Windows Live / MSN Messenger to force security upgrade

Anand, a Security PM for Windows Live Messenger, posted tonight on the Inside Windows Live Messenger blog that a change is rolling out in the next few weeks: if you haven’t already upgraded your Messenger to at least 8.1 (the current released version), you will soon be forced to do so.


According to Anand:

We will soon configure the service such that any user on Windows XP or later system has to use Windows Live Messenger 8.1. When a user using an older version of Messenger tries to login, the client will help the user with a mandatory upgrade to Messenger 8.1.

Some of you might feel this inconvenient, but in order to protect you and protect the health of the network we have chosen to take this step.

And like it or not, the “health of the network” is a pretty valid reason for taking this extra step. It all boils down to Security Bulletin MS07-054, “Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution (942099)”. This vulnerability, which has been fixed in 8.1 and the beta version 8.5, “could allow remote code execution when a user accepts a webcam or video chat invitation from an attacker. An attacker who successfully exploited this vulnerability could take complete control of the affected system.”

Any users out there who are still using Windows 98 or 2000 are vulnerable as well, and for those systems a newer version of MSN Messenger 7 was released today. The MSN Messenger 7 upgrade is available now and will be forced as well, once the Windows Live Messenger upgrades have completed.