Microsoft Corp. on Friday lashed out at two security research firms for publishing proof-of-concept exploit code for MSN Messenger hours after Microsoft released security patches for the product.
In one instance, the software giant said malicious hackers have modified the proof-of-concept code into an exploit that puts millions of users at risk of code execution attacks that require no user interaction.
Moving swiftly to blunt an attack, Microsoft has decided to push out patched versions of MSN Messenger as a mandatory update. As of Thursday evening, users of the popular instant messaging client must update to MSN Messenger version 6.2.0205 or the MSN Messenger 7.0 beta before they are allowed to log on.
“When the vulnerability was announced this week we initially introduced an optional upgrade and had plans to make the upgrade mandatory,” a Microsoft spokesperson said. “But when we learned that detailed exploit code had been published on the Internet we felt the need to take decisive action.”
According to the exploit code seen by eWEEK.com, an attacker need only load a malicious PNG (Portable Network Graphics) file as a buddy icon to launch an attack against every MSN Messenger user on a buddy list.
Core Security Technologies, the research company that found and reported the flaw, confirmed that the published exploit code could be used to launch blind attacks.
“The target doesn't even have to communicate with the attacker. Once the attacker has the target's MSN Messenger contact on his contact list, he can launch an attack without the target even knowing,” said Max Caceres, director of product management at Core Security.
Even worse, Caceres told eWEEK.com that the attacker could take control of the infected machine and change the target's display to replicate the attack against everyone on that buddy list.
“This could lead to a massive, widespread attack unless all MSN Messenger users apply the upgrades,” he said.
Microsoft late Thursday released a security advisory to warn customers of the risk. The company also provided step-by-step instructions in a separate notice for both consumer and enterprise MSN Messenger users.
Microsoft pinned the blame for the exploit code squarely on the shoulders of Core Security, alleging that the public exploit is based on proof-of-concept code released by the Mass.-based information security firm.
“[Core Security] published proof-of-concept code on the Internet the same day Microsoft issued Security Bulletin MS05-009 to resolve the issue. Since then, a separate individual has modified the posted code into exploit code,” Microsoft said in a strongly worded statement.
“[T]he publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk.”
Caceres dismissed the Microsoft accusation and pointed out that engineers at Core Security worked closely with Microsoft since reporting the vulnerability in August 2003.
“We worked with Microsoft for six months to develop this patch. We waited until they released the fix before we published our advisory,” Caceres said, arguing that it is common procedure to provide proof-of-concept code to let businesses determine whether their systems are secure.
Core Security's alert contained a ZIP-compressed image of a malformed PNG file that was intended to allow MSN Messenger users to check to see if they were vulnerable.
“We're in the business of getting people to understand how secure their systems are and to help them test to see if they are vulnerable. Our proof-of-concept is used for those tests. It is not to be used by an attacker to arbitrarily control a target,” Caceres said.
But Microsoft isn't buying that explanation. “A common practice among responsible researchers is to wait a reasonable period of time before publishing such code … Microsoft is disappointed computer users were not given a reasonable opportunity to safeguard their computing environments.”
As part of the new plan to make the upgrade mandatory, all MSN Messenger users who attempt to log into the system with a vulnerable version of the client will be told they need to upgrade in the coming days or they will no longer be able to use the service with that vulnerable client.
MSN Messenger users running vulnerable clients will receive “toast” warnings about the vulnerability and be directed to a download page. They will not be able to log into the Messenger service until they accept that upgrade. MSN also plans to notify users about the security update via links on MSN properties and Web sites.
How to Protect Against an Exploit:
- MSN Messenger users should make sure their Windows and MSN Messenger software is current with the latest security updates released on Feb. 8. The latest versions of MSN Messenger can be downloaded from Microsoft. Alternatively, users can install an evaluation copy (beta release) of the new MSN Messenger 7.0, which is not targeted by the exploit code.
- Enterprise businesses should consider removing and blocking MSN Messenger from their environments. If this is not feasible, they should make sure every installed version of Windows and MSN Messenger is current with the latest security updates.
- MSN Messenger is not intended for corporate environments and Microsoft recommends uninstalling the client from a business network. Corporate clients should switch to Windows Messenger, which is included with Windows.
- Corporate users should also consider blocking access to MSN Messenger. This can be done by blocking outbound access to TCP port 1863 and blocking HTTP access to messenger.hotmail.com.
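The two network indicators in the last item (outbound TCP port 1863 and HTTP access to messenger.hotmail.com) are also what a corporate security team would search its firewall and proxy logs for to find machines still running MSN Messenger, and to confirm the block is actually in place. The script below is an added example, not code from the article or from Microsoft or Core Security; the log line formats and the addresses in them are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators are the two the article lists for corporate blocking.
MSN_PORT = 1863
MSN_HOST = "messenger.hotmail.com"

# Constructed sample logs (not real captures); external addresses use the
# RFC 5737 test range, internal ones are private RFC 1918 addresses.
FIREWALL_LOG = """\
2005-02-11T09:12:01 src=10.1.4.22 dst=198.51.100.45 proto=tcp dport=1863 action=allow
2005-02-11T09:12:05 src=10.1.4.22 dst=198.51.100.9 proto=tcp dport=443 action=allow
2005-02-11T09:13:40 src=10.1.7.8 dst=198.51.100.50 proto=tcp dport=1863 action=deny
2005-02-11T09:15:12 src=10.1.4.22 dst=198.51.100.45 proto=udp dport=1863 action=allow
"""
PROXY_LOG = """\
2005-02-11T09:14:02 src=10.1.9.3 GET http://messenger.hotmail.com/
2005-02-11T09:14:30 src=10.1.9.3 GET http://www.example.com/index.html
2005-02-11T09:16:00 src=10.1.7.8 CONNECT messenger.hotmail.com:80
"""

FW_RE = re.compile(r"src=(?P<src>\S+) .*proto=(?P<proto>\w+) dport=(?P<port>\d+) action=(?P<action>\w+)")
PROXY_RE = re.compile(r"src=(?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+)")

def find_messenger_clients(fw_log: str, proxy_log: str) -> dict:
    """Map each internal source address to the MSN Messenger indicators seen.

    'tcp1863-allowed' means the port block the article recommends is not in
    place for that host; 'tcp1863-denied' means the block fired; 'http-msn'
    means the host reached (or tried to reach) the HTTP gateway host.
    """
    hits = defaultdict(set)
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        # Only TCP to the Messenger port counts; other ports/protocols are ignored.
        if not m or m["proto"] != "tcp" or int(m["port"]) != MSN_PORT:
            continue
        hits[m["src"]].add("tcp1863-" + ("allowed" if m["action"] == "allow" else "denied"))
    for line in proxy_log.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        # Reduce a URL or a CONNECT host:port to the bare hostname before comparing.
        host = m["target"].split("://", 1)[-1].split("/", 1)[0].split(":")[0].lower()
        if host == MSN_HOST or host.endswith("." + MSN_HOST):
            hits[m["src"]].add("http-msn")
    return dict(hits)

if __name__ == "__main__":
    for src, reasons in sorted(find_messenger_clients(FIREWALL_LOG, PROXY_LOG).items()):
        print(src, sorted(reasons))
```

A host that shows up with `tcp1863-allowed` is one where the outbound block is missing and the client has not yet been uninstalled or upgraded.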