[ISN] Security concerns put MSN Messenger beta on hold

From: InfoSec News (isn@private)
Date: Sat Oct 09 2004 - 02:02:58 PDT


http://www.computerworld.com/securitytopics/security/story/0,10801,96475,00.html

By Joris Evers
OCTOBER 07, 2004
IDG NEWS SERVICE

Microsoft Corp. has suspended the beta testing of the next version of
its MSN Messenger client because of a potential security problem, a
company spokeswoman said yesterday.

Testers discovered a potential security issue in the early version of
MSN Messenger 7 shortly after Microsoft made the instant messaging
client available to a select group of testers over the weekend,
according to postings on MSN Messenger enthusiast Web site Mess.be.

The problem lies in a new MSN Messenger feature dubbed "winks" that
allows users to send each other sound animations. The feature can be
abused to overwhelm a user's system, according to Mess.be.

The company has decided to put the test on hold and pull the software
while it looks into the issue. It will make available a new version of
the client, one without the winks feature, probably some time next
week, the spokeswoman said.

The test version of MSN Messenger 7 was designed to only allow
approved animations to be sent. However, Microsoft is investigating
the possibility that the feature may be exploited to send "rogue winks
that could cause security issues," the spokeswoman said. Although
winks will no longer be in this test version of MSN Messenger,
Microsoft still plans to include the feature in the final version of
the product, she said.

It is unclear how many people downloaded the potentially vulnerable
version of MSN Messenger. The software had not officially been
released to testers and only a small group of people was given access
to the download, according to Microsoft. However, the potentially
vulnerable instant messaging client has popped up elsewhere on the
Web.

Microsoft announced the limited beta of MSN Messenger 7 last week. The
test is a significant step in the release process for MSN Messenger,
which has 135 million active users per month. Microsoft hopes to
release a final version of the software in the first quarter of 2005,
after a public beta test scheduled for later this year.

While Microsoft's MSN group has pulled one trial version of its
products, another is back. The company on Monday quietly launched a
second "technology preview" of its upcoming Internet search engine,
MSN Search. The first preview went online in early July with an index
of 1 billion Web pages and was taken offline in August. The second
preview is similar, but Microsoft has now indexed 5 billion Web pages,
the spokeswoman said.

In addition to the larger index, MSN Search has been improved to
provide more relevant search results, the spokeswoman said. The
service also offers results from more Internet domains, as well as
spelling correction and cached pages, she said. The launch of the
final version of the MSN Search product, Microsoft's answer to Google
Inc.'s search success, is expected later this year or early next year.  
The MSN Search preview page is available at
http://techpreview.search.msn.com/.



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Sat Oct 09 2004 - 04:20:22 PDT