Investor service ponders downgrading CA's credit rating

Microsoft confirmed Friday that its instant messaging programs MSN Messenger and the Windows Messenger included with the company's Windows XP operating system can allow users' names and e-mail addresses, as well as those of all their chat buddies, to be viewed. The issue was first mentioned in an alert posted to the Bugtraq security e-mail list on February 2.

The flaw, which was discovered by Richard Anthony Burton, allows a Javascript placed on a Web page visited by MSN Messenger users to obtain a user's display name for the chat program, as well as the names of all their contacts in the program, he wrote. This could allow many people's real names to be harvested by malicious Web sites, he said. If no display name is set in the program, the Javascript will obtain the user's e-mail address instead, according to Burton.

Some Web sites owned by Microsoft are able to access the e-mail addresses of users and all their contacts, Burton wrote. The technique used by these sites to monitor user visits could also be used by other Web sites, if users downloaded software that changed their computer settings slightly to allow the monitoring, he wrote. Such a change might be made without warning the user, he added.

In Burton's test, the bug affects MSN Messenger 4.60073 on Windows 2000 using Internet Explorer 6 and the same versions of Windows Messenger and Internet Explorer on Windows XP.

The flaw, which a Microsoft spokeswoman acknowledged Friday to be true, exists as part of a feature designed to allow Messenger users to be notified when they've received new e-mail in their Hotmail accounts, and to see if the person who has sent an e-mail to those accounts is online with Messenger.

Though Microsoft is treating the flaw as low risk, it will release a new version of the Messenger products that addresses the issue early next week, the spokeswoman said. Users will be notified that a new version is available and will be prompted to download it, the spokeswoman added.

In the meantime, concerned users can go to the MSN Messenger support Web site for information about the issue and steps they can take to protect themselves, the spokeswoman said.

That page is located at http://messenger.msn.com/support/status.asp.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Sam Costello

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?