Network Computing is part of the Informa Tech Division of Informa PLC

FUDBuster: Microsoft Forces Messenger Upgrade--Six Months Later

FUDBust: Perhaps in the land of teenage hipsters, who prefer text to touch, Microsoft's actions were both speedy and conclusive. In our minds, the trajectory of this full product upgrade illustrates the bad karma that ensues when software vendors and white hat "research" firms cooperate. Microsoft and its partner in crime, Core Security Technologies, are pointing fingers at each other. Microsoft claims Core released a proof-of-concept that spawned an actual exploit. The exploit forced Microsoft to issue a mandatory upgrade--and kick nonupgraded clients off the Messenger chat network. Core doesn't deny these facts, but notes that it uncovered the vulnerability back on Aug. 23, then waited until Microsoft published a fix on Feb. 8 before releasing its own advisory and "test" exploit.

Even if Core's actions were questionable, the dunce hat still belongs on Microsoft's head. Why did it take a software giant six months to address a potential threat? And why didn't it avoid a mandatory and chaotic full product upgrade by designing Messenger to accommodate modular patches?