MSN Messenger Security Hole Found

UPDATE: A newly discovered security bug in MSN Messenger and Windows XP’s Windows Messenger that can expose a user’s personal information to malicious Web site owners is in the process of being fixed by Microsoft Corp.

A Microsoft spokesperson said in an interview that the company will issue a patch to fix the bug sometime “early this week.” Users of MSN Messenger and Windows Messenger who want to protect themselves in the meantime can go to this Web page for additional information.

The spokesperson also said Microsoft has not received any reports of customers being attacked through the hole.

In a posting last week to SecurityFocus’ BugTraq e-mail list, programmer Richard Burton said that the display name of a person using these programs can be obtained by a Web site that uses JavaScript. “For users who have a sensible and accurate display name, this should be considered a privacy issue,” Burton wrote, adding that people who have not set a display name will have their e-mail addresses revealed instead.

A list of the user’s contacts can be obtained by using the hole, he also said.

Web sites hosted on some domains, like, and, can also use the same technique to access the e-mail address of the user, along with the e-mail addresses of all their contacts, Burton said. “This could be used by Microsoft to track users on their sites, which many would consider to be a privacy issue.”

Other domains can be granted access to a user’s e-mail addresses with a single registry entry, he also said. That entry could be made by installed spyware/adware, which sometimes ends up on a machine without the user’s knowledge when a copy of shareware is run. “Once there you have the potential to give your e-mail address to any site that requests it and places it in a cookie,” Burton wrote.

On his Web site, Burton is quick to point out that the risks are not great, because many people do not set accurate display names and the exploit is not easy to carry out.

Burton added that he has set up a simple demonstration of the problem. When MSN Messenger is open, the demo will show the user’s name and the names of all of the user’s contacts. If the registry entry he describes is present, it will also show the user’s e-mail address and the addresses of all of the user’s contacts.

The news of the security bug comes just weeks after Microsoft announced a new focus on security, as company Chairman and Chief Software Architect Bill Gates told employees that they must now make security in Microsoft’s products their first priority.

Microsoft even went as far as hiring an outside security expert to help implement that goal. The company brought on Scott Charney, a principal for PricewaterhouseCoopers’ Cybercrime Prevention and Response Practice, to serve as the company’s chief security strategist, replacing Howard Schmidt, who left the company after he was tapped by the Bush administration as electronic security advisor.

Charney has been charged with developing strategies to enhance the security of Microsoft’s products, services and infrastructures.

Bob Woods is the managing editor of

News Around the Web