Instant Messaging

If you use a consumer IM program from AOL, MSN, or Yahoo!, beware! Two buffer-overflow vulnerabilities were recently discovered in AOL Instant Messenger. These vulnerabilities would have allowed attackers to run code on your computer and control it remotely. AOL claims they fixed the problem on their servers, but you should upgrade to the latest version of AIM just to play it safe.

In older versions of MSN Messenger and MSN Chat Control, an ActiveX control that lets you create online chat rooms has a vulnerability that could allow an attacker to run code on your computer. Microsoft has a patch for it (Security Bulletin MS02-022), but you should upgrade to the latest version of MSN Messenger to be safe. Older versions of Yahoo! Messenger also contain security flaws that allow hackers to run code on your computer, so you should also upgrade to the latest version of Yahoo! Messenger.

Consumer instant-messaging programs don't use encryption, which means your information is subject to hacking. IM also advertises your whereabouts. It's a prime example of presence awareness technology, described in Chapter 6. If you use an instant-messaging program, keep security in the front of your mind. If you don't use IM, and MSN's annoying MSN Messenger icon pops up every time you boot, know that Microsoft designed it that way and you have to disable it! If you have Outlook, you might even have to disable it twice.

To disable MSN Instant Messenger from loading (in Internet Explorer 6)

1. Click the Tools menu in Internet Explorer 6.

2. Uncheck Windows Messenger (if it's checked).

To disable MSN Instant Messenger from loading (in Outlook)

1. Click Options on Outlook's Tools menu.

2. Click the Other tab.

3. Uncheck Enable Instant Messaging in MS Outlook (if it's checked).