QUOTE
Windows Live Messenger mandatory upgrade will patch development code vulnerability
By Gregg Keizer
August 31, 2009 03:45 PM ET
Computerworld - Microsoft will force an upgrade on users of its Windows Live Messenger instant messaging software in September to plug a hole the company introduced when a programmer added an extra character to a code library.
Starting in mid-September, users of Messenger 8.1 and 8.5 will be required to upgrade to Messenger 14.0.8089 if they want to use Microsoft's instant messaging service, the company announced in a blog posted last Thursday.
Optional upgrade offers have already started reaching Messenger 8.1 and 8.5 users, Microsoft said.
The timeline for people running a build of Messenger 14 is different. Mandatory upgrades to Messenger 14.0.8089 will begin in late October, while upgrade offers will be sent at the beginning of that month.
"It will take several weeks for the upgrade process to be completed, as the upgrade will be rolled out to customers over the course of several weeks," Microsoft said.
Microsoft also encouraged users to proactively upgrade by manually downloading the newest version of Messenger from the service's site.
Although Messenger 14 includes several new features and a revamped interface, Microsoft's making the upgrade mandatory because of a flaw inherited from a buggy Microsoft code "library" -- Active Template Library, or ATL -- used by programmers in the IM client's development.
In late July, Microsoft acknowledged that the vulnerability introduced in software crafted using ATL was due to a one-character typo: an extra "&" symbol to be exact.
On July 28, Microsoft issued a pair of emergency patches to crush the ATL bug in Internet Explorer and Visual Studio, the company's popular development platform. On Aug. 11, as part of its regularly-scheduled monthly security update, Microsoft patched five more ATL flaws in several company-made components.
By Gregg Keizer
August 31, 2009 03:45 PM ET
Computerworld - Microsoft will force an upgrade on users of its Windows Live Messenger instant messaging software in September to plug a hole the company introduced when a programmer added an extra character to a code library.
Starting in mid-September, users of Messenger 8.1 and 8.5 will be required to upgrade to Messenger 14.0.8089 if they want to use Microsoft's instant messaging service, the company announced in a blog posted last Thursday.
Optional upgrade offers have already started reaching Messenger 8.1 and 8.5 users, Microsoft said.
The timeline for people running a build of Messenger 14 is different. Mandatory upgrades to Messenger 14.0.8089 will begin in late October, while upgrade offers will be sent at the beginning of that month.
"It will take several weeks for the upgrade process to be completed, as the upgrade will be rolled out to customers over the course of several weeks," Microsoft said.
Microsoft also encouraged users to proactively upgrade by manually downloading the newest version of Messenger from the service's site.
Although Messenger 14 includes several new features and a revamped interface, Microsoft's making the upgrade mandatory because of a flaw inherited from a buggy Microsoft code "library" -- Active Template Library, or ATL -- used by programmers in the IM client's development.
In late July, Microsoft acknowledged that the vulnerability introduced in software crafted using ATL was due to a one-character typo: an extra "&" symbol to be exact.
On July 28, Microsoft issued a pair of emergency patches to crush the ATL bug in Internet Explorer and Visual Studio, the company's popular development platform. On Aug. 11, as part of its regularly-scheduled monthly security update, Microsoft patched five more ATL flaws in several company-made components.
Continued
http://www.computerworld.com/s/article/913...e?taxonomyId=89