Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
Valentine's Day Patch Tuesday: Microsoft to issue 9 patches, 4 critical
Mobile World Congress sneak peek: Quad-core smartphones, Ice Cream Sandwich & more
Microsoft details 'Windows on ARM' program
March debut of 'iPad 3' a sure bet, says analyst
FBI unbolts Steve Jobs 1991 investigation file
Cisco boosted profit, sales in Q2 while cutting costs
Macs take on the enterprise
Four crazy tech ideas from Google's Solve for X project
Obama 2012 campaign playlist revealed courtesy of Spotify
Oracle buying Taleo for US$1.9 billion in direct hit at SAP
Amazon attacks Apple: You get 3 Kindle products for price of iPad 2
Pre-rendered pages highlight latest Google Chrome release
Microsoft exec: Lync-Skype integration a 'compelling opportunity'
The future of hypervisors
/

MSN Messenger flaw can disclose user data

Application service providers were supposed to be the next big thing, but the market got off to a rocky start and many vendors went bust. Now a new generation of ASPs, joined by traditional software vendors like Microsoft and Oracle, is promising to deliver on the 'software as a service' concept

Related linksToday's breaking news
Send to a friendFeedback

By Sam Costello
IDG News Service, 02/08/02

Microsoft confirmed Friday that its instant messaging programs MSN Messenger and the Windows Messenger included with the company's Windows XP operating system can allow users' names and e-mail addresses, as well as those of all their chat buddies, to be viewed. The issue was first mentioned in an alert posted to the Bugtraq security e-mail list on Feb. 2.

The flaw, which was discovered by Richard Anthony Burton, allows a Javascript placed on a Web page visited by MSN Messenger users to obtain a user's display name for the chat program, as well as the names of all their contacts in the program, he wrote. This could allow many people's real names to be harvested by malicious Web sites, he said. If no display name is set in the program, the Javascript will obtain the user's e-mail address instead, according to Burton.

Some Web sites owned by Microsoft are able to access the e-mail addresses of users and all their contacts, Burton wrote. The technique used by these sites to monitor user visits could also be used by other Web sites, if users downloaded software that changed their computer settings slightly to allow the monitoring, he wrote. Such a change might be made without warning the user, he added.

In Burton's test, the bug affects MSN Messenger 4.60073 on Windows 2000 using Internet Explorer 6 and the same versions of Windows Messenger and Internet Explorer on Windows XP.

The flaw, which a Microsoft spokeswoman acknowledged Friday to be true, exists as part of a feature designed to allow Messenger users to be notified when they've received new e-mail in their Hotmail accounts, and to see if the person who has sent an e-mail to those accounts is online with Messenger.

Though Microsoft is treating the flaw as low risk, it will release a new version of the Messenger products that addresses the issue early next week, the spokeswoman said. Users will be notified that a new version is available and will be prompted to download it, the spokeswoman added.

In the meantime, concerned users can go to the MSN Messenger support Web site for information about the issue and steps they can take to protect themselves, the spokeswoman said.

The IDG News Service is a Network World affiliate.

RELATED LINKS


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.