MSN Messenger flaw highlights 'serious' security threat

The flaw Microsoft recently plugged in its MSN Messenger software highlights a serious threat to enterprise security, according to analysts.

Last Friday, Microsoft forced its millions of MSN Messenger users to download a new version of the software to plug a security vulnerability. The mandatory upgrade began after a security company posted information that would help a would-be attacker exploit the vulnerability. MSN Messenger users were then greeted with a notice to upgrade before they could open their instant messaging clients.

Analyst firm Gartner commended Microsoft for acting so quickly to control the problem by locking out vulnerable clients, but it warned that future threats may not be so easily dealt with and enterprises may have to take the matter into their own hands.

"Next time an IM exploit emerges, Microsoft or another IM provider may not be able to respond as quickly or as effectively. Enterprises must take responsibility for ensuring that the use of IM does not compromise their security. If necessary, they must be able to temporarily shut it down when a serious security threat emerges," said Gartner analyst Lawrence Orans in an advisory.

Foad Fadaghi, senior industry analyst at Frost & Sullivan Australia, said that although some companies have set up security policies for IM, many have become so comfortable using the free consumer version that they could find themselves in trouble if they are forced to shut the service down because of security issues.

"A lot of companies have left themselves quite exposed by using public IM software but as you see more threats happening to IM, more companies are setting up policies and secured systems. However, IM is a primary communications method and if they start talking about turning it off they will damage their business," said Fadaghi.

Fadaghi said one good thing to come from the MSN Messenger vulnerability is that the security threat from IM has been highlighted.

"It wasn't on the list of things that the CIO was worried about. If anything, the CIOs out there may now start seeing IM as a serious threat to corporate security," said Fadaghi.

Gartner's Orans said that IM's popularity is making it unrealistic for a company to block the service completely, which leaves administrators with a number of options.

"In many enterprises, one or more business units can make a compelling case for the need to use IM. Enterprises have three options: Implement an enterprise IM solution, deploy a solution that makes it possible to build policies around public IM services, or do both," said Orans.


Talkback 2 comments

    Anonymous -- 18/02/05

    For a little balance...it might be worth looking at the impact of the flaw. Ok, how long were your family and kids vulnerable to IM web-stalkers with the technical ability to exploit it? The industry has a responsibility to admit this to the public in a way they can understand, not just to discuss this amongst ourselves using technical jargon.

    We may be proficient enough to secure our systems, while the general public and tomorrow's market place are left in the dark. They are entitled to make informed choices - and I predict there will be a Senate enquiry into the "security industry" within the next 18 months. You know why.

    Anonymous -- 21/02/05

    I've been having a lot of problems with MSN's free Hotmail service. It scans my email and removes pictures. It rescans email that was sent to me and already scanned, and removes attachments. It tells me that it found a virus in it one time, then the next time not. I've run virus scans and they show nothing was found through McAfee and Windows. I called MSN support; they told me there's nothing they can do because it's a free version. Any help you can give me will be very much appreciated. Thank you in advance, jc
