your own risk. This should also work on 7.5 builds. I hope to create a small patch soon which will do all this at a click of a button. This is a good method that will allow you to use your favourite Messenger client again.
Good news for Windows XP users still wanting to use MSN Messenger. The new 7.0.0820 build released a couple of weeks ago now allows XP users to sign into it, without any hassle. Anand from the MessengerSays blog has this to say:
This is great news and it shows that the Messenger team are listening to its users.
>> Source: MessengerSays blog
We've seen feedback from several people that they would like to stay on a version of MSN Messenger. Given that many of us currently on the Windows Live Messenger team also worked on MSN Messenger for years, we can appreciate the sentiment. Based on this, we have a new option we hope you'll like.
For those of you on XP who are passionate about staying on MSN Messenger, we've now released the new, more secure build of MSN Messenger 7.0 build 0820 for Windows XP, and we recommend you install and use this build (rather than running MSN Messenger 7.5 on XP in Windows 2000 compatibility mode as we realize some of you are doing). If you currently have MSN Messenger 7.5 installed, we recommend you uninstall it via Add/Remove Program
For those of you on XP who are passionate about staying on MSN Messenger, we've now released the new, more secure build of MSN Messenger 7.0 build 0820 for Windows XP, and we recommend you install and use this build (rather than running MSN Messenger 7.5 on XP in Windows 2000 compatibility mode as we realize some of you are doing). If you currently have MSN Messenger 7.5 installed, we recommend you uninstall it via Add/Remove Program
This is great news and it shows that the Messenger team are listening to its users.
>> Source: MessengerSays blog
Again a 'highly critical' security flaw has appeared, this time in Windows Live Messenger specific to the sharing folders feature. Similar to the webcam flaw, the problem is caused by a 'buffer overflow' however, this time the exploit only effects Windows Live Messenger users and won't spark as much criticism if a forced update was to be in implemented.
Again this is only a risk if you accept sharing folders with people you do not trust and there is no known virus spreading:
Nevertheless Microsoft are tough on security flaws, let's just hope there are no stupid decisions this time around.
>> Source: mess.be
Again this is only a risk if you accept sharing folders with people you do not trust and there is no known virus spreading:
The attacker can 'Create a sharing folder' for its victim and then put the malformed file into the physical location of that folder on his hard drive (My Computer > My Sharing Folders > victim@hotmail.com). Note that if the attacker would drag & drop the file directly into the Messenger window, his own client would crash. Considering that the victim has accepted the sharing folder, the attacker can simply click the sharing icon to crash Windows Live Messenger, or even Windows XP entirely when the process isn't terminated in time. The victim then needs to delete the sharing folder entirely to cease the exploitation.
The vulnerability was discovered on the 20th of August 2007 and reported to Microsoft on the 23rd. The company responded one day later that it will address the issue in 'the next service pack'. Although there have been no reports yet of actual exploitation via this method, you should note that in order to protect yourself you should avoid sharing folders with contacts you don't trust.
The vulnerability was discovered on the 20th of August 2007 and reported to Microsoft on the 23rd. The company responded one day later that it will address the issue in 'the next service pack'. Although there have been no reports yet of actual exploitation via this method, you should note that in order to protect yourself you should avoid sharing folders with contacts you don't trust.
Nevertheless Microsoft are tough on security flaws, let's just hope there are no stupid decisions this time around.
>> Source: mess.be
Microsoft have began 'phase 2' of updating Windows users to the fixed builds of MSN/ Windows Live Messenger. Now users using Windows 95 to Windows 2000 will have to update to MSN Messenger 7.0.0820:
What I find interesting is that Microsoft are still forcing the update despite the high amount of criticising comments left on the MessengerSays blog.
In the second phase, we are turning on the Mandatory Security Upgrades for Windows 2000, Windows 98, Windows 98 SE, and Windows ME. As noted in the security bulletin, we have built a new version of MSN Messenger 7.0, build number 7.0.0820, that will run on Windows 2000. This version of MSN Messenger has also been tested for Windows 98, Windows 98 SE, and Windows ME. Users should expect these upgrades to start soon.
To recap, the set of Messenger clients that do not have the webcam security vulnerability are:
To recap, the set of Messenger clients that do not have the webcam security vulnerability are:
- Windows Live Messenger 8.1 (for XP and Vista)
- MSN Messenger 7.0.0820 (for Windows 2000 and Windows 98, SE, ME)
- Windows Messenger – all versions (XP only)
- MSN Messenger 5.0 for Windows 95.
- Microsoft Messenger for Macintosh (all versions)
What I find interesting is that Microsoft are still forcing the update despite the high amount of criticising comments left on the MessengerSays blog.
I've been receiving a lot of emails the past couple of days and reading many comments on various Messenger blogs and forums about Windows XP users being forced to upgrade from MSN Messenger to Windows Live Messenger. To sum up there are many users who find the program new and exciting, and of course those who find the update restrictive and incompatible with their system.
Windows Live Messenger is seen as a resource hogging, new designed, new branded MSN Messenger and people don't seem to like it. Many people stick with MSN Messenger for a variety of reasons as Windows Live Messenger may have compatibly issues or people simply don't like change.
MessengerSays, the official development blog of Windows Live Messenger has posted about the forced update three times now. They are addressing problems and listening to feedback. Nevertheless, there seems no sign that the team will reverse their decision.
The ionic thing about this was Microsoft forced users to update to fix a security hole that wasn't even being exploited. This was to protect user's computers and of course avoid a bad experience using Messenger. However, by doing this they have created more tension between the program and its users on a scale worse than what a virus could do. In my opinion MSN Messenger should still be available to everyone.
Another thing to note is, if you're on Windows XP and using the new MSN Messenger 7.0.0820 build to avoid the update, you will no longer be able to sign in. According to Messenger MVP Sunshine you will be forced to update:
Basically if you're using Windows XP, MSN Messenger is a thing of the past. Say hello to Windows Live Messenger or find an alterative client. If you have an issue report it to the offical Windows Live Messenger newsgroups.
>> MessengerSays: Upgrading to Messenger 8.1
>> MessengerSays: We hear you!
>> MessengerSays: Securing Messenger
Windows Live Messenger is seen as a resource hogging, new designed, new branded MSN Messenger and people don't seem to like it. Many people stick with MSN Messenger for a variety of reasons as Windows Live Messenger may have compatibly issues or people simply don't like change.
MessengerSays, the official development blog of Windows Live Messenger has posted about the forced update three times now. They are addressing problems and listening to feedback. Nevertheless, there seems no sign that the team will reverse their decision.
The ionic thing about this was Microsoft forced users to update to fix a security hole that wasn't even being exploited. This was to protect user's computers and of course avoid a bad experience using Messenger. However, by doing this they have created more tension between the program and its users on a scale worse than what a virus could do. In my opinion MSN Messenger should still be available to everyone.
Another thing to note is, if you're on Windows XP and using the new MSN Messenger 7.0.0820 build to avoid the update, you will no longer be able to sign in. According to Messenger MVP Sunshine you will be forced to update:
Even tho it says in the system requirements of 7.0.0820 that you can run it on WinXP you are not supposed to do so. WinXP has gotten into the requirements by mistake, this will be fixed. MSN Messenger 7.0.0820 will only run on OS'es pre-Windows XP..all on WinXP and Vista will have to upgrade to Windows Live Messenger.
Basically if you're using Windows XP, MSN Messenger is a thing of the past. Say hello to Windows Live Messenger or find an alterative client. If you have an issue report it to the offical Windows Live Messenger newsgroups.
>> MessengerSays: Upgrading to Messenger 8.1
>> MessengerSays: We hear you!
>> MessengerSays: Securing Messenger
As I predicted a couple of days ago a new build has been released for MSN Messenger 7.0, fixing a known webcam exploit. The update has come in to protect Windows users using Windows 2000 or below. XP users will be forced to upgrade to Windows Live Messenger 8.1 or higher.
Since the release there have been numerous requests by XP users who still want to keep MSN Messenger. Some people are very reluctant to use Windows Live Messenger for a variety if reasons. So what can you do to keep using MSN Messenger? Well there is a choice ...
First of all you could trick the Messenger protocol into keep using MSN Messenger, although there are no know tools for this yet you will probably see one crop up soon. The most common fixes are either changing the Messenger build number using resource hacker or selecting the compatibly mode when running the program (see screenshot).
Messenger MVP Sunshine had this to say on the issue:
Users should be promoted of the security update, but forcing users to switch to what seems like a new program is suicide for Messenger. I think things like this is what is putting MSN/ Windows Live Messenger firmly in the past, the market of instant messaging has changed since the glory days of just chatting to friends.
>> Download MSN Messenger 7.0.0820
Since the release there have been numerous requests by XP users who still want to keep MSN Messenger. Some people are very reluctant to use Windows Live Messenger for a variety if reasons. So what can you do to keep using MSN Messenger? Well there is a choice ...
First of all you could trick the Messenger protocol into keep using MSN Messenger, although there are no know tools for this yet you will probably see one crop up soon. The most common fixes are either changing the Messenger build number using resource hacker or selecting the compatibly mode when running the program (see screenshot).
Messenger MVP Sunshine had this to say on the issue:
If you are on WinXP and you don't like Windows Live Messenger you can also get the renewed MSN Messenger 7 version:
MSN Messenger 7.0.0820 for Windows 98, Windows 2000, Windows Millenium and Windows XP
The workaround posted here will probably stop working soon too, eventually you will not be able to sign in with 7.5 anymore (as long as you are using it you are also putting your comp at risk)! Users on Windows 98, Windows 2000, Windows Millenium will be forced to upgrade to 7.0.0820.
Detailed info: Microsoft Security Bulletin MS07-054, Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution (942099)
MSN Messenger 7.0.0820 for Windows 98, Windows 2000, Windows Millenium and Windows XP
The workaround posted here will probably stop working soon too, eventually you will not be able to sign in with 7.5 anymore (as long as you are using it you are also putting your comp at risk)! Users on Windows 98, Windows 2000, Windows Millenium will be forced to upgrade to 7.0.0820.
Detailed info: Microsoft Security Bulletin MS07-054, Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution (942099)
Users should be promoted of the security update, but forcing users to switch to what seems like a new program is suicide for Messenger. I think things like this is what is putting MSN/ Windows Live Messenger firmly in the past, the market of instant messaging has changed since the glory days of just chatting to friends.
>> Download MSN Messenger 7.0.0820
XP users forced to use Windows Live Messenger to prevent webcam exploit
on Tue 11 Sep 2007 (16:44 GMT)
on Tue 11 Sep 2007 (16:44 GMT)
In an update to the Messenger webcam security flaw, Microsoft have, on 'Patch Tuesday' implemented a security method to protect users from the exploit. Any Windows XP user using a Messenger client of version 8.0 or below will now be forced to update to Windows Live Messenger 8.1.
This still leaves other Windows users at risk, but this is just a temporary solution to the problem (I would hardly call this a huge security flaw anyway, it is hard to get any virus of this nature spreading). If anything I am more concerned about MSN Messenger users not wanting to use Windows Live Messenger as to some they are two different programs and a minority will want to keep using MSN Messenger.
If your wondering why this only applies to Windows XP users, it simply comes down to users of Windows 2000 and below are not compatible with newer versions of Messenger. I think we can expect some form of update for MSN Messenger 7.0 in the near furture.
This still leaves other Windows users at risk, but this is just a temporary solution to the problem (I would hardly call this a huge security flaw anyway, it is hard to get any virus of this nature spreading). If anything I am more concerned about MSN Messenger users not wanting to use Windows Live Messenger as to some they are two different programs and a minority will want to keep using MSN Messenger.
If your wondering why this only applies to Windows XP users, it simply comes down to users of Windows 2000 and below are not compatible with newer versions of Messenger. I think we can expect some form of update for MSN Messenger 7.0 in the near furture.
Yahoo! Messenger may of had another recent security scare relating to vulnerabilities in its webcam system last week, but things were soon patched up and users were protected. Now it seems MSN Messenger and Windows Live Messenger 8.0 also have a similar problem.
The problem is caused by a 'buffer overflow' and to be honest it is nothing to worry about if you know the people who you are accepting webcam invitations from. The problem with this situation is a fix is already present for Windows Live Messenger, but MSN Messenger is still open to the security flaw.
So what does this mean for MSN Messenger? Well MSN Messenger is still a popular program, Microsoft still support it and you have to remember Windows Live Messenger is just an updated and re-branded MSN Mesenger. Forcing users to update to Windows Live Messenger would not be a wise move.
Zdnet managed to get a quote from a Microsoft spokesperson on the issue:
This still shows Microsoft are still keen on MSN Messenger users and will support critical updates for the program. I expect a new build for MSN Messenger will be available within the near future.
The problem is caused by a 'buffer overflow' and to be honest it is nothing to worry about if you know the people who you are accepting webcam invitations from. The problem with this situation is a fix is already present for Windows Live Messenger, but MSN Messenger is still open to the security flaw.
So what does this mean for MSN Messenger? Well MSN Messenger is still a popular program, Microsoft still support it and you have to remember Windows Live Messenger is just an updated and re-branded MSN Mesenger. Forcing users to update to Windows Live Messenger would not be a wise move.
Zdnet managed to get a quote from a Microsoft spokesperson on the issue:
Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.
This still shows Microsoft are still keen on MSN Messenger users and will support critical updates for the program. I expect a new build for MSN Messenger will be available within the near future.
Last Saturday I posted about a Yahoo! Messenger vulnerability which targeted webcam users. Yahoo! have now released a security update fixing the exploit. Users are recommended to upgrade to the new 8.1.0.416 build.
>> Source: Yahoo! Messenger blog
Even if you installed Yahoo! Messenger as recently as August 20th, 2007 you may not have the very latest version.
You can check to see if you have the latest version by clicking the 'Help' menu option at the top right of your Yahoo! Messenger window, and then clicking 'About Yahoo! Messenger' or 'Check for Updates'.
If your Yahoo! Messenger version number is 8.1.0.416 (or higher) then you have the latest and do not need to take any immediate action. If you are running anything lower than 8.1.0.416 then please upgrade to the latest version.
You can check to see if you have the latest version by clicking the 'Help' menu option at the top right of your Yahoo! Messenger window, and then clicking 'About Yahoo! Messenger' or 'Check for Updates'.
If your Yahoo! Messenger version number is 8.1.0.416 (or higher) then you have the latest and do not need to take any immediate action. If you are running anything lower than 8.1.0.416 then please upgrade to the latest version.
>> Source: Yahoo! Messenger blog
After the disaster of blocking .info domains a couple of weeks ago and the attention it got, Microsoft have released a statement justifying their reasons behind the controversial security method:
Personally, despite the reasons behind the block still not valid in my opinion, the sloppiness of the feature has been changed so not every message with '.info' within it is blocked. Now '.info' is only blocked in things that Messenger recognises as URLs and turns into clickable, blue links. The user will also be notified that their message never went through, but they will not receive an explanation why.
Any virus creator can just encode the URL or use services such as TinyURL to work around this. The people losing out are me and you, who need to send non-dangerous messages to our friends and work colleagues every day.
I still believe things should be blocked on a case by case basis (if not blocked at all). The feature is still poorly implemented, but after the attention of the past week hopefully something will be done soon.
For me it wasn't that much of an annoyance, I've been receiving a swarm on hits since all this was revealed, maybe I should stop complaining?
>> Source: mess.be
In order to prevent the spread of a malicious advertising effort that included Windows Live Messenger accounts as targets, Microsoft took steps to block instant messages that include the words '.info' and a few additional key words to protect our customers. The targeted accounts were sent either info or another URL, which led to a website asking them to provide their Windows Live user id and password. If the customer provided that information, the user's complete contact list also received a message with the domain site link. This was not a Microsoft sponsored effort, and in order to prevent the spread of it through our service, instant messages that include the words '.info' and a few additional key words have been blocked. This action may block some safe, reputable sites and we apologize for any inconvenience this may cause our customers, however, given the circumstances this action was necessary. In an effort to remedy this moving forward, Microsoft continues to investigate other ways to protect our consumers from this threat.
Microsoft recommends that Windows Live Messenger users do not provide their account information to third-party sites. To learn more about how to recognize a social engineering threat, more information is available at http://www.microsoft.com/athome/security/email/socialengineering.mspx. In addition, Microsoft continues to encourage people to follow the 'Protect Your Computer' guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at www.microsoft.com/protect.
Microsoft recommends that Windows Live Messenger users do not provide their account information to third-party sites. To learn more about how to recognize a social engineering threat, more information is available at http://www.microsoft.com/athome/security/email/socialengineering.mspx. In addition, Microsoft continues to encourage people to follow the 'Protect Your Computer' guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at www.microsoft.com/protect.
Personally, despite the reasons behind the block still not valid in my opinion, the sloppiness of the feature has been changed so not every message with '.info' within it is blocked. Now '.info' is only blocked in things that Messenger recognises as URLs and turns into clickable, blue links. The user will also be notified that their message never went through, but they will not receive an explanation why.
Any virus creator can just encode the URL or use services such as TinyURL to work around this. The people losing out are me and you, who need to send non-dangerous messages to our friends and work colleagues every day.
I still believe things should be blocked on a case by case basis (if not blocked at all). The feature is still poorly implemented, but after the attention of the past week hopefully something will be done soon.
For me it wasn't that much of an annoyance, I've been receiving a swarm on hits since all this was revealed, maybe I should stop complaining?
>> Source: mess.be