We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,021 News Articles

Microsoft plugs more gaps in software

Chat patch is patched up and there are moves to fill Gopher hole

Microsoft is busy patching up holes in its software again, releasing two security bulletins. The first updates a patch it released for a handful of its chat software clients back in May, while the second details a workaround to a flaw in its Internet Explorer web browser that comes as a result of the ageing Gopher protocol.

The vulnerability in MSN Chat, MSN Messenger and Exchange Instant Messenger addressed by the patch released on 8 May could have allowed an attacker to run code on target machines via a buffer overflow in ActiveX.

Such buffer overflows occur when the space reserved for programs or services in memory is overrun, allowing attackers to run code or take over systems.

The original patch did not, however, stop the affected ActiveX component from being reinstalled on systems in all cases, leaving the potential for patched systems to become vulnerable again, Microsoft explained. To address this, it has released a new set of fixes for all three affected products.

The new security alert, patches and updated versions of the programs can be found here.

This most recent patch update is not the first time in recent months that Microsoft has needed to fix a security fix. In May, the company released a patch for Internet Explorer that, security researchers charged, did not close all the holes it claimed to.

Microsoft encountered a similar problem in February, when another patch for IE caused the browser to crash.

The company's second security bulletin provides users with a way to protect themselves from attack using the Gopher protocol, although there is still no patch for this issue.

The Gopher vulnerability potentially gives a remote user access to a host computer, by exploiting a buffer overflow bug in IE's gopher code.

The company's warning about the Gopher vulnerability marks Microsoft's official acknowledgement of the bug. When Online Solutions Oy, the Finnish company that discovered the flaw, released its advisory, Microsoft said only that it was investigating the issue and did not confirm it.

Microsoft's work-around for the issue is the same as that provided by Online Solutions: Users should: select Tools, Internet options, Connections then click on LAN settings and check 'Use a proxy server for your LAN'. Next click Advanced and, in this area where users can define proxy servers to be used with different protocols, go to the Gopher text field and enter 'localhost', and '1' in the port text field.


IDG UK Sites

EE brings 4G LTE to Cornwall and a total of 21 new towns

IDG UK Sites

iOS 8 review: Hands on with the iOS 8 beta

IDG UK Sites

5 things Android Wear *can't* do: Smartwatch OS is great but not flawless

IDG UK Sites

Sharknado 2 VFX: how The Asylum created CG flying man-eating sharks