A new flaw in Microsoft's MSN Messenger software could reveal
users' names and e-mail addresses, as well as the names of people
on their "buddy list".
The flaw allows a JavaScript program placed on a Web page visited
by MSN Messenger users to capture a user's display name for the
chat program, as well as the names of all their contacts. This
could allow people's real names to be harvested by malicious Web
sites, he said. If no display name is set in the program, the
JavaScript will obtain the user's e-mail address instead.
The flaw exploits a feature in MSN Instant Messenger, which
notifies users when they have received new e-mail in their Hotmail
accounts.
Though Microsoft is treating the flaw as low risk, it will release
a new version of its Messenger products early next week, a
spokeswoman said. Users will be notified that a new version is
available and will be prompted to download it.
In the meantime, Microsoft is advising concerned users to go to the
MSN Messenger support Web site (messenger.msn.com/support/status.asp)
for information about the issue and steps they can take to
protect themselves.