Modernizing Authentication — What It Takes to Transform Secure Access
Hit hard by a slew of recent virus warnings and other security foul-ups, Microsoft
is taking dramatic steps to ensure that its public instant messaging clients don't become tools in the hands of malicious hackers.Specifically, the Redmond, Wash.-based software giant is requiring that users of its MSN Messenger and Windows Messenger upgrade to the latest versions of the software. Typically, the messenger clients merely display a message reminding users to download the new release, without any sort of additional encouragement or penalty. But in this case, users who fail to upgrade risk being cut off from the company's .NET Messaging service.
MSN Messenger users must upgrade to version 5.0 for Windows, or version 3.5 for Mac. Users of Windows Messenger, the IM client that ships with Windows XP, must ensure they have version 4.7.2000 or higher.
The newest versions of the IM clients feature enhanced security and authentication features, making them less susceptible to attacks by malicious hackers and would-be identity thieves.
"The root cause here is we discovered that there are some security issues and vulnerabilities associated with earlier versions of the Messenger client -- both the Windows Messenger and MSN Messenger," said Microsoft spokesman Sean Sundwall. "To make sure we have the same level of security and the same experience for all customers, we are requiring that all upgrade to the newer set of clients."
Sundwall declined to go into detail about the vulnerabilities, but did say that the security architects between older and newer versions of the IM clients are "completely different."
"Newer clients have a newer one that we feel is much more secure, and will provide a much better experience -- not just for users, but for the entire network," he said."
While its unclear exactly which security features needed revamping, it's known that MSN Messenger 5 included a new version of the .NET Messenger Service protocol, using stronger means for authentication that replace MD5 authentication. Following the changes, the software makes SSL connections to .NET Passport servers.Microsoft has been encouraging users of earlier software to upgrade by sending them e-mails -- and warning them of te impending cut-off should they not comply.
"As part of Microsoft's Trustworthy Computing initiative, Microsoft is updating the .NET Messenger Service and providing you with an important MSN Messenger or Windows Messenger security update," the e-mail said. "If you are not using an updated version, you will be unable to continue using your MSN Messenger or Windows Messenger Service. Thank you for helping Microsoft further its commitment to helping you protect your privacy and security online."
Next month, the company plans to begin warning users of older clients with a message each time they login. Users will be unable to connect to Passport services entirely beginning Oct. 15.
Spokespeople did not indicate whether the upgrade came in response to any specific virus or hacker threat -- neither of which has been common.
Nevertheless, the move comes just days after ISPs and businesses nationwide suffered attacks by the so-called "Blaster" and "Welchia" worms, which each relied on security holesin Microsoft Windows. Ironically, Microsoft released a patch for the vulnerability in March, but a large number of users and IT admins evidently hadn't applied the fix.
Such security holes promoted the thinking behind Microsoft's aggressive stance on Messenger upgrades, said sources close to the company.
Earlier this year, Microsoft's Passport authentication system itself -- also in use at Hotmail, MSN.com, and a number of partnered sites like eBay -- came under scrutinyfor security holes in the way that it enables users to login to MSN Hotmail.
The efforts to safeguard MSN Messenger and Windows Messenger also highlight the relative perils of public instant messaging use -- and the reason that businesses are turning to enterprise-only IM systems, or installing additional network protections to secure their employees' use of public IM.
Windows Messenger is being phased into a client for Microsoft's Live Communications Server, the enterprise IM system formerly known as "Greenwich." The hotly anticipated server software was released to manufacturing for distribution earlier this week.