Microsoft Messenger Virus Hits Reuters IM

steman writes "Reuters had to temporarily shut down its private instant messaging service after being targetted by the W32/Kelvir-Re trojan. Reuters Messaging is implemented with Microsoft messenger technology and has more than 60,000 users. When activated, the Kelvir trojan sends itself to all users contacts via email and IM. Francis deSouza, chief executive of computer security provider IMLogic, said 'It just generated a flood of instant messages, so it suddenly slowed down the network for legitimate traffic. This is certainly a wake-up call, IM is just like any other communication media. The media needs to go hand-in-hand with security.'"

Duh!

[McGiraf]

"This is certainly a wake-up call, IM is just like any other communication media. The media needs to go hand in hand with security."

well duh!

Re:Duh!

[Seft]

I think they meant

"This is certainly a wake-up call, IM is just like any other communication medium. The medium needs to go hand in hand with security."

Re:Duh!

[SirPrize]

Wake up call to Slashdot too - this happened TWO WEEKS AGO. When I read this on Slashdot today, I immediately thought "dupe" because I remember reading about this before. I was mistaken though - this story was never posted. The Register posted the story almost immediately, though.

We haven't had that wake-up call yet?

[rlamoni]

I think many IT departments restrict the use of IM software for this very reason.

Re:We haven't had that wake-up call yet?

[pacroon]

But that shouldn't really be necessary to prohibit software use by their employees.

Re:We haven't had that wake-up call yet?

[Richie1984]

Which is a shame because whilst IM can be used for a lot of negative purposes, such as transfering virii or timewasting, it can also be used for a lot of positive reasons in business. For instance, it can provide, in my view, a more rapid and more effective way of communicating over long distance than email (obviously if both users are online at the same time). This can lead to greater communication within a company. IT departments should think carefully before banning IM programs across the board.

Re:We haven't had that wake-up call yet?

[FuzzyBad-Mofo]

My company has standardized on AIM. It's a critical tool for the business, as much as the telephone or e-mail.

Re:We haven't had that wake-up call yet?

[FriedTurkey]

When our IT department took away IM, I thought it would decline the my productivity. It actually increased my productivity and I would never want IM back. There were too many annoying IMs from people who can immediately IM you with total crap. They first take some time to look at it themselves now because they have to expend extra effort to get on the phone or send an email.

Having IM is kinda like having everyone at your company working in your cubicle. Anyone can just blurt out some kind of crap without thinking it through.

Try turning off IM for a day and see how much real work can get done.

Re:We haven't had that wake-up call yet?

[mordejai]

No, they don't.

Most of them restrict IM so the employees don't waste their time chatting.

But, as with almost every tech problem, 50% of it can be fixed with cultural changes.

Re:We haven't had that wake-up call yet?

[AyeRoxor!]

When our IT department took away IM, I thought it would decline the my productivity. It actually increased my productivity and I would never want IM back

There's plenty of people who would say the same thing about many modern conveniences. The funny thing is, you basically admit that it was your use of IM that was the problem.

This is typical. Person A has a problem where they can't stop using item X. Person A therefore campaigns for the restriction of item X, regardless of the positive results of others, and infringing the rights of all other persons who can actually control themselves.

Re:We haven't had that wake-up call yet?

[losman]

I can see your point but then I have to ask, who is to blame for the poor usage? Is it the person who is sending the crap to you or is it you that allows that person to send crap to you?

My company has IM and it has the Nextel phones with the two-way radios. When I first joined the company as a team lead I was given the phone. I turned around to each of my employees and peers and stated: you can 2-way page me on this phone if and only if the sky is falling.

As of today, 18 months later, I have not received one 2-way page. If and when I do receive one I know it will be becuase of a true emergency.

You have to tell people how to communicate to you. If someone sends you crap that you don't want, politely ask them not to. It is that simple. My wife use to email me jokes/pics and I finally turned to her and said don't. Unless you know it is something I would like, don't send me the stuff. She sends me something about once every two months.

It's not the technology. It's the people who send crap and the people who allow it to be sent to them.

Re:We haven't had that wake-up call yet?

[gstoddart]

I think many IT departments restrict the use of IM software for this very reason.

An increasing number of companies are rolling out IM in house. Set it up so your staff has access to your own secure thing and it's at least held within the VPN.

In this case, their in-house solution was based off Microsoft stuff that got breached. It sucks, but road warriors (and those clueless people that always download this stuff no matter what) cause this.

The scary thing is that corporations have such large internal infrastructure that they can't really secure. You'll probably see more of this within large companies.

Cheers

Re:We haven't had that wake-up call yet?

[FriedTurkey]

This is typical. Person A has a problem where they can't stop using item X. Person A therefore campaigns for the restriction of item X, regardless of the positive results of others, and infringing the rights of all other persons who can actually control themselves.

Infringing on rights? Having IM at work is not a Constitutional right.

That's great when you have a choice of IM. If IM is allowed at work, the managers are going to require me to sign-in everyday. I really don't have a choice when somebody IMs me over stupid crap. None of IM services have a "crap filter". If I turn off my IM my manager will be like "turn on your IM so I can IM you stupid crap all day". There is no way to tell people "don't IM me stupid crap". People don't realize thier crap is stupid.

If corporate policy is to allow IM, the corporations are going to want to be able to IM you. There is never going to be a corporate policy of allowing IM for personal use only. That's like allowing a slacking device on you computer. Corporations should be allowed to block IM if you are not doing it for business use. You are allowing a hole into the network for viruses and you are allowing a huge productivity killer.

Do I miss talking to my friend and family at work? Not really. It is really intrusive to have a pop-up box with some crap when I am trying to get something done. Send me an email and I'll respond to you when I am not in the middle of something.

The mind can only handle so many distractions. Constant interuptions into thoughts actually stresses people out.

A IM free workplace is like working in a quieter room.

Re:We haven't had that wake-up call yet?

[FriedTurkey]

I can see your point but then I have to ask, who is to blame for the poor usage? Is it the person who is sending the crap to you or is it you that allows that person to send crap to you?

I would like to tell my managers to stop IMing me crap but I would probably get fired. I have 5 managers ala Office Space. When something goes wrong, I have 5 IM windows saying: "Did you not get the memo about the new T.P.S. report?"

Re:We haven't had that wake-up call yet?

[Yaro]

I second that. I've come from one extreme to the other, I can no longer stand being interrupted any time by an IM client.

"Instant" is too much stress. Mail makes filtering and postponing easy.

Re:We haven't had that wake-up call yet?

[Ilgaz]

Why not install/purchase a closed to outside jabber server/client system?

I don't think the ones below will have such a problem.

http://www.jabber.com/index.cgi?CONTENT_ID=34

IM, when used for business purposes is a good tool. Installing MS Messenger, is plain funny. Especially for a news agency which everything is critical.

Re:We haven't had that wake-up call yet?

[Matilda+the+Hun]

Nah, it's just because they don't want people IMing friends during office hourse, the same way they don't want personal calls during office hours. Companies aren't far-sighted enough to have a reason like security for any no IM-ing rules.

Re:We haven't had that wake-up call yet?

[ben_fucking_franklin]

Dude, that's a corporate culture and/or a personal dicipline issue. Learn how to tell people to f*ck off unequivocally, and most of them will respect you for being forthright. Never ever be nice to people who want to see themselves as funny, intelligen, or who want to kill time. They will do so at your expense and regret.

Re:We haven't had that wake-up call yet?

[RedBear]

Having IM is kinda like having everyone at your company working in your cubicle. Anyone can just blurt out some kind of crap without thinking it through.

There are solutions to this sort of situation that don't necessarily involve cutting off a handy communication medium entirely. At least in ICQ, you can make yourself invisible to everyone but certain individuals, or to be slightly less sneaky but still emphasize the point that you're busy and trying to get work done you can make yourself appear as "Busy" or "Do Not Disturb" to the annoying individuals. Kind of like using an answering machine or caller ID to screen your calls, but more versatile.

Now, if not a single person you were chatting with was helping you be more productive, then by all means turn it off.

Re:We haven't had that wake-up call yet?

[AyeRoxor!]

Infringing on rights? Having IM at work is not a Constitutional right.

Not all rights are declared in the Constitution. In fact, the way the US Gov't is set up, anything NOT specified as illegal is a right. Here's a quarter. Buy a book or two.

If IM is allowed at work, the managers are going to require me to sign-in everyday. I really don't have a choice when somebody IMs me over stupid crap.

Sounds like your workplace sucks. IM is allowed at my place of business, and there are no rules about it. (And yes, I am the network admin.) If, at the end of the day, people have done their job, all is well. If they haven't, nobody cares why. The fact is they haven't and the possible results are the same as they have always been.

If I turn off my IM my manager will be like "turn on your IM so I can IM you stupid crap all day".

He pays you for that right. It's a situation to which to implicitly agree by continuing voluntary employment. Don't like it? Quit.

There is never going to be a corporate policy of allowing IM for personal use only.

Have we jumped to the "rediculous extreme therefore everything else I've said is right" logic fallacy already? I'm more than a little disappointed.

You are allowing a hole into the network for viruses and you are allowing a huge productivity killer.

Computer policies are clear and file transfer over IM ports are closed. Nothing is iron-clad, and if they violate policy and infect a system, they are fired. As for a 'huge productivity killer', I bet there were people like you whining when phones were brought into the workplace.

The mind can only handle so many distractions.

Sounds like 'the mind' thinks he's a bit more representative of the entire world than he actually is.

Re:We haven't had that wake-up call yet?

[OaXlin]

Wow, I wished I could say the same.

Those same stupid people usually just call me on the phone. Phone conversations take MUCH longer then IM. I cant ignore them as easily, or hide my tone of utter disgust for thier stupid question.

Story is 2 weeks old

Trust /. to post an April 14 story as though it's news.

Re:Story is 2 weeks old

Trust an anonymous coward to troll a story..

Why isn't filtering more instantaneous?

[PornMaster]

Hell, I get 3-4 "(i from forum)" add-to-contacts requests a day if I leave ICQ up. That's something that could easily be blocked with some kind of regex on the ICQ servers. It's really frustrating that there aren't more spim blockers implemented.

Re:Why isn't filtering more instantaneous?

[0x461FAB0BD7D2]

In ICQ's Security and Privacy Permissions settings, you can choose to decline World Wide Pager, EmailExpress and other forms of spam.

I'm using 2003a, so your settings may be different.

Re:Why isn't filtering more instantaneous?

[BinLadenMyHero]

Quit whining and move to a better IM client that is light, but has this and countless other features as plugins.

Re:Why isn't filtering more instantaneous?

[PornMaster]

I was using Miranda, but someone with whom I needed to communicate, who uses the ICQ client from ICQ.com wasn't receiving messages from me. I made sure I had the latest Miranda, and it was no help. Immediately upon installing ICQ Lite, everything worked.

Re:Why isn't filtering more instantaneous?

[Jenty]

well, yeah.. i use miranda and i get those annoying requests-spam "did you write about the service ? and some url". Any suggestion how to kill it ?

Re:Why isn't filtering more instantaneous?

[BinLadenMyHero]

Yes.
A friend of mine told be about a wonderful service that searches the Web, called Google. It has a nice feature that you can limit the sites where it will search for.

Try spam plugin site:miranda-im.org, and choose from many spam filtering plugins there.

Re:Why isn't filtering more instantaneous?

[Trejkaz]

I bet if they fixed their client, it would have worked too. :-/

Old News

[thetamind_pyros]

Ummmm.. check the date on that article. This happened 2 1/2 weeks ago. I thought this was a NEWS site.... Oh right, I shouldn't make such assumptions.

Re:Old News

[MoogMan]

Slashdot: Olds for Nerds, stuff that mattered.

Re:Old News

[kfg]

"I shouldn't make such assumptions."

Correct. This is primarily a news reposting site, in order to generate discussion.

It's a forum, not a newspaper.

KFG

Re:Old News

[thetamind_pyros]

Exactly. Because to assume...

...just makes an ASS out of U and ME.

Re:Old News

Correct. This is primarily a Apple/Google/Linux Fanboy site and a Microsoft bashing site, in order to generate ad revenue.

It's a forum, not a newspaper.

Fixed your typos.

Re:Old News

Okay... But what's there to discuss?

- Kelvir trojan bad
- Reuters IM good
- I like pie

Microsoft messenger??

[advb89]

Well it is implementing Microsoft Messenger...

Didn't Microsoft fix this a while back?

[kc32]

Isn't this why Microsoft forced me to upgrade MSN Messenger to a version that wouldn't even _INSTALL_ on my computer?

I had to copy a good installation file by file to get the new version.

obligatory simpsons quote

HA HA!!!!!!

ufpdom :P

security !

[Riiz]

humm !! security issue again....

Microsoft

It is a good thing they chose that name synonymous with security: Microsoft!

Again, tell me why capitalists choose to pay a lot of money to other businesses in order to get software which is available (and more secure) for free(?).

I have to believe corporations also suffer from brandnameitis. It's a shame.

Re:Microsoft

No one needs to. They work.

Re:Microsoft

Sure they do. You have to pay for it, but it's much less expensive than the brand-name, corporate-culture route. And, with the security inherent in the open-source IM protocols and software, there is much less need for any support to begin with.

Re:Microsoft

you ACTUALLY think you can get support from microsoft?

oh go home and learn to be a plumber

110 million users

[MarkByers]

Yeah, at least 110 million people use it:

http://bink.nu/Article620.bink

How inconveniant

Ofcourse with access like this someone could have started a rumour that saudi ariabia would decrease/increase oil production, a merger between X and Y was going through/south, public figure x was assasinated, or a group calling itself l337 cr3w had bombed a major oil pipeline. If convincing, the rumour might be spreaded along with a reuters mark of credability acceptable everywhere where oil/stock/currency-prices and foreign policy are decided...

Why is it that whenever a worm hits a high profile system noone talks about the potential consequences? A worm hitting ATM`s? how inconveniant if you need cash! Windowsupdate.microsoft.com spreading code red... how dumb of microsoft...

How is it noone mentions that humanity knows how to write software that isn`t more worm prone then the stuff that got hit by the morris worm twenty F#$%ing years ago? If people mentioned this from time to time consumers might starts asking for computers that don`t turn into spamming, DDoSing zombie whores at the first sign of an overflow exploit. It would be more productive then the ones with the most megahurts marchitecture eye candy.

Re:How inconveniant

[SuiteSisterMary]

How is it noone mentions that humanity knows how to write software that isn`t more worm prone then the stuff that got hit by the morris worm twenty F#$%ing years ago?

So how do you write software which is usable by humans, but not usable by worms?

Besides, reference the huge outcry against Microsoft in trying to do just that with the XP TCP/IP stack; things like limiting half-open connections gets them yelled at.

What it comes down to is, however, that if a system is usable, it's abusable. If your car can drive to the left, down a road, it can drive to the left, into a pedestrian. If your mail program can send a picture of an x-ray to your doctor, it can send a picture of the goatse.cx man. If your OS can execute a program to let you do your finances, it can execute a program to then send that data somewhere.

Re:How inconveniant

If your OS can execute a program to let you do your finances, it can execute a program to then send that data somewhere.

Why should your os allow access to financial files to a program that it allows it to send anything anywhere but your bank as identified and certified by a trusted third party?

So how do you write software which is usable by humans, but not usable by worms?

Thats what people asked themselfs when working on openvms and multics, its what they wondered about after the morris worm. The people who found answers where not obducted by aliens after they did! They where just ignored for a decade, which may be even worse... well for the rest of the world anyway.

Most of the answers are right in the orange book. Another answer is not to use a language/platform that allows for buffer overflows when doing something mundane.

I am not saying these ideas are perfect, I am saying they are almost thirty years old but not advertised at compusa! They are currently being "reinvented" very very slowly. AMD offers memory that is hard to run instructions from, microsoft started adding bufferoverflow fighting tricks to its compiler and from time to time compiles some of its producs with it. Unix alikes have trouble deciding their aproach but there is progress. Also the linux kernel has room for setting files to something more subtle then 666. Java has a somewhat complete reference monitor... but ofcourse noone uses it becouse an application taking a little more time to start up takes more time then cleaning out an internet explorer abusing piece of malware... Microsoft for the first time ever sacrifices backwards compatability for security in servicepack 2 and what do people do? They whine about it..

people should start trying to make secure systems useable again instead of just making them insecure. The first step? explaining everyone that current insecurity is the couse of much lost time and will cost much more money then a bit of DDoS here, mixed with ID theft and the occasional bank heist using a keylogger.

Re:How inconveniant

[m50d]

This is nothing of the sort. There's no overflow or to anything. It's an ordinary executable, called something like "pic.exe", then when run it sends itself to your contact list saying "Hey, I look great in this nude pic" (I forget the exact message). The sole blame for such outbreaks is clueless users, the only way to stop them is to make more intelligent users

Die IM, Diiiieee

[blackicye]

I'm wondering if I'm the only one who is annoyed by IM Services.

I used to use ICQ way back in the day, but found it to be more of an annoyance than anything useful.

My rationale is, if its not important, send me an email. If it _is_ important, give me a call.

Otherwise, bugger off! I'm not interested..

Re:Die IM, Diiiieee

[carambola5]

While obviously not the main reason most people use IM, some of us do have friends on different continents with whom we'd like to have conversations. Phone is out of the question, and email is too choppy.

Re:Die IM, Diiiieee

[PhoenixFlare]

I used to use ICQ way back in the day, but found it to be more of an annoyance than anything useful.

If you don't want to be messaged about every little thing, then inform your contacts of that fact, and use the features (closed buddy list and such) that keep random people from talking to you.

My rationale is, if its not important, send me an email. If it _is_ important, give me a call.

So you use email for real-time communication when you can't (or don't want to) call someone on the phone? Seems pretty inefficient.

Re:Die IM, Diiiieee

[FriedTurkey]

I agree. For personal time it is great to talk to friends. For work it is pure hell. A manager with your IM is like having him/her right next to you all the time telling you stupid crap all day long.

Re:Die IM, Diiiieee

[tomjen]

voip
You get to hear there voice too.

Re:Die IM, Diiiieee

Didn't you mean "You get to here there voice to"?

Re:Die IM, Diiiieee

[fvbommel]

VoIP requires extra hardware (Not everyone has a microphone, though speakers are common enough). IM only requires a keyboard, a monitor and a network card, that's it.
Plus some people don't speak too clearly, especially in anything other than their native language.
(Let's not get into non-native spelling. Or native spelling for that matter, as some of the worst English spelling I have ever seen came from the keyboard of an American)

Re:Die IM, Diiiieee

[dbIII]

some of us do have friends on different continents with whom we'd like to have conversations

But if you are doing it at work using email will tend not to piss off those around you so much as IM. If you are interactively writing messages you have less attention to pay to those who are phyically near you, or whatever work you are doing - and it makes sysadmins look bad if they are helping you to do this.

Wait until you get home.

Yahoo! IM

[G1aucon]

It's too bad there isn't more adoption of YIM. In terms interface and usability, it far outranks AIM or MS.

Does anyone know why Yahoo! has had a hard time catching on? Is it just a diffusion effect? E.g., if all your friends have AIM, you have to use AIM, too?

Re:Yahoo! IM

[pacroon]

No, then you should use GAIM :)

Re:Yahoo! IM

What are you talking about ? Loads of people use Yahoo Messenger. And for good reasons:

1. It's free

Re:Yahoo! IM

[badriram]

Been there used it for a while, loved tabs, and other plugins. Hated the occasional crashes, hated having to update every 2-3 weeks. Hated not having audio or video conversations. Hated not having the new features that were part of MSN(expressions etc.). So i switched back.

Re:Yahoo! IM

[menace3society]

How about, everytime my sister launches YIM (on Windwos) it takes over the IE toolbars and sets itself up to load automatically the computer boots? No, that couldn't be it.

Re:Yahoo! IM

Yeah for some odd reason Yahoo! Messenger (yahoo.com) cannot communicate with Yahoo! Messenger from other regions (not yahoo.com)

Re:Yahoo! IM

[kurzweilfreak]

Heaven forbid you have to choose options during install or *gasp* look at the preferences.

Re:Yahoo! IM

[Chiisu]

Acutally, most of the people I chat with use Yahoo. Very few use MSN, and only a few use AIM. I'm not too found of their program though, I prefer Trillian or GAIM (on Mac the Yahoo program isn't too bad, though I wish iChat supported it....)

Re:Yahoo! IM

[junkcode]

I'm not much of a fan of Yahoo! IM for a variety of reasons, one of 'em is because "invisible mode" doesn't really serves the purpose. Check http://www.buddy-spy.com/ MSN Messenger used to have a snag in their protocol that revealed the 'online' status of people who blocked others. They seems to have patched that now. So, personally, I prefer MSN Messenger to Yahoo! IM.

Re:Yahoo! IM

[petermgreen]

sure but what is im software doing screwing with those things in the first place.

or putting them back automatically when someone tries to remove them.

if i remove something from the startup items or a toolbar from my browser it shouldn't go putting them back without permission.

Re:Yahoo! IM

[kurzweilfreak]

I don't know what you're talking about, I've never seen Yahoo change those settings once I've set them. Don't install the toolbars in the first place (you have the option during installation). I think you also have the option of whether or not to have Yahoo start up with Windows.

Re:Yahoo! IM

I use AIM because it lets me have clients on multiple machines simultaneously. Usually, I have it on the desktop I'm on and on my notebook which is usually in my living room. I never have to worry about logging myself out of one or the other... wish YIM would support something like that.

Interestingly, I have something similiar setup with my VOIP phone. With its simu-ring call forwarding, I can have incoming calls ring both my VOIP and my cell at the same time. Whichever one I answer first gets the call. (And if not, my cell phone's VM wins and gets the message.)

Don't blame Microsoft for this one.

[MarkByers]

No blaming Microsoft for this one. This time it is definitely the users' fault. The trojan simply sends a link to the contacts inviting them to download and run an executable.

And people still do it!? What will it take before people learn?

Re:Don't blame Microsoft for this one.

I work for a company that MANUFACTURES COMPUTERS that had to disable messenger file transfer because of dipshits like these.

Re:Don't blame Microsoft for this one.

[badriram]

MS got blamed when users opened attachments
MS got blamed when users clicked on Yes to Install with ActiveX (I realize the wording could have been better)
MS got blamed when Admins did not install patches, Code Red, Slammer etc

MS will always get blamed whether it is their fault or not. However there are always thing you can do in software that help the Technically challenged. It just like a security in an company, you need to account for people that do not know what they are doing, and train/create policies/restrict them.

Re:Don't blame Microsoft for this one.

I work for a company that MANUFACTURES COMPUTERS that had to disable messenger file transfer because of dipshits like these.

Everyone should shout what their company does.

Re:Don't blame Microsoft for this one.

People can be duped in the real world too. However, we pick up innate warning signals that let us deal with potentially dangerous in the real world without giving it much thought. Most security dialogs on the computer however are not designed to exploit these warning signals, because they require the user to read text, think about it, and take appropriate action, which requires active participation, instead of just instinctive action.

When you ask a simple question in a dialog box, a lot of users tend not to read the question and just click yes. If you trip them up and make "no" the confirming action, they will repeatedly open the dialog, click yes, open the dialog, click yes, until after several times they will often give up or click no, still without having read the actual message. If you've never seen this behavior, you haven't watched enough "regular" people use a computer.

Why do software builders still insist on handling security through text-based dialog boxes when it is well known a lot of people don't read dialogs?

If you ask me, instead of a text-based dialog box it should show an image of a fortress, with a green arrow labeled "you are here" pointing inside the fortress, and a red evil-looking guy with a question mark above him standing in front of the gate, with two arrow buttons next to him. One pointing towards the fortress, one pointing away. The one towards would confirm the security downgrade action requested. Mapping the action that way to something people can relate without thought to the real world would help a LOT in dealing with the realities of user behavior.

Re:Don't blame Microsoft for this one.

If when you start windows for the first time there was a little popup that said: "Remember kids, installing random executables is dangerous; viruses live in executables.", this problem would be much smaller than it is.

And people still do it!? What will it take before people learn?

People wont learn until someone bothers to try and teach them!

No blaming Microsoft for this one. This time it is definitely the users' fault.

This is microsoft's fault. MS knows that new users aren't going to be afraid of EXEs and they are in a position to do something about it, but they do nothing.

Re:Don't blame Microsoft for this one.

[marcosdumay]

Dialog boxes with pictures help only to confuse the user. There is no better stuf than text to put into them.

The probem you are pointing happens because some systems abuse of dialog box, they appear all the time, so the user don't care about them. The solution is simple, just use dialog boxes to ask the user for directions, never confirmations (unless there is something very dangerous). Dangerous actions should be hard to execute. So, the system should require concentration to execute the attachment, not to cancel the (easy) execution.

Re:Don't blame Microsoft for this one.

I think the stress is to say that even people who manufacture computers can be fools.

Re:Don't blame Microsoft for this one.

[xander2032]

See, and it sounded like a big deal! lol is that all? Then I don't see what the big fuss is about. How stupid are people?

You can tell them a million times to not click on something, yet they still will. Then they'll bitch and moan about how their computer is infected with a virus, spyware, etc..

People like that drive me crazy! I know I surely don't feel sorry for them.

I tell my family all the time, don't click on shit!!! But do they ever listen? nope...

The internet is only a dangerous place because it's filled with people who don't know any better! If you're going to use something, at least know what the hell you're doing. Is that too much to ask of people??

Re:Don't blame Microsoft for this one.

What will it take before people learn?

Mustard up the ass

Re:Don't blame Microsoft for this one.

[Tenareth]

There is no denying that Microsoft created this culture of "Click on anything you see".

Grrrrrrrrr....

[Spoing]

• This is certainly a wake-up call, IM is just like any other communication media. The media needs to go hand in hand with security.

We [explitve deleted] know that!They don't seem to be listening. AGAIN.

Re:Grrrrrrrrr....

[dioscaido]

Messenger patched the vulnerability a few weeks ago.

http://www.microsoft.com/security/incident/im.mspx

Re:Grrrrrrrrr....

[Spoing]

Messenger patched the vulnerability a few weeks ago.

Thanks, though that's beside the point.

Microsoft should have designed with security in mind in the first place. That they didn't is proven by the need for the patch at all. Is the fundimental problem solved? I don't trust that it is.

Re:Grrrrrrrrr....

[PornMaster]

No, the fundamental problem isn't solved. The fundamental problem is the same people who forward urban legends around the net.

Unfortunately, we still can't figure out how to stab people in the face over the internet

Re:Grrrrrrrrr....

>>Messenger patched the vulnerability a few weeks ago.

Thanks, though that's beside the point.

Microsoft should have designed with security in mind in the first place. That they didn't is proven by the need for the patch at all. Is the fundimental problem solved? I don't trust that it is.

This would imply that neither Linux or Mac OS is designed with security in mind, because they certainly need patches.

Re:Grrrrrrrrr....

[Spoing]

"Microsoft should have designed with security in mind in the first place. That they didn't is proven by the need for the patch at all. Is the fundimental problem solved? I don't trust that it is."

This would imply that neither Linux or Mac OS is designed with security in mind, because they certainly need patches.

Only on the most superficial levels. It's not quite the same thing if the design encourages bad behavior and the patch doesn't deal with that. If the system can't be secured without a patch it is defective.

In the case of most other popular operating systems, the systems come with services and options that can be insecure turned OFF by default. The patches for security problems deal with situations when the by-default-off defective services are turned ON.

That's why you can't interest most people using non-Microsoft operating systems in virus and spyware detectors...unless they are running a mail filter for Windows users.

stupid virus

[dioscaido]

The user needs to click on a link in the IM message, and needs to click on 'yes' on the XPSP2 warning about running unkown executables.

If I'm not mistaken, didn't this vulnerability get fixed a while ago on MS/MSN Messenger?

Re:stupid virus

[Spoing]

The user needs to click on a link in the IM message, and needs to click on 'yes' on the XPSP2 warning about running unkown executables.

Just like the majority of Outlook and many IE hijacks? Microsoft hasn't seemed to have learned from the past at all; they keep repairing the same defects over and over when they could eliminate the problem at design time.

Re:stupid virus

Of course if you are running Windows 2000, you won't get a prompt. It is still very common for companies to be using Windows 2000 and it is supposedly still supported by Microsoft.

Re:stupid virus

[dioscaido]

How would they fix this vulnerability at 'design time'? Disable links in IE, OE and Messenger?

Re:stupid virus

>>The user needs to click on a link in the IM message, and needs to click on 'yes' on the XPSP2 warning about running unkown executables.

Just like the majority of Outlook and many IE hijacks? Microsoft hasn't seemed to have learned from the past at all; they keep repairing the same defects over and over when they could eliminate the problem at design time.

That's a strange response to the text above, and would apply to Linux, Firefox, or Mac, as well. Unless you want an OS that stops an user from saying "yes, I am sure I want to install this". I certainly don't.

Re:stupid virus

[Spoing]

"How would they fix this vulnerability at 'design time'? Disable links in IE, OE and Messenger?" Disable them for untrusted transactions...like auto executing programs? YES.

Re:stupid virus

[ad0gg]

So people couldn't recieve attachments or send stuff over messenger? Umm. Yeah. Thats helpful.

Re:stupid virus

[Spoing]

"So people couldn't recieve attachments or send stuff over messenger? Umm. Yeah. Thats helpful."

You have to mangle quite a bit to come to that conclusion.

Re:stupid virus

[statusbar]

In the case of standalone powerpoint 'executables', it is true...

The whole system is broken, not just IM.

jeff

This is a good start...

...but I hope this virus scales well. Disrupting IM services, even briefly, will make people less dumb and more productive. This is definately a case of "it's not a bug, it's a feature!"

AOL,Yahoo & MS

[goombah99]

so does AOL and yahoo also have these sorts of breeches from time to time? or is this just another MS exclusive?

Not trying to flame here but there is always this raging debate on whether MS is the brand for those desiring insecure solutions or if its just a matter of size making it a media of exponential viral growth. We have one key data point which is that its' web server technology gets hacked more than say, Apache. It's important since Apache is as big as MS in that, neutralizing partly the size issue (al beit Apache is less homgenous than MS server so it's not perfect)

Now we have an IM data point. This is more interesting since here we do have three homgenous IM sources of large size AOL, MS and Yahoo. So I wonder how often these other brands get hacked. Anyone know?

Re:AOL,Yahoo & MS

[penix1]

Microsoft makes itself a big target not only politically but technologically. It is their "extend, embrace, extinguish" attitude that got them into this mess (and other messes as well) when they integrated all their competition's code into the OS. It is sad really that "innovation" to Microsoft really means "acquire".

B.

Re:AOL,Yahoo & MS

[Cromac]

AOL IM has had plenty of security holes as well, it's just more in vogue to bash MS on Slashdot.

Google

Another question is does Trillion or other third party IM tools that connect to these networks have similar security breachs?

Re:AOL,Yahoo & MS

[jerw134]

We have one key data point which is that its' web server technology gets hacked more than say, Apache.

Can you point me to the list of security problems that IIS6 has experienced? Or are you just basing your point on outdated information?

Re:AOL,Yahoo & MS

[hostyle]

No one uses IIS6. Same reason why Linux and Apple have so few bad sploits.

Re:AOL,Yahoo & MS

[jerw134]

Actually, I think it actually has more to do with the fact that it's secure by default. But then again, I actually know what I'm talking about.

Re:AOL,Yahoo & MS

ah you're the sort of girl who thinks a Convicted Rapist just wants to leave it all in the past

Re:AOL,Yahoo & MS

[cbiltcliffe]

Ok...let me get this straight....

Linux and Apple don't get hacked because nobody uses them, and IIS6 doesn't get hacked because it's secure by default?

But Windows gets hacked because of it's high marketshare, right?
So what's the difference between Apache and Windows?

Re:AOL,Yahoo & MS

[drsmithy]

So what's the difference between Apache and Windows?

Windows machines represent a significant proportion of the target space (all internet-connected machines).

Apache machines represent only a tiny proportion of the target space.

If you want to compare market shares with respect to attacks, you have to keep the thing being attacked consistent. Apache has a large proportion of the webserver market, true, but the webserver market represents only a tiny share of all internet-connected machines, where Windows has a significant proportion of all internet-connected machines.

Re:AOL,Yahoo & MS

Dream on Dr Smith. Web server attacks are indpenendent of server attaks. the holes are different. IIS attacks need to be compared to Apache attacks. So where's the apache attacks Dr Smith?

Re:Microsoft Messenger?

[dioscaido]

LOL. You will not believe how much time I waste now using the Ink functionality on MSN Messenger 7.

Hahaha

If they didn't see that coming (using Microsoft infrastructure), they certainly deserved the downtime.

When will people like this finally wake up?

Re:Hahaha

Interestingly enough, the vulnerability was due to the use of an open source PNG library:

http://www.libpng.org/pub/png/libpng.html

Note the issue mentioned with version 1.2.5.

Why is IM better than a phone?

[goombah99]

I'v never "gotten" IM. never even tried it. I could never see why it was better than a phone call. Anyone care to explain this to me?

Re:Why is IM better than a phone?

Because saying "Go to www.example.com/reallylongurl?anddontforgetthepara mters=too" takes more time than copying a link and it pasting it.

Re:Why is IM better than a phone?

[TeknoHog]

When you're discussing technical matters, it's easier to type a piece of source code or something, than spell it over the phone, hoping the recipient gets it right.

When you're in a deep hack mode, typing a message is much less distracting than talking to someone.

Re:Why is IM better than a phone?

[RollingThunder]

It doesn't require you to sync up.

You can hold multiple conversations at the same time.

It indicates if somebody is in, without disturbing them like a phone call does.

I can deal with them in the order I choose, unlike phone calls.

You're comparing them to the wrong thing. Phone calls and IM's are different enough that they complement, not compete. E-mail, however, is closer to a competitor for IM.

We're trying out Office Communicator, and despite the fact that the UI was done by an absolute moron (can't supress offline users? have to see the newbie text all the time? gah) the tool itself is pretty damned useful - and I don't often compliment Microsoft.

Re:Why is IM better than a phone?

[llamaluvr]

It's perhaps the only form of synchronous communication that is asynchronous enough that you can carry on multiple completely independent instances of it at once. In other words, I can have 5 or 6 completely separate conversations on IM at once, whereas I can only have one of those one the phone.

Re:Why is IM better than a phone?

[sydb]

1. Maybe you should try it then you might understand it?
2. IM is not really Instant, it's almost-Instant, which means you get a chance to read what you're about to say.
3. Go right ahead and type, you don't need to wait for the other party to finish their utterance
4. you can copy and paste things into IM. That's quite hard over a phone call
5. you get a log of the conversation. So if you need to go back and check a fact, you can. It's possible to record phone calls too but in IM it's automatic and it's much easier to search text than audio.
6. By logging into IM you are announcing your availability for chat. Not so with a phone call, which is a polling system (ring ring)
7. Lying requires less work
8. But really you have to TRY something before you DISMISS it.
9. there's probably more.

Re:Why is IM better than a phone?

[eyegor]

Very true.

I frequently IM myself as a low-budget cut-and-paste between my computers. It requires 1 screenname for each machine, but it works great.

Most of the people on my team also use IM for the same purpose. We'd explored using jabber-based chat, but AOLs infrastructure is hard to beat.

Since AOL added the ability to have encrypted IM sessions between users, I don't have to worry about getting my sessions intercepted either.

A few years back, there were a rash of problems with users having their IM IDs stolen and used for human-engineering attempts. Self-signed certs are more than adaquate in order to establish an encrypted session. One just has to set up their own CA and get everyone on the team to trust that particular CA.

Re:Why is IM better than a phone?

9. there's probably more

I would add:

- You can have several simultaneous conversations
- You can easily invite others into conversations
- You can send files while talking
- It doesn't disturb your coworkers like phone calls do

And the log you mentioned is a big plus. I've often gone back to get info from the IM log.

In my experience the "don't get IM" often seems to be a generating thing.

Re:Why is IM better than a phone?

[Cromac]

5. you get a log of the conversation. So if you need to go back and check a fact, you can. It's possible to record phone calls too but in IM it's automatic and it's much easier to search text than audio.

In some states it's also illegal to record phone conversations without consent, I don't belive that protection extends to IM conversations. It's not something you usually have to worry about, but if you're IM'ing with your manager having a record of exactly what was said could save your bacon.

Re:Why is IM better than a phone?

[rmccann]

I read about a case that extended the 'no unconsented recording' rule to IM in some state, however it depends on the IM client/protocal. If you are using an IM client that doesn't do automatic loggin (ie it's off by default), then you have to ask before recording. If the IM client has recording turned on by default then you are allowed record. The logic being that users of it should know what they are using, and hence by using it they are aware of it's logging and agreeing to it.

Re:Why is IM better than a phone?

[drseuss9311]

I believe what you meant to say is that it is illegal to record a phone conversation that you are not a participant in. I have every right to record any phone call that I make or answer. Many cell phones provide an auto record feature for you and you can save the audio after the call has ended.

usual disclaimers apply (IANAL, etc)

Re:Why is IM better than a phone?

[mrchaotica]

IANAL either, but I think that in some states both parties have to be aware of the recording for it to be legal. This is why when you call companies you hear the "this call may be recorded for (whatever reason)" message -- they're legally required to tell you.

Re:Why is IM better than a phone?

[Nevenmrgan]

Bravo. Also, you can lead multiple conversations at the same time - not possible on the phone without multi-way conferencing which makes everyone aware of everyone. Being a designer, I'm also a huge fan of images embedded in the conversation stream (advantage over IRC). This makes visual brainstorming and critique requests super-easy. Biggest advantage over IRC - interface.

Re:Why is IM better than a phone?

[TCM]

It doesn't require you to sync up.

You can hold multiple conversations at the same time.

It indicates if somebody is in, without disturbing them like a phone call does.

I can deal with them in the order I choose, unlike phone calls.

Ah, you mean IRC.

Re:Why is IM better than a phone?

Nice troll.

I can't believe how many people fell for it.

Re:Why is IM better than a phone?

[lordkuri]

In Illinois, if you do that without notifying the other party, it's a felony.

better make sure your ass is covered before you do something stupid ;)

Re:Why is IM better than a phone?

[ricka0]

I'm not claiming to know anything about the laws about this... but from a logical point of view.

Since the employee isn't the person actually recording the call (rather some other company entity NOT part of the conversation), in that case it would be an outside party recording so they would have to tell you no matter what states were involved.

Re:Why is IM better than a phone?

[drseuss9311]

right, however... that is because the people doing the recording aren't participating in the phonecall.

Re:Why is IM better than a phone?

[RollingThunder]

You can hold IRC conversations with people not online at the time? Impressive.

Re:Why is IM better than a phone?

[TCM]

You can hold IRC conversations with people not online at the time? Impressive.

You can hold conversations with people who aren't even online with IM? That's even more impressive.

Seriously, that's the purpose of e-mail then, isn't it?

Re:Why is IM better than a phone?

low-budget cut-and-paste between my computers

If any of these computers are sitting right next to each other, and may benefit from sharing the same keyboard and mouse, you should check out Synergy. Sharing keyboard and mouse between machines, plus sharing of clipboard as well. Works really nicely.

Re:Why is IM better than a phone?

[assassinator42]

Not really. Since the employees know the phone calls could be recorded, that would satisfy the one party aware laws that some states have.

Re:Why is IM better than a phone?

When you're discussing technical matters, it's easier to type a piece of source code or something, than spell it over the phone, hoping the recipient gets it right.

When you're in a deep hack mode, typing a message is much less distracting than talking to someone.

But those both sound like situations in which e-mail would work fine. It's not _that_ slow.

Re:Why is IM better than a phone?

[RollingThunder]

Yes, I can. It's high latency, but it works, because once the person signs on to their IM, they get the message.

If I talk in an empty IRC channel, it's lost. No conversation, no matter what the latency. Note that I'm assuming nobody's using a logging bot to relay messages in this scenario.

Re:Why is IM better than a phone?

[x_terminat_or_3]

I don't know what OS you're using but on m$ for instance there is this utility called winpopup. The only requirement is that both machines are running winpopup and that they can see each other on the local workgroup.

On Unix and 'nix based OS's, many options are available to you. Like opening bash session from your local computer so you can paste directly onto the target computer without even leaving your own.

Comme and join us!

Re:Why is IM better than a phone?

[sydb]

Bravo

Why, thanks, I've never had a "Bravo" before.

Re:Why is IM better than a phone?

[spuzzzzzzz]

I frequently IM myself as a low-budget cut-and-paste between my computers.

You might find cpop useful. It doesn't seem to be under any sort of active development, but the stable version works fine.

Re:Why is IM better than a phone?

[eyegor]

I use a usb kvm between my win2k box and my G4. I frequently am SSHed into various Linux and Solaris boxes as well. cutting and pasting between terminal sessions isn't a big deal, but occationally I need to paste between GUI apps or paste URLs. I'll take a peek at a few of the aforementioned tools.

Re:Why is IM better than a phone?

[Trejkaz]

Now you're talking about specific clients. Remember, IRC is an IM system itself. In theory, someone could put images in the stream over IRC, if they figured out some kind of magic codes for it. Just like they do formatting of text, when strictly IM is plaintext.

Re:Why is IM better than a phone?

[Nevenmrgan]

In theory, yes. But one protocol is different from another in practice - in theory, each one could be tweaked to mimic all others (why not an FTP chat client?) IM is not a 'protocol' anyway, but a set of feature and interface ideas. Most IM clients support some or all of the features mentioned. No IRC client does, as far as I know.

Re:Why is IM better than a phone?

[Trejkaz]

I wouldn't say "most" IM clients support inline images. It's definitely a minority once you consider the myriad of clients which don't support them... there are a great deal more of these minimal clients than the full-featured clones of MSN and Co. So in theory? yes. And in practice? Also yes.

Jabber anyone?

[tabo_peru]

I'm running a jabberd2 server in my company with lots of users with no problems at all. It is free, stable and has a plethora of clients for all major platforms.

Is there a _serious_ msn-im feature that jabber lacks?

Re:Jabber anyone?

VOIP ? Video Conferencing ? Shared Whiteboard ? remote desktop sharing ?

Re:Jabber anyone?

[Ziviyr]

Remote desktop access should not be in an IM client.

Re:Jabber anyone?

[tabo_peru]

We already have all that (except for the whiteboard) in separate products, those things shouldn't be in a IM solution IMHO.

Re:Jabber anyone?

Since the Jabber protocol is open and extensible, would it not be simple to simply add Shared Whiteboard functionality to it (e.g. in the client, and as a layer superimposed over the usual communications)? Has anyone tried anything like this yet?

Re:Jabber anyone?

[Terrasque]

The userbase.

Of curse this doesn't matter much for a company-only IM service, but for the average person it's an important feature.

Re:Jabber anyone?

How about archiving all the instant messages communication for legal purposes?

Re:Jabber anyone?

[mikelieman]

I use the "Bandersnatch" component to archive all Jabber IM traffic ( Our companies mandated IM protocol ) to a mysql "database".

Re:Jabber anyone?

[HermanAB]

Why yes, Jabber's virus support really sucks...

Re:Jabber anyone?

[mrchaotica]

iChat supports video conferencing, and it's a Jabber client now.

Re:Jabber anyone?

VOIP ? Video Conferencing ? Shared Whiteboard ? remote desktop sharing ?

Funny, those all sound like standalone applications to me.

I mean really, Remote desktop sharing over IM? How does that work? "Hey Bob, here's a picture of my current desktop. Where should I move the mouse?" Anything more than that and it's not IM anymore, it's VNC. Hopefully they're just sending Remote Desktop invitations over IM. :)

Re:Jabber anyone?

[Kaenneth]

Those used to be free from Microsoft in Netmeeting; but Netmeeting is blocked from running on XP.

Re:Jabber anyone?

[Trejkaz]

Try using a client which has the features instead of whining about features which already exist.

business-critical....you can count on....Microsoft

[symbolset]

About Reuters messaging from the Reuters website at http://about.reuters.com/productinfo/messaging/

Scaled for peak traffic loads and monitored 24x7 by Reuters Technical Operations, Reuters Messaging provides you with a business-critical, fully hosted instant messaging and presence service you can count on. The service is based on Microsoft's implementation of the industry-standard Session Initiation Protocol (SIP) and is simple to install and administer throughout your company.

so will microsoft be held responsible ?

[Adult+film+producer]

There was a story on slashdot about a month ago, some microsoft shill was dis'ing Linux because of it's lack of support and indemification issues, all the more reason to go with Microsoft (presumably because they have to answer for these fuck ups.)

So microsoft will reimburse Reuters for this IM disaster, someone at microsoft will get fired at least ?

Whatever, microsoft is like the government... when people screw up they get promotions or Medals of Freedom..

Re:so will microsoft be held responsible ?

[Adult+film+producer]

haha, a troll against microsoft modded down on slashdot ? *eyes tearing up*

CTO should be fired

[WindBourne]

The people responsible for putting up a bad system should be fired. It seems like we no longer hold those accountable in the industry. we simply pass the buck. Oh, it is MS's fault. Well, the CTO made this choice knowing full well that MS is that way.

Re:CTO should be fired

It seems like we no longer hold those accountable in the industry.

or politicians, judges, military, corporations, financiers, citizens etc etc etc

responsibility is the old way, now we give people that are failures medals and golden handshakes oh and lots and lots of money,
modern world says just fail at what you are doing and you too can get more gold than winning the lottery except you get it every year !

failure is now rewarded in the western world, or haven't you been watching the news ?

of course its microsofts fault

its installed by default in Windows XP with no way of removing the thing other than editing obscure config files to make it appear in add/remove, the damm thing will pester you on every startup for a "MSN passport" to sign in so eventually the masses relent and fill it in and voila, another virus vector to add to the mess

funny how the EU isnt complaining about MS bundling chat programs by default, iam sure AOL/Yahoo/ICQ would of liked a piece of the action

Re:of course its microsofts fault

[dioscaido]

Options > Preferences > uncheck 'Run Windows Messenger When Windows Starts'

I agree it's a pain in the ass that it is turned on by default, but it's not exactly rocket science to turn it off.

Re:of course its microsofts fault

open outlook express/outlook
and it autostarts without any way to turn it off (other than deleting it)
if you do delete it (without uninstalling it) and it will bring OE/O to a crawl because of its registry entries tied into the system

you cant win, eventually people give up and do what it asks (just like spyware installers)
pester pester pester joepublic will relent and click OK

Re:of course its microsofts fault

[dioscaido]

Run Outlook Express > Options > uncheck 'Automatically log on to Windows Messenger'

Messenger won't come up automatically.

But again I agree it's a pain.

Re:Microsoft Messenger?

What choice? With XP (both Home and Professional) Microsoft Messenger is installed and running whether you want it or not! In addition, it is a PITA to remove. I think the DOJ forced Microsoft to make it easier to disable, but that of course assumes that the typical user is capable and aware of the need to remove it!

Details here:
http://www.theeldergeek.com/messenger_removal.htm

However, note (from the above source):
In none of the cases below is Messenger actually 'removed' from the system. You can hide it, prevent it from starting, disguise it, and fool the system into thinking it's not available - but it isn't removed. It's still on the computer and a part of the operating system.

Trillian vs MSN?

[rathehun]

I guess this is why Trillian updated the MSN plugin today. Seriously, I don't know why more people don't switch to either Trillian or Gaim.

Reasons? I would be interested in hearing why. I don't use Gaim much, but I use Trillian everyday.

There is no way I'm going to use MSN Messenger after that. So many more useful functions - default logging of chat...however I'm not sure about the security aspects, and how it compares with Redmonds offering.

R.

Re:Trillian vs MSN?

[YrWrstNtmr]

The security aspect here is the clueless user, not the tool. This does not automagically propagate. If you got an unknown link from someone in Trillian that says "Click here!" and you did click, then another popup that asks if you want to install 'SomeFunkyProgram', would you?

No, of course not. You have a bit of a clue. But that's exactly what happened here. The only way Trillian or GAIM would be 'more secure' than MSN Messenger (in this instance) is if they disallowed clickable links in IM's, and/or had no stored contact list. Both of which would be major reductions in functionality.

GAIM and Trillian DO have major functionality benefits over AIM/MSN/Yahoo (notably, multi protocol) but a clueless user is a clueless user, no matter what client they use.

Re:Trillian vs MSN?

[hass]

People don't use Trillian for the same reasons most people don't use Firefox or Opera. 1st. People don't know there are alternatives. If you did a pole on the streets, I bet 99% of people will have not heard of Gaim. Trillian is much more popular I would say. 2nd. People don't care about security. Most people really could care less about security because if their computer becoms loaded with viruses they will just have one of their techie friends fix it.

Re:Trillian vs MSN?

If you did a pole on the streets

I think that kind of thing's illegal, dude!

Re:Trillian vs MSN?

[Shin+Chan]

May I kindly point out that in MSN Msgr 7 there is a so called "Shield.xml" file that is being sent over the NS ("Notification Server", the main server that handles login, contactlist, etc) which is able to disable certain features?

For example, they did a testing "drill" in the BETA program not too long ago where they disabled Winks and DDPs, in another drill they disabled all clickable links. This in case a widespread virus would hit, they had the power to force the MSN Messenger 7 clients to stop accepting such material. Sure this can be circumvented by either a "man in the middle" or something similar, but if that happens then your PC has already been compromised.

Also, the dreaded .pif links have been disabled server-wise (all your messages containing ".pif" immediatly terminate the connection). On top of that there is file extension blocking in MSN Messenger 7, sending an exe for example will fail because the file is automatically being rejected. Microsoft can also force certain clients to be updated, for example when the PNG exploits appeared in the PNG library used by Messenge rthey forced 6.2 users to upgrade to the latest build. When there was an exploit found in the first leaked build of MSN Messenger 7 they disabled thae build from logging in as well (even though the blocking could be circumvented by a so called "CVR Patch", made by me ;-).

It's not the companies which create the products are responsible anymore, they already do their best; instead, the users need to "grow up". There are dangerous links, they should learn about that. There are tons of patches out there to circumvent the protection put there by Microsoft. If a user applies those then hell I dont blame Microsoft if the user gets infected, its the users own stupid fault because they dilebaretly crippled the programs security features.

As for Trillian vs MSN argument, I find that Trillian and other clients (like gAIM, which for example cna't view DPs of people who dont have YOU on their contactlist while there is no technical limitation to this) still lack certain features I like to use. Sure, if sending messages is all you need then go with either, but I still prefer the official client over the 3rd party applications. They just don't cut it. Yet.

Re:Trillian vs MSN?

I agree that the user need to click to propagate the virus however it is the tight integration between MSFT products that allows this to occur. MSFT Outlook contains all the email and IM addresses and allows automated scripts to run. Thus malicious code can be written to automate sending IMs to all of a users contacts causing havoc.

As far as I`m aware, Trillian doesnt have that kind of integration and therefore cannot be the originator of such an outbreak. Of course, it can receive an IM from someone else but Im not sure the virus could spread from a Trillian client.

Re:Trillian vs MSN?

[YrWrstNtmr]

Not sure about Trillian (don't have it installed ATM), but gAIM stores your buddy list (along with what system they are on) and account settings in regular XML files. Now tell me how that XML couldn't be read and used by an external malicious program. Something that has its own sendmail and messaging components.

Re:Trillian vs MSN?

[olman]

I guess this is why Trillian updated the MSN plugin today. Seriously, I don't know why more people don't switch to either Trillian or Gaim.

One word. Unicode. Yeah, I know it's a mouthful. But us funky europeans and our decadent slavic friends need more than just US-ASCII to communicate.

Correction...

[Caeda]

This statement...

"This is certainly a wake-up call, IM is just like any other communication media. The media needs to go hand in hand with security.'"

Should have been...

This is certainly a wake-up call, IM is just like any other "Microsoft Program". The Microsoft Program needs security."

There isn't a new yahoo virus flying around, nor is there an AIM virus flying around (sending a url that leads to a virus DOES NOT COUNT, as this is not the program itself spreading the virus but just a text link someone is stupid enough to click on) Nope, just Microsoft MSN viruses... Just like every other microsoft product?

Re:Correction...

[dioscaido]

Isn't it interesting how vulnerabilities in Firefox have spiked in the past 6 months since it's wide adoption? Could it be possible that widely used software is more likely to be targeted than those products with a small user base?

Re:Correction...

[lachlan76]

Could it be possible that widely uses software has more developers which can make/find vulnerablilities than those products with a small userbase?

Re:Correction...

[jo_ham]

Maybe, but look at Apache vs IIS.

Apache is the major player here, but I know which one has the most vulnerabilities and is responsible for most major net outages through malware.

Re:Correction...

I'm not sure why the above post was modded troll. Microsoft has bred a culture of irresponsibility in IT displacing decades of tried and true practices.

Re:Correction...

[ssj_195]

Not even remotely interesting, since most of those vulnerabilities were found by Firefox devs and hired auditing firms, rather than by seeing exploits in the wild. And how does "being a target" suddenly create more vulnerabilities? A vulnerability in a piece of software is either there or not, irrespective of how many people use it.

Having said that, I am of the opinion that as the number of people using Firefox increases, so will the number of exploits, but I can't imagine it ever reaching IE proportions; you pretty much have to design in that level of insecurity ;)

Re:Correction...

Isn't it interest how none of those vulernabilities are system crashing/destroying multi spamming virus infecting super vulerabilities like internet explorer?

Re:Correction...

[dioscaido]

:)

It's interesting to look into vulnerabilities within MS products pre and post their 2003 security push. Before 2003 their products were shamefully insecure. In 2003 they stopped all development for a month while the whole company underwent extensive security training, and re-vamped their development process. Since then their software has steadily hardened. I think the company gets a ton of flac now a days particularly for the bad taste it left in our mouthes in the early 2000's, but there's not much recognition of the solidness in their new offerings. I know it may be counter intuitive to say this on a thread discussing an MSN vulnerability, but seriously the vulnerability is pretty tame -- a link sent in a message.

IIS5 was a travesty, but IIS6 hasn't had a major vulnerability (it has had vulnerabilities like any software, but nothing widespread or critically dangerous). Here's an interesting comparison between IIS6 and Apache2, from Michael Howard -- http://blogs.msdn.com/michael_howard/archive/2004/ 10/15/242966.aspx

win2k server was an alright platform, but win2k3 has proven itself to be rock solid. Again it has had vulnerabilities like any product, but nowhere near the number or severity of previous offerings.

As an MS employee I can say that now security is a massive part of ever stage of planning, from the design of the architecture to the code itself. We go through countless threat analisys, at every milestone we have security check points with external teams (within MS) who specialize in security. Once we are ready to ship the code, it still has to be sent to the security team for a final review and only when they give permission can it be released. I doubt other companies go to these extremes to try to secure their software. MS still has a lot to prove, but I'm pretty confident the days of MS ignoring security for usability will be a distant memory in the next few years.

Re:Correction...

[ssj_195]

I have to say that much as I really dislike MS as a company (although some of their employees seem quite cool ;)), they've recently done very impressive work with security, especially with the advent of SP2. It's extremely hard to retro-fit security onto an old code-base that was not really designed with security in mind but they seem to have really pulled their socks up quite nicely, so I tip my hat to them :)

Re:Correction...

Once we are ready to ship the code, it still has to be sent to the security team for a final review and only when they give permission can it be released.

How can they review tens of millions of lines of code?

Re:Correction...

Oh yes. Decades and decades. When I was dropping my punch cards off, I was always made sure the guys at the lab had ensured their corporate IM solution was secure. They would always reply that they knew the sound of each other's voices pretty well, so I felt relatively safe.

Re:Correction...

[dioscaido]

You know we develop features in subgroups, right? :) It's still a lot of code, but the WSI team (windows security initiative) is pretty big, and the people assigned to your modlue are fairly familiar with the code by the time it is ready to ship, given that we've had security reviews with them during every milestone.

Re:Correction...

[imroy]

Could it be possible that widely used software is more likely to be targeted than those products with a small user base?

Well duh. Only stupid zealots would claim that popularity has *no* effect. Of course black-hats tend to target more popular software, that's only natural. Firefox has gained a lot of popularity very quickly and is still relatively young. So there's going to be a sudden surge in new vulnerabilities and other bugs. The question is wether this little surge turns out to be a short termed problem or if it's just the start of a 7+ year run of problems like IE has had. Many of us have reason to believe it'll be the former rather than the latter.

Re:Correction...

Because Slashdot is now chock-full of paid Microsoft shills as well as teenage kiddies who know nothing at all about computers (even though they like to think they do) but really they just naively believe all corporate PR.

Re:Correction...

[dustmite]

Did you ever use the 'talk' program in UNIX? IM software IS decades old; and in any case, the security principles for IM software are no different from any other TCP/IP client/server communications software, all these things have been well-established since the 70's. Learn your history before commenting.

Re:Correction...

[Keeper]

It is a troll because no security vulnerability is being exploited. The user gets an IM with a link to a file. The user then clicks on the link. If the user is running XP SP2, they get an additional warning that the link is unsafe and are they sure they really want to run it? Then they run it. The "file" then runs and sends itself as a link to everyone else in the contact list.

Re:Correction...

I could knock up a couple of scripts that, when installed by a stupid user, scrapes other talkable users from various readily available utils, uses the talk daemon to contact them, and encourages them to download and run my scripts. No "security principles" for "TCP/IP client/server communications software" will prevent stupid users from being socially engineered. Something like the Kelvir worm doesn't even need to run as root to spread.

But please, enlighten me - tell me all about these security principles for IM software - the ones that Microsoft has ignored - and explain to me how ignoring of those specific principles enabled the Kelvir worm. Or, conversely, you could stop acting like you know what you're talking about.

So, Mr "Learn your history before commenting", I hope you feel suitable stupid now. You certainly look it.

Re:Correction...

[dustmite]

Sure, social engineering applies here, not technical vulnerabilities, but your straw-man has absolutely nothing to do with the point: The person I was responding to (you?) WRONGLY claimed that IM is not decades old (feeling foolish perhaps?). In fact I only brought up security because the person I was replying to had already implied that security was the issue ("corporate IM solution was secure", "feeling safe" etc.) Look, you were wrong, just admit it, don't try change the subject.

Re:Correction...

(sending a url that leads to a virus DOES NOT COUNT, as this is not the program itself spreading the virus but just a text link someone is stupid enough to click on)

If you had RTFA, you would have known that in this case the above is exactly what it was. So could you please elobarate about how "Microsoft Program"s facilitated this?

In other news...

[Spy+der+Mann]

people are exposed to the flu in winter. News at 11.

Why do people give Microsoft their money?

Seriously, Microsoft creates architectures with guaranteed downtime, yet people still buy their products? I think their current revenues are holdovers from their monopoly in the 1990s, and the slip in their earnings is indicative of real slowdown for them. As GNOME/KDE desktops mature, people will certainly have few reasons to spend their hard-earned money on Windows and Office. If they want to spend the money, then spend it on Mac OS X and get something better than Microsoft could ever produce.

Re:Why do people give Microsoft their money?

There is no alternative. Macs are heavily overpriced (and underpowered, in the case of servers), and Linux is not ready for the desktop, as anyone who has seen a secretary curse at the moronic KDE-interface will witness.

Re:Why do people give Microsoft their money?

I think you are wrong for many people out there. I happily use GNOME, OO.org, Firefox, etc. The only non-OSS app on my computer is Moneydance, but that was only $30. So, for $30 I got a Windows replacement. I certainly don't boot Windows often enough to justify the price of updating it, so it's stuck at Windows 98 (no XP or Longhorn in my future).

Re:Why do people give Microsoft their money?

[SunFan]

"As opposed to their monopoly in the 2000s?"

The Linux desktops are good enough to be called competition, now. Mac OS X certainly is good enough.

"And pay 3x more for the hardware to run it on."

It's not hard to get decent Apple hardware for under $1000. Speed isn't that big an issue. My computer at home is years old, and I really don't care too much.

Re:Why do people give Microsoft their money?

[DigiShaman]

Because Microsoft is a company people love to hate.

Humans. Such a strange creature.

Ever used IRC? Email?

[SaDan]

If you have used either IRC or email, then you have no reason to not "get it".

IM is just a faster version of email, and pretty much the same thing as IRC (with a dumbed down interface).

Others have stated the merits of asynchronous communication via IM (just like in email/IRC), and the ability to communicate with more than one party at the same time.

IM doesn't make sense for everyone (I don't use it at work, others do). Some people do not need or appreciate the positive aspects of IM.

Re:Microsoft Messenger?

[lachlan76]

I hate to tell you this, but MSN is one of the few Microsoft products which is good (in my opinion anyway...Visual Studio is the other that springs to mind).

B-B-But

[hoovernj]

[Typical Blogger]: But I thought Viruses and worms were like... Web 1.0 and all.

Re:Jabber anyone? (whiteboard)

[tabo_peru]

Apparently yes, with The Coccinella jabber client.

"Reuters Messenging"

Is "Messenging" a real word?

Re:"Reuters Messenging"

Perhaps not.
'Messaging' is a word, though.

Heh.

I am amazed you didn't get modded up. I guess you just weren't subtle enough. Anyway, ANY software on the corporate level will be targetted. Most of that software just happens to be closed source. However, as open source becomes more prevalent it will be targetted more often. There are already some exploits for Firefox; none of them are too threatening now, but give those scumbags some time.

Also, the facts in this story state that the virus only sent links to all the contacts. The people still had to manually download and execute something in order to become infected.

Re:Heh.

>The people still had to manually download

Well long live porn, I says.

Use Gaim

[RedLaggedTeut]

Well, why not use Gaim then.
It can handle both MSNmsnger and YIM.

"The One IM To Rule then all"

Re:Use Gaim

[vidarlo]

Well, why not use Gaim then. It can handle both MSNmsnger and YIM. "The One IM To Rule then all"

Why not use Jabber? Jabber can use gateways to reach other IM protocols. One of the better jabber-providers is jabber.org.uk. They have msn, aim, yahoo, icq and irc gw. Oh, and it is free software!

Re:Use Gaim

[petermgreen]

the trouble with gateways is they can be (and often are) ip blocked. With support in the client they either have to force update thier client (which isn't exactly great pr) or find a way to detect the difference between thier existing client and yours.

also i think the im nets consider the likes of gaim less threatening than the likes of jabber with gateways because gaim simply tries to make all nets equal whilst jabber with gateways allows you to contact the existing nets whilst pushing you towards using jabber itself.

crossing over

[betasam]

If this Virus (however smart or otherwise) can be sent across by email, then isn't it a threat for MSN/IM clients too (not just those who derive their IM servers from MS' software?) Or is this incident telling us that MS does not license out it's current MSN/IM s/w + security patches? (looks more like the case.) Time will definitely tell.

Stop writing Crap code

[PacketScan]

Take your time and get it right. Do leave things uncheck (buffer overflow) and certainly don't rush. rushing breeds mistakes.

Programming 101

[t_allardyce]

No, this is a wake up call to programmers (the snooze button has been pressed by Microsoft regularly for the last 20 years):

When transferring any kind of data from one computer/system/program to another, where the source cannot be guaranteed trustable (hint: always) the data should be assumed to be intentionally malformed, as a result the system should either:

a) limit what the input data can do eg: not be executed as binary or a privileged command, not be capable of overflowing anything (ignore extra long data) not be capable of doing anything that you wouldn't allow any random person to do.

b) warn the user every time new data is to be processed and require acknowledgement to continue.

(b) is the reason why your operating system can't install random software people send it without warning/asking you.

(a) is for documents, emails, messages, pictures, music etc.

This is a pretty fundamental computing rule, its pretty much exactly like the basic gun safety rules: always assume the gun is loaded. always keep it pointed somewhere you don't mind a bullet going. always keep it unloaded. So you really have to wonder about peoples competence..

Re:Programming 101

[Keeper]

This is a worm, not an exploit. It spreads itself by email or by sending a link to itself via IM. Users then click the link. The computer asks them what they want to do with the link.

None of your comments apply in this case.

Re:Programming 101

[DMUTPeregrine]

"Always assume the gun is loaded..." No. Assume nothing. The gun is loaded. Even if you check by sight and touch and see that there is no ammunition in the gun, the gun is loaded. ALL GUNS ARE ALWAYS LOADED. Until the gun is in pieces being cleaned, it is loaded. Orwell's 1984 introduced the concept of doublethink as a bad thing. This is not always the case. For proper gun safety doublethink to convince yourself totally that all guns are loaded is needed. These four rules, if followed explicitly, will guarantee firearms safety. Memorize them and heed them. Always! * All firearms are loaded. - There are no exceptions. Don't pretend that this is true. Know that it is and handle all firearms accordingly. Do not believe it when someone says: "It isn't loaded." * Never let the muzzle of a firearm point at anything you are not willing to destroy. - If you are not willing to see a bullet hole in it do not allow a firearm's muzzle to point at it. This includes things like your foot, the TV, the refrigerator, the dog, or anything else that would cause general upset if a hole appeared in it. * Keep your finger off the trigger unless your sights are on the target. - Danger abounds if you keep your finger on the trigger when you are not about to shoot. Speed is not gained by prematurely placing your finger on the trigger as bringing a firearm to bear on a target takes more time than it takes to move your finger to the trigger. Negligent discharges would be eliminated if this rule were followed 100% of the time. * Be sure of your target and what is behind it. - Never shoot at sounds or a target you cannot positively identify. Know what is in line with the target and what is behind it (bullets are designed to go through things). Be aware of your surroundings whether on a range, in the woods, or in a potentially lethal conflict. The fifth, unwritten, but implied rule is: Take nothing for granted. Check everything by sight and touch. Tragedies could be avoided if everyone involved with firearms followed these rules all the time. As an aid to memorization, especially by young people, my friend Duane Hufstedler has put the 4 Rules to verse. They can be sung to the tune of "The Battle Hymn of the Republic." A gun is always loaded--it's a weapon not a toy. Cover nothing with the muzzle you're not willing to destroy. Keep your finger off the trigger 'til the mark your sights are on. Be sure of your target and everything beyond.

Re:Programming 101

[DMUTPeregrine]

Oops. Lost the formatting.

"Always assume the gun is loaded..." No. Assume nothing. The gun is loaded. Even if you check by sight and touch and see that there is no ammunition in the gun, the gun is loaded. ALL GUNS ARE ALWAYS LOADED. Until the gun is in pieces being cleaned, it is loaded.

Orwell's 1984 introduced the concept of doublethink as a bad thing. This is not always the case. For proper gun safety doublethink to convince yourself totally that all guns are loaded is needed.

These four rules, if followed explicitly, will guarantee firearms safety. Memorize them and heed them. Always!

* All firearms are loaded. - There are no exceptions. Don't pretend that this is true. Know that it is and handle all firearms accordingly. Do not believe it when someone says: "It isn't loaded."
* Never let the muzzle of a firearm point at anything you are not willing to destroy. - If you are not willing to see a bullet hole in it do not allow a firearm's muzzle to point at it. This includes things like your foot, the TV, the refrigerator, the dog, or anything else that would cause general upset if a hole appeared in it.
* Keep your finger off the trigger unless your sights are on the target. - Danger abounds if you keep your finger on the trigger when you are not about to shoot. Speed is not gained by prematurely placing your finger on the trigger as bringing a firearm to bear on a target takes more time than it takes to move your finger to the trigger. Negligent discharges would be eliminated if this rule were followed 100% of the time.
* Be sure of your target and what is behind it. - Never shoot at sounds or a target you cannot positively identify. Know what is in line with the target and what is behind it (bullets are designed to go through things). Be aware of your surroundings whether on a range, in the woods, or in a potentially lethal conflict.

The fifth, unwritten, but implied rule is: Take nothing for granted. Check everything by sight and touch.

Tragedies could be avoided if everyone involved with firearms followed these rules all the time.

As an aid to memorization, especially by young people, my friend Duane Hufstedler has put the 4 Rules to verse. They can be sung to the tune of "The Battle Hymn of the Republic."

A gun is always loaded--it's a weapon not a toy.
Cover nothing with the muzzle you're not willing to destroy.
Keep your finger off the trigger 'til the mark your sights are on.
Be sure of your target and everything beyond.

Re:Programming 101

[t_allardyce]

In the US do you have to pass a test to show you understand safety to get a gun license?

Re:Programming 101

[olman]

Have a real life anecdote about this. Uncle of mine, a hunter with great many years of experience made a hole in a ceiling.

He always, always checked visually by pulling back the bolt that the breech was empty. And then he shot with the empty gun at the ceiling. Only this one time the bullet was not properly seated in the breech so he didn't see it when he pulled the bolt back. So he made a hole in the ceiling.

Moral of the story, this guy had 2-tier safety procedure and when step 1 failed, step 2 still stopped him from shooting his pet poodle while cleaning an "unloaded" gun.

Re:Programming 101

[varebel]

It varies from state to state. In my state of Virginia, you don't need a permit or pass any test to own a handgun or open carry. However, to carry concealed, you must obtain a permit which requires proof that you've passed a basic handgun safety course, as well as a criminal background check. Proceedures for obtaining a conceal carry permit vary by city.

For more info, check out http://www.packing.org./

Re:Programming 101

[t_allardyce]

And yet to drive you need weeks of training and a test which most people fail at least once. Next thing you'll be telling me theres no age limit and that felons can carry but not vote..

"Legitimate" traffic???

Oh please, these are corporate drones we're talking about. Their IM traffic is mostly comprised of discussions of the latest Paris Hilton photos, plans to finagle an extra sick day out of HR, and complaining about the latest Dilbertism from their boss/client/spouse.

I'm a corporate drone, so I know.

Motorola

[akira69]

Funny thing is, this exact thing happened to me at Motorola. There was a message that popped up from 3-4 people on my contact list saying "click here for a picture of you I took." kinda weird, so I didn't click it. Everyone else in the office did though. Stupid! Viruses and spyware abound upon clicking.

Re:Microsoft Messenger?

Somebody actually CHOOSES to use Microsoft Messenger technology?

I know this is Slashdot and all, but I actually think the new messenger 7 is the best IM. I've almost stopped using Skype since they improved the audio/video, and far more contacts have MSN.

Sure, it has a lot of bells and whistles, but they can be fun too (or turned off).

Better yet...

[dark-br]

Slashdot: News for the amnesiac, stuff that mattered.

When it's not old news it's dup right? :)

Re:I just love it

[Phil06]

Go ahead, base your security scheme using the who-is-the-most-cool-therefore-least-likely-to-be- cracked method. Open source isn't cracked because it is not cool to do so. It is cool to bash 'the man'. MS is 'the man' so the more you bash/attack/crack it, the more cool you are.

Think Different!

[Chris+Tucker]

This is the traditional post stating that the Mac is OS is superior because it is unaffected by Windows viri.

Also included in the traditional post is a gratuitous slam against Windows users: "Windows users are poopieheads for using Windows!"

Finishing up with a "In Soviet Russia..." joke

In Soviet Russia, you infect Reuters!

It has been my pleasure to provide the Slashdot Community with the traditional posting making fun of the Windows OS and WIndows Users, contrasting the Windows OS with the Mac OS, in a snarky, oh, so superior and ultimately uninformative manner, in a comment thread about yet another flaw/fault/sploit in the Windows OS.

Thank you for your kind attention!

P.S. if you use Linux or any of the UNIX variants, please substitute the name of your OS for Mac OS in the above posting, the better to observe the Slashdot traditions we so revere.

Why IM

[jgoemat]

I use it at work all the time. We have one employee that works out of state and another that works from home 1-2 days a week.

• It's faster to use than phone and email - making a phone call or sending an email takes more time than typing an IM. If you don't want to save your conversation, deleting the emails is even more of a bother and takes more time since you have to open and delete each message, where you only have to close the chat window to get rid of your IM converstaion. If you want to keep it, just save it or copy/paste parts.
  
• Faster delivery - if they want to appear online, you can send a message and know they got it. With email they may not check again until after lunch and with Phone you may not get an answer and have to leave a voicemail.
  
• Functionality of email - you get to type in text and send files. It's easier to click on a link you paste into IM than to try and tell someone over the phone where to go.
  
• Interactivity of phone - You actually have a conversation with IM, there's the give and take of a telephone conversation. You don't have to wait long for your responses like you would with email.
  

Re:Microsoft Messenger?

[tiks]

no i dont think so but microsoft runs it anyways, in fact, there is no way simple to turn it off. Actually they have tied it with most ms internet programs, so every time you start Outlook express it automaticly starts messanger. with messenger running in background all the time & longhorn's black box technology imagine the possibilities!!!

Precisely

[SilverspurG]

This is precisely why I stay away from P2P software and use bitlbee for my IM handling.

I simply do not trust that the corporate authors of these infinitely connected clients are also exhaustively pedantic about fireproofing their code. As real truth would have it, OSS clients have historically been more resilient than their commercial counterparts.

The tin foil side of me thinks that the corporations actually like having security holes in their clients. <conjecture> The head of the MS Messenger department has this brother who married this girl whose younger brother owns stock in this company which specializes in "desktop advertising". </conjecture> Not saying that it was on purpose, but somehow that project absolutely had to be shipped by $DATE, even though the security audit wasn't quite complete. Coincidence? Probably.

Re:Precisely

Look, you don't just start reposting until someone notices you... christ...

Outlook?

Or LookOut! Express?

That is somewhat hard to remove under XP (SP2), if at all possible.
I've tried quite a bit of hacking, but shortly after it's gone, it is 'magically' restored. I thought it was Clippy at first, but he was first against the wall...

Anyone know how to remove outlook?

(yes, 'use linux' someone is bound to say)

Visual Studio

We used to use VS at work, and ended up having to use a third party memory mapping tool to find some memory leaks our system acquired. Turns out that:
a) VS couldn't find the leaks itself,
b) VS had put the leak in due to a bug in VS itself.

Anyone know if that has been fixed yet?

This isn't intentioned as an MS bash, in fact the company I worked for was a "certified microsoft solution provider".

Re:Visual Studio

uh, since when Microsoft provides solutions? To me it seems it only provides a lot of problems :P

Re:Visual Studio

Yes, that's what I thought... I don't work for them anymore.

Yeah, we'll it *is* about IM's and closed source

[Jugalator]

Francis deSouza, chief executive of computer security provider IMLogic, said 'It just generated a flood of instant messages, so it suddenly slowed down the network for legitimate traffic. This is certainly a wake-up call, IM is just like any other communication media. The media needs to go hand in hand with security.'

Yes, and a good start is to not use closed source solutions where few people can give input to security issues. Yes, a pretty much default comment on Slashdot, but reallly... Using MSN Messenger is like handing your postal mail to a person where it's secret to you how the mail is delivered and all you know is "well, it'll get through". Would you do that too? It's surprising how common it is to use closed source solution in security critical systems like instant messengers, e-mail applications, web browsers, and so on.

MSN Messenger Security

[Fungus+King]

They've at least made attempts to stop the spread of viruses in MSN... However, I don't think they've done a great job.

I've tried sending .oggs to some friends over MSN and yet it blocks them... so much for security, it just seems to be more of an annoyance. Perhaps they could try patching whatever exploit the trojans use in the program itself...

download

[ellingswin]

somewhere i can download these viruses?

Removal

[majest!k]

Incase anyone needs help getting rid of W32.Kelvir, heres Symantec's free removal tool

Be sure to run a few safe-mode virus scans as well with NAV/KAV/AVG/whatever you use :)

happy huntin'

Why don't they use aMSN ...

[lord_rob+the+only+on]

... or another "unofficial" msn messenger client ? They are not compatible with all that virii crap ...

this is fucking hilarious

[Edmund+Blackadder]

We are talking about text messaging here. I mean how hard it is to send a line of text securely. There should be no security concerns whatsoever.

Re:this is fucking hilarious

[Yaro]

Except... You're forgetting about the MS policy of doing things "friendly". Just get a pick at that new version of MSN, it's completely bloated with all sort of fancy features. This thing even scares me, tbh. :)

Re:this is fucking hilarious

[SunFan]

Well, given Microsoft already mastered unsecuring HTML, the next challenge, obviously, is plain text.

Re:this is fucking hilarious

[xander2032]

It's not Microsoft's fault. It's the user's fault. You actually have to click on the link, download the virus and run it. How can you blame Microsoft for that?

It's not their fault people are idiots. You can't protect people from their own stupidity.

I mean, how many times do we have to tell people to not click on links, download crap, and run it??

Re:this is fucking hilarious

[SunFan]

How can you blame Microsoft for that?

Making data executable out of convenience. Leaving their software completely full of exploitable buffers. Not displaying warning messages. Having no useful firewall for nearly a decade. Trying to integrate everything and the kitchen sink regardless of utility. Providing ActiveX. Promoting web standards that work against sysadmins' security efforts. Hiding bugs because they can. Avoiding making a compartmentalized multi-user system until the last moment.

I guess that's a start.

Re:this is fucking hilarious

In this case, the line of test was sent just fine and it consisted of a link to an executable. Like most computer users who see a message from a friend/coworker, they click the link which runs the executable and sends a line text....

IM system works perfectly, no security breachs here.

Re:Microsoft Messenger?

[PatHMV]

That was more or less my point, but obviously today's moderators didn't think it very funny... And of course Microsoft has given similar names to 2 different pieces of technology, Windows Messenger and MS Messenger. I assume the article is right that Reuters was using the MS (Instant) Messenger software.

Lots of IM warnings

[poppycock]

There have been lots of IM warnings in the pastjust look at CERT> warnings for a sense of how pervasive this threat is.

It's = it is

[georgiabiker]

Good lord, have we no editors left in the world who cherish the delicate distinction between its (possessive) and it's (it is)?! I am ashamed on behalf of civilized humans everywhere.

Use Gaim with Jabber (and YIM and AIM and MSN)

[Admiral+Burrito]

Jabber is a protocol. Gaim is a multi-protocol client. Gaim works well with Jabber networks (and YIM and AIM and MSN). Miranda IM does too, though it is Win32 only. Both are FOSS. Both are completely ad-free. People should use them, even if they never use Jabber.

It is generally better to use a multi-protocol client than Jabber gateways. The gateways tend to be feature-weak, for example most don't support file transfers or group chat.

By the way, if you do use the Jabber gateways (which is the only option if you are in love with some Jabber-only client), keep in mind that you aren't restricted to the ones available on the server you connect to. Many of the open Jabber servers allow their gateways to be used by any Jabber client anywhere on the network. The downside is that it is one more server that can go down when you're trying to message someone.

Jabber is a very good protocol. The ability to choose a server (and even set up your own) introduces a level of freedom that doesn't exist within Yahoo/AOL/MS-owned networks. The gateways are cool too.

Precisely

[SilverspurG]

This is precisely why I stay away from P2P software and use bitlbee for my IM handling.

I simply do not trust that the corporate authors of these infinitely connected clients are also exhaustively pedantic about fireproofing their code. As real truth would have it, OSS clients have historically been more resilient than their commercial counterparts.

The tin foil side of me thinks that the corporations actually like having security holes in their clients. <conjecture> The head of the MS Messenger department has this brother who married this girl whose younger brother owns stock in this company which specializes in "desktop advertising". </conjecture> Not saying that it was on purpose, but somehow that project absolutely had to be shipped by $DATE, even though the security audit wasn't quite complete. Coincidence? Probably.

(NOTE: This is a repost because there are crack-whore trolls with mod points that modded the first one flamebait and the second one redundant... WTF? Hey trolls... QUIT STALKING ME!)

apostrophe

holy living FUCK you DUMBASSES this is the second post today where you have written "IT'S" as possessive. do any of you actually know how to read and write english? how can you be so STUPID?!

I tried running the virus

[Vrejakti]

After following the instruction I received in my IM Window, I downloaded the virus, and tried to run it. It wouldn't open!

I decided to look at the source code with the command "LAN358102:~ haxor$ cat myprofile\@hotmail.com | head"

Result: MZP???@?? ?!?L?!??This program must be run under Win32 $7PELv?A?

*sigh* When will virus writers start to consider people who use other platforms?

Re:I tried running the virus

You need this: http://www.winehq.org/

Jabber

[RC_Car]

Jabber anyone?

... or is that not an option?

Think Different!

This is the traditional post stating that the Linux OS is superior because it is unaffected by Windows viri.

Also included in the traditional post is a gratuitous slam against Windows users: "Windows users are poopieheads for using Windows!"

Finishing up with a "In Soviet Russia..." joke

In Soviet Russia, you infect Reuters!

It has been my pleasure to provide the Slashdot Community with the traditional posting making fun of the Windows OS and WIndows Users, contrasting the Windows OS with the Mac OS, in a snarky, oh, so superior and ultimately uninformative manner, in a comment thread about yet another flaw/fault/sploit in the Windows OS.

Thank you for your kind attention!

P.S. if you use BSD or any of the UNIX variants, please substitute the name of your OS for Linux in the above posting, the better to observe the Slashdot traditions we so revere.

Reinventing it badly and replaced by SMS

[dbIII]

IT departments should think carefully before banning IM programs across the board.

Not that many people out there have heard of the old *nix "talk" program for good reason - people found that getting messages at anytime from anybody was an annoying distraction so it fell into disuse - the same with the "winpop" idea. Instant messaging has been around for a long time - and the biggest "security" hassle has been to stop people sending you messages for no paticularly good reason. One of the greatest benifits of email is that is has a short lag - you can ignore an email for two minutes. Instant messaging really has been superceded by SMS in every case but those where people are sitting in front of their screen at known time - in which case telephones work faster and email works almost as quickly as IM even after going through virus scanning. Opening the firewall to let in instant messages from outside lets in a variety of nastyness in addition to anoying messages from who knows where (is there some sort of broadcast bug/horrible_feature built in?).

As for "reinventing it badly" - the MS messaging client consumes a suprising amount of resources, and usually older laptops increase visibly in speed after it has been removed.

I haven't banned IM - I just stop it from talking to the outside world, or between subnets.

Apache vs IIS: The Facts

[I'm+Don+Giovanni]

We have one key data point which is that its' web server technology gets hacked more than say, Apache. It's important since Apache is as big as MS in that, neutralizing partly the size issue (al beit Apache is less homgenous than MS server so it's not perfect)

Since 2003, IIS 6.0 has had exactly 3 security adviseries verses Apache's 22 in the same time period:
IIS6 adviseries http://secunia.com/product/1438/
Apache 2.0 adviseries: http://secunia.com/product/73/

So, what "data point" are you talking about?

Re:Apache vs IIS: The Facts

Too bad you did not actually read the web pages you pointed to. If you had you would have learned that none of those 22 Apache holes was ranked a critical vulnerability. and that 91% of them were patched. In the cas of MS the vulernabilites were ranked critical and a third of them are still outstanding. It's well known that apache reports all their bugs whereas MS only reporst them reluctantly.

Why don't they...

[Your+Average+Joe]

Why don't they sue Microsoft? I am sure this security hole is something that Microsoft could have fixed long ago if they had not outsoced the development to people in India that to not understand security or how to write a stable software product.

When will Microsoft pay for these blunders?

In case you missed the article...

[Trejkaz]

In case you missed the article, this article is about a corporate IM service, not MSN Messenger.

In other words, they saw the risks in using public IM, decided they would buy a corporate IM system, and then made an extremely poor decision by buying Microsoft's corporate IM service.

And why was it a poor decision? Because it uses the same insecure client which people use on the public IM service. :-)

Hunt and Peck...

[Your+Average+Joe]

You go a head and hunt and peck on a cell phone. While I work for competitor X and just call my sales associate and verbally relay the same info in 10 seconds.

Lets see if you try that on the Apprentice and see if Donald doesn't fire you...

You hunt and peck your best, but most of your colleges say you are the best pecker head.

No-brainer: Transports

[Trejkaz]

About 40% of my contacts aren't on Jabber yet, but that doesn't seem to stop me talking to them via the Jabber protocol. Hell, I can chat on IRC servers via the Jabber protocol. Why would anyone need to use the native ones anymore? :-)

Ass clown, I am trying to sleep...

[Your+Average+Joe]

I am trying to sleep, quit IMing me. If you want to get my feedback send me email. How about I call you collect at 3:00 AM? You find that funny?

blame Microsoft for this one.

[Your+Average+Joe]

With the Mac OS you have to supply your credentials to get that crummy EXE to run as ROOT. So with the Mac the user would have had a second change to redeem his soul.

Netmeeting is not "blocked from running on XP"

[Kagami001]

It's included with XP.
It's "hidden" only in the sense that there's no shortcut to it (i.e. like regedit).
Run the command "conf" to run Netmeeting.

this is Microsoft and is related to underwear

[Your+Average+Joe]

Do you think if Bill Gates got laid in high school, do you think there'd be a Microsoft?

Of course not.

You got to spend a long time in your own locker with your underwear shoved up your ass before you start to think,

"You'll see. I'm going to take of the world of computers! I'll show them."

Re:ANY software on the corporate level...

[Your+Average+Joe]

What about Apache, more sites run it than IIS???

Re:I just love it

Dr. Phil, is that you?!?

Precisely

[SilverspurG]

This is precisely why I stay away from P2P software and use bitlbee for my IM handling.

I simply do not trust that the corporate authors of these infinitely connected clients are also exhaustively pedantic about fireproofing their code. As real truth would have it, OSS clients have historically been more resilient than their commercial counterparts.

The tin foil side of me thinks that the corporations actually like having security holes in their clients. <conjecture> The head of the MS Messenger department has this brother who married this girl whose younger brother owns stock in this company which specializes in "desktop advertising". </conjecture> Not saying that it was on purpose, but somehow that project absolutely had to be shipped by $DATE, even though the security audit wasn't quite complete. Coincidence? Probably.

(NOTE: This is a repost because there are crack-whore trolls with mod points that modded the first one flamebait, the second one redundant, and the third one finally received some semblance of a human response... WTF? Hey mod-trolls... QUIT STALKING ME!)