Microsoft mandates Messenger upgrade for security flaws

Users of Microsoft's Windows Live Messenger instant messaging software will soon be required to upgrade to the latest version to close vulnerabilities that could enable an attacker to remotely execute code.

Last Tuesday, Microsoft pushed out the newest version, Windows Live Messenger 14.0.8089. The upgrade addressed vulnerabilities in Microsoft's Active Template Library (ATL), used in the development of the IM program, the company said in a blog post last Thursday.

Microsoft is not aware of any attacks currently targeting the ATL vulnerability in Live Messenger, a Microsoft spokesperson told SCMagazineUS.com on Tuesday.

Beginning in the middle of this month, users of Messenger versions 8.1, 8.5 and 14.0 must upgrade, with a deadline of the end of October. Users will be prompted to install the new version when they sign in to one of the vulnerable versions of Live Messenger, Microsoft said. If users do not upgrade, they may not be able to connect to the IM service.

"It will take several weeks for the upgrade process to be completed, as the upgrade will be rolled out to customers over the course of several weeks," Microsoft said.

Users of Live Messenger version 14.0 will not see any visible changes with the upgrade. But for users of Windows Live Messenger versions 8.1 or 8.5, the update also includes additional non-security features, Microsoft said.

The vulnerabilities in ATL affect not only Live Messenger but numerous programs developed with ATL. In late July, Microsoft issued two out-of-band security patches to address the ATL bugs in Visual Studio and Internet Explorer. Microsoft also fixed five additional vulnerabilities in ATL during its scheduled Patch Tuesday on Aug. 11.
