Microsoft: Upgrade Messenger or else

Computerworld - Microsoft will force an upgrade on users of its Windows Live Messenger instant messaging software in September to plug a hole the company introduced when a programmer added an extra character to a code library.

Starting in mid-September, users of Messenger 8.1 and 8.5 will be required to upgrade to Messenger 14.0.8089 if they want to use Microsoft's instant messaging service, the company announced in a blog posted last Thursday.

Optional upgrade offers have already started reaching Messenger 8.1 and 8.5 users, Microsoft said.

The timeline for people running a build of Messenger 14 is different. Mandatory upgrades to Messenger 14.0.8089 will begin in late October, while upgrade offers will be sent at the beginning of that month.

"It will take several weeks for the upgrade process to be completed, as the upgrade will be rolled out to customers over the course of several weeks," Microsoft said.

Microsoft also encouraged users to proactively upgrade by manually downloading the newest version of Messenger from the service's site.

Although Messenger 14 includes several new features and a revamped interface, Microsoft's making the upgrade mandatory because of a flaw inherited from a buggy Microsoft code "library" -- Active Template Library, or ATL -- used by programmers in the IM client's development.

In late July, Microsoft acknowledged that the vulnerability introduced in software crafted using ATL was due to a one-character typo: an extra "&" symbol to be exact.

On July 28, Microsoft issued a pair of emergency patches to crush the ATL bug in Internet Explorer and Visual Studio, the company's popular development platform. On Aug. 11, as part of its regularly-scheduled monthly security update, Microsoft patched five more ATL flaws in several company-made components.

Windows Live Messenger was not among the programs named in MS09-037, the accompanying security bulletin, however. Previously, Microsoft said it might take months for it to go through the code of all its software to determine which was affected by the ATL bug.

Last week, Microsoft revised the security advisory for the ATL vulnerabilities to add a section on Messenger. In the alert's FAQ, the company made clear that the upgrade was mandatory. "If you do not accept the upgrade, you may not be allowed access to Windows Live Messenger service," the advisory read.

The Messenger upgrade will not be pushed to users via Windows Update, the normal patch distribution service. "Microsoft currently issues upgrades for the Windows Live Messenger client using the Windows Live Messenger service because these online services have their own client deployment mechanism," Microsoft said. Nor will users running any version of Windows older than XP be required to upgrade. Unless they upgrade on their own, those people will continue using the vulnerable software.

Mandatory Messenger upgrades are nothing new. Nearly two years ago, Microsoft did the same thing -- again because of a security vulnerability -- when it forced users to update to Windows Live Messenger 8.1.

But some users reacting to last week's announcement took the opportunity to knock the upgrade. "So now you're forcing us to upgrade to something that's horribly broken?" said a user identified as "hemingray" in a comment to the blog. "No thanks. I'll always use 8.5, don't care what frigging exploits it has."

"I have stayed with 8.5 to retain sharing folders, which I rely upon," added someone labeled "Sam Toucan" in the same comment thread. "Put sharing folders in and I'll be happy. Else, leave me be with 8.5!"

Read more about security in Computerworld's Security Knowledge Center.