posted by Anand

Hi, I’m Anand, the security PM for Windows Live Messenger.

If you are using a Windows XP or later system, then there is no reason why you shouldn’t be using the latest and greatest released version of Messenger. Messenger 8.1 was released earlier this year. It the most stable and reliable version of Messenger. It also has the latest security updates.

There is a security vulnerability in the earlier versions – MSN Messenger 6.2, 7.0 and 7.5 and Windows Live Messenger 8.0. This is discussed in the security bulletin MS07-054. However, this security vulnerability doesn’t affect Windows Live Messenger 8.1. There, I gave you another reason to upgrade to Messenger 8.1.

Unfortunately, not all of our users read this blog and so we have found another way to make sure that they protect themselves by using Messenger 8.1. Some of you might remember that upon logging in to Messenger you occasionally get toasts recommending an upgrade. Well, with this new security issue gone public, we need to raise it up a notch in order to protect the users.

We will soon configure the service such that any user on Windows XP or later system has to use Windows Live Messenger 8.1. When a user using an older version of Messenger tries to login, the client will help the user with a mandatory upgrade to Messenger 8.1.

Some of you might feel this inconvenient, but in order to protect you and protect the health of the network we have chosen to take this step.

Do users have to upgrade?

Yes, once a user has been given a mandatory upgrade notice, they will have to install Windows Live Messenger 8.1. Most users have been given an optional upgrade notice since January 2007. 

I am not seeing a mandatory upgrade right now and I am running a bad version of the client, why?

The Messenger network uses a rolling upgrade mechanism across the network. It will take several days to get a mandatory upgrade and new bits to all users.

What can users do now to protect themselves sooner?

Users running Windows Live Messenger 8.1 do not need to take action. Users running earlier versions of Messenger should visit and install Windows Live Messenger 8.1.

I use Windows 2000. How can I protect myself?

Because Windows 2000 isn’t supported by Windows Live Messenger 8.1, we will provide an updated version of MSN Messenger 7.0. We will upgrade Windows 2000 users to the updated version of MSN Messenger 7.0 after the Windows Live Messenger upgrades.

Till then, as a precautionary measure, don’t accept a webcam or a video call invitation from a contact that you don’t trust.

If I’m running the new Windows Live Messenger 8.5 beta, am I protected?

Yes. Messenger 8.5 beta users are not affected by this vulnerability.


If you have a comment on this post please comment! For other questions/concerns/discussion topics/rants/raves/etc – please head over to the Windows Live Messenger Newsgroup.