Toms View of the World

It’s become apparent to me that the latest version of MSN Messenger is using IE to render it’s adverts, and those adverts are being served from the advertisers website, not MSN.

this is “Not Good” in a number of ways. IE is a known security hole, and general advice from security experts is “don’t use it”. I don’t want useful tools like MSN Messenger forcing it to open, and leaving a gaping hole in my PC for spyware and trojans to get through. I only discovered this situation because my IE installation is “locked down” (no scripting, no cookies etc) as I never use it anyway… (this would be a good place for the Get Firefox! link)

However, it’s worse than that - I wouldn’t be so worried if all the adverts were served from MSN’s servers, but I got a “Vauxhall.co.uk is requesting to place a cookie” message, I was very surprised that Microsoft are letting advertises serve adverts from their own domains (rather than MS’s domains) which obviosuly means that if a hacker compromises an advertisers website, he can send trojans, spyware and botnet applications to my PC, via the web-adverts in MSN Messenger.

Microsoft really need to look at this again - allowing adverts is one thing if you can tightly control the server where they are held - however, allowing ad’s to be served from anywhere that’ll pay is not on.

Unfortunately, MSN Messenger is very useful, however, I’ll have to look into alternatives like Trillian or GAIM, which is a shame as I’ll lose some functionality (like webcam conversations) - but better than that leaving a huge hole in my PC’s anti-spyware/anti-hacker defenses.

Also, By default, MSN Messenger does not allow you to disable this security hole. Fortunately, there are several 3rd party tools that do - however I don’t know if they simply prevent it displaying, or actually prevent it connecting to the websites to collect the adverts - hence I’ll be looking elsewhere for my IM clients, and will be willing to pay for a feature-full advert free system.