Sunday, August 24, 2003

MS IM Upgrade?

The e-mail says it's a security upgrade. Authors for MS-compatible IM's say it's a measure to cut non-MS IM's off from the service. Given past practices, my opinion leans towards the latter. Unfortunately, MS never learns. "Adjust" the protocol and it will cut "outsiders" off in the short run. In the long run, the "outsiders" will adapt and learn how to get back in.

Another thing they're not thinking of is that if they switch out code, they risk more vulnerabilities (i.e., a whole new slew of expoits!).

Mark your calendars. I have asked Microsoft's .Net Messenger Service (the ones who sent me the e-mail to upgrade) what vulnerability the upgrade fixes. Just as in two previous cases (one question, one vulnerability report), I'm not holding my breath.

BTW, that vulnerability still exists, two years later. I did get a reply from them concerning the vulnerability. They claimed it was a non-issue because if I used MS DNS, the problem with their Exchange server cluster would not exist. I couldn't get it into their heads that the DNS local to the Exchange server was MS but that neither was the equipment mine (our shop used 99% *nix) nor was the DNS record causing the problem local.

And coworkers wonder why I have a low opinion of publicly available MS servers.