Tuesday, February 15, 2005

Kudos to Microsoft

According to this TechWeb story, Microsoft is denying access to MSN Messenger clients older than version 6.2.0205. This is a response to Core Security's advisory, which Microsoft followed with MS05-009. A malformed buddy image could exploit a vulnerable user's instant messaging (IM) client. Microsoft even posted a dedicated page explaining the problem to IM users.

This is the first time I recall a vendor (at least Microsoft) denying access to a service because a user is running vulnerable software. This would be like refusing to let a person browse the Web because their version of Internet Explorer is too old, or refusing to let them check mail because Outlook is out-of-date. This is a form of "network addmission control" (Cisco-speak) or "network access protection" (Microsoft-speak) taken to a whole new level. I hope to see more of this in the future. Of course, I would prefer all of this to be transparent to users who don't care. I would much rather have everyday email- and Web-checking users running centrally managed thin clients.

Update: According to this Microsoft Security Response Center Blog entry, "all 150 million MSN Messenger users worldwide are now updated and no longer subject to exploitation from this vulnerability. It was a big decision to make the upgrade mandatory in such a short period of time, but we collectively decided that the small inconvenience of having customers upgrade was the right thing to do to help protect them."

3 comments:

Susan Bradley said...

It's 05-009 not -006

Richard Bejtlich said...

Thanks Susan -- it's fixed.

Anonymous said...
This comment has been removed by a blog administrator.