Time to address IM security threat

Feb 21, 2005: A recent security flaw in MSN Messenger shows that instant messaging (IM) poses a serious security threat, and it should prompt enterprises to act now and implement a comprehensive IM policy.

The warning was issued by Gartner following the MSN Messenger vulnerability, which caused Microsoft to restrict access to its MSN Messenger IM service to prevent the spread of the security-flaw exploit.

Microsoft locked out any users not running the latest versions of the MSN Messenger and Windows Messenger clients after a proof of concept for the vulnerability was posted on the Internet. Older versions of MSN Messenger and Windows Messenger do not properly handle corrupted image files, and by exploiting this vulnerability an attacker could take control of an affected system.

"The MSN Messenger exploit highlights the risks of not establishing and implementing an enterprise IM policy. The MSN Messenger client - like those for Yahoo! Messenger, AOL Instant Messenger and other IM services - is available for download free of charge. As a result, IM is so widely used that most enterprises have no idea how many IM clients are installed on their systems or how much IM traffic passes over their networks," said Gartner analyst Lawrence Orans.

While the move by Microsoft was effective in this instance, Orans said a future outbreak may not be contained so successfully.

"Microsoft acted quickly to control this malicious-code outbreak by denying access to clients that were not up-to-date. However, the next time an IM exploit emerges, Microsoft or another IM provider may not be able to respond as quickly or as effectively. Enterprises must take responsibility for ensuring that the use of IM does not compromise their security. If necessary, they must be able to temporarily shut it down when a serious security threat emerges."

Gartner advises that the popularity of IM is rapidly making it unrealistic to block IM traffic entirely. In many enterprises, one or more business units can make a compelling case for the need to use IM.

Gartner considers that enterprises have three options: implement an enterprise IM solution; deploy a solution that makes it possible to build policies around public IM services; or do both.
