Microsoft is aware that detailed exploit code has been published on the Internet for the vulnerability addressed by Microsoft security bulletin MS05-009. Microsoft is not currently aware of any active attack utilizing this exploit code or customer impact at this time, but is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
Our investigation of this exploit code has verified that it does not affect users who have installed the updates detailed in MS05-009, for both Windows and MSN Messenger, on their computers. Microsoft continues to recommend customers apply the updates to the affected products by enabling automatic update in Windows as well as upgrading to the updated version of MSN Messenger.
Customers can install the updated version of MSN Messenger manually now by visiting http://messenger.msn.com
and clicking on the "Download Now" button on the page. In addition, in the near term, consumer customers will be automatically prompted to install the updated version of MSN messenger when they sign into the application. This update will be made mandatory at a future point in time. Alternatively, consumers can install and evaluate the new MSN Messenger 7.0 beta, which is not vulnerable to the exploit code.
Enterprise customers should visit the Download Center to obtain the updated version of MSN Messenger. In addition, enterprise customers should follow the detailed guidance available at http://www.microsoft.com/security/incident/im.mspx
- Step 1: Uninstall MSN Messenger
Uninstall MSN Messenger within your network; MSN Messenger is not intended for corporate environments. Instead, use Windows Messenger, which is included with Windows.
- Step 2: Block MSN Messenger Access ...
Block access to MSN Messenger in your environment. For guidance, see Knowledge Base article 889829.
Or Update MSN Messenger
If you prefer to use MSN Messenger, use the Enterprise Update Scanning Tool to determine vulnerable systems on your network and upgrade them to the latest version through the MSN Messenger Web site or the Microsoft Download Center (for file locations, see Microsoft Security Bulletin MS05-009).
If you have any questions regarding the security updates or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary at the number located at http://support.microsoft.com/security
Microsoft PSS Security Team