Microsoft is putting the final touches on a patch to limit an MSN Messenger feature that allowed any Web site to grab a visitor's IM nickname and buddy list.
While representatives for the Microsoft Network have said no customers have fallen prey to the potential privacy problem, the group plans to release early next week an updated version of MSN Messenger that fixes the problem.
"In order to implement the fix, customers will have to upgrade to the next version of MSN Messenger," a representative for the software titan said on Friday.
The issue occurs because Microsoft designed MSN Messenger to allow JavaScript contained in Web pages to access a customer's buddy list and, for certain Microsoft sites, the e-mail addresses of the person.
Software engineer Richard Burton highlighted the privacy implications of the feature in a post to SecurityFocus' BugTraq mailing list recently.
"It appears to have been intended as a feature so they could put in nice customizations on their Web sites," said the U.K.-based programmer on Friday. "I only raised it as a potential, so I don't think people need to panic."
The ill-conceived feature comes at a poor time for the software giant. Last month, Chairman Bill Gates wrote a companywide memo spurring employees to make security and privacy their top priorities.
"So now, when we face a choice between adding features and resolving security issues, we need to choose security," Gates wrote. Calling the initiative "Trustworthy Computing," the founder of Microsoft kicked off extensive code reviews to catch potential problems in the company's flagship software.
Coming two weeks after the memo, the current slipup spotlights the sheer amount of work that Microsoft needs to accomplish to make its software trustworthy.
A little more than a week ago, gamers had problems connecting to the Microsoft Network owing to a glitch with the company's Passport log-in service. In August, Microsoft patched a hole in Hotmail that could allow a person's e-mail to be read by others.
But the current problem is considered more of a privacy hiccup than a major problem, the Microsoft representative said.
After Microsoft releases the fixed version, MSN Messenger users will receive notification when they start up the application that the new software is ready for download.
"The level of risk is considered low," the Microsoft representative said.
Burton agreed. "I wouldn't say it is as serious as people have taken it," he said. "I don't think it is being actively exploited."