Tuesday, February 15, 2005

Kudos to Microsoft

According to this TechWeb story, Microsoft is denying access to MSN Messenger clients older than version 6.2.0205. This is a response to Core Security's advisory, which Microsoft followed with MS05-009. A malformed buddy image could exploit a vulnerable user's instant messaging (IM) client. Microsoft even posted a dedicated page explaining the problem to IM users.

This is the first time I recall a vendor (at least Microsoft) denying access to a service because a user is running vulnerable software. This would be like refusing to let a person browse the Web because their version of Internet Explorer is too old, or refusing to let them check mail because Outlook is out-of-date. This is a form of "network admission control" (Cisco-speak) or "network access protection" (Microsoft-speak) taken to a whole new level. I hope to see more of this in the future. Of course, I would prefer all of this to be transparent to users who don't care. I would much rather have everyday email- and Web-checking users running centrally managed thin clients.
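To make the idea concrete, here is an added example (my own illustration, not Microsoft's or MSN's code) of the kind of server-side admission gate the post describes: a service that refuses clients reporting a version older than a minimum patched build, using the 6.2.0205 threshold from the story. The version strings, the `admit_client` helper and the sample connection attempts are all constructed for illustration. The one detail worth noticing is that versions must be compared numerically, component by component; a plain string comparison would wrongly rank 6.10.0000 below 6.2.0205, and a malformed version string should fail closed rather than be admitted by default.

```python
"""
Added example (not Microsoft's code): a minimal server-side admission gate
that refuses instant-messaging clients below a minimum patched version,
as the post describes MSN Messenger doing for builds older than 6.2.0205.
The helper names and the sample version strings are assumptions made for
illustration.
"""
from dataclasses import dataclass
from typing import Tuple

MIN_CLIENT_VERSION = "6.2.0205"  # threshold cited in the post


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version string into integer components.

    Numeric comparison matters: a string comparison would rank
    '6.10.0000' below '6.2.0205' because '1' < '2'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed client version: {text!r}")
    return tuple(int(p) for p in parts)


def version_at_least(client: str, minimum: str = MIN_CLIENT_VERSION) -> bool:
    """True if the client version is at or above the minimum."""
    c, m = parse_version(client), parse_version(minimum)
    # Pad the shorter tuple with zeros so that '6.2' compares equal to '6.2.0'.
    width = max(len(c), len(m))
    c += (0,) * (width - len(c))
    m += (0,) * (width - len(m))
    return c >= m


@dataclass
class AdmissionDecision:
    admitted: bool
    reason: str


def admit_client(version_header: str) -> AdmissionDecision:
    """Decide whether a connecting client may use the service.

    A malformed version string is treated as a failed check (fail closed)
    rather than being waved through.
    """
    try:
        ok = version_at_least(version_header)
    except ValueError as exc:
        return AdmissionDecision(False, f"rejected: {exc}")
    if ok:
        return AdmissionDecision(True, "admitted")
    return AdmissionDecision(
        False,
        f"rejected: client {version_header} is older than "
        f"{MIN_CLIENT_VERSION}; upgrade required",
    )


# Constructed sample connection attempts (not real data).
SAMPLE_CLIENTS = ["6.1.0211", "6.2.0205", "6.2.0208", "7.0.0813", "6.10.0000", "6.2.abc"]

if __name__ == "__main__":
    for v in SAMPLE_CLIENTS:
        decision = admit_client(v)
        print(f"{v:>10}: {decision.reason}")
```

Run as a script, the loop prints one decision per sample client; only the 6.1.0211 build and the malformed "6.2.abc" string are turned away, while 6.10.0000 is correctly admitted despite sorting below 6.2.0205 lexically.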

Update: According to this Microsoft Security Response Center Blog entry, "all 150 million MSN Messenger users worldwide are now updated and no longer subject to exploitation from this vulnerability. It was a big decision to make the upgrade mandatory in such a short period of time, but we collectively decided that the small inconvenience of having customers upgrade was the right thing to do to help protect them."


Susan Bradley said...

It's 05-009 not -006

Richard Bejtlich said...

Thanks Susan -- it's fixed.
