In a critical security bulletin Microsoft said the Chat and Instant Messenger programs have a flaw that would enable a hacker to break into computers.
Microsoft said that by exploiting a programming flaw known as an unchecked buffer, an attacker would be able to overwhelm a computer by sending it more information than the program can handle. Once overwhelmed, the machine would be vulnerable to just about any code or instructions sent to it by the attacker.
Christopher Budd, security program manager at Microsoft's Security Response Center, said the potential vulnerability has been found in MSN Chat control (an ActiveX control), MSN Messenger 4.5 and 4.6 (which include MSN Chat Control) and Microsoft Exchange Instant Messenger 4.5 and 4.6 (which also includes the Chat Control).
Users of Chat and Instant Messenger are prompted to download the latest update when they log into the service. But some users on corporate networks may find it difficult to install the fixed version of these programs unless they have administrator privileges on their machine. Microsoft has also made available a patch that disables the Chat feature for those users.
The problem was first reported to Microsoft in late March. It can be exploited through e-mail, a malicious Web site or through any other method where Microsoft's Internet Explorer browser is used to display HTML that an attacker supplies, including software that uses an ActiveX module.
All users of Internet Explorer are potentially affected, according to the company, and should install the updates.
Microsoft said the latest Windows operating system, Windows XP, includes a Windows Messenger program that is not affected by this vulnerability. Windows XP users would be vulnerable only if they installed the MSN Chat control from MSN sites on their own.
Eric Hemmendinger, an analyst at Aberdeen Group, said businesses should be interested in such security announcements even if they are not officially deploying these applications for their workers.
"Even if the business is not using it, but people inside the business are, then they are vulnerable and the business is," Hemmendinger said.
IT officials need to check the company's machines and be sure that any needed fixes are applied, he said.
Charles Kolodgy, an analyst at IDC, said that businesses can protect themselves by blocking the acceptance of HTML e-mail and setting up their networks to prevent workers from downloading unauthorised applications, including chat and instant messaging programs.