Messenger Virus FUD Spreads Across Net

News of a virus affecting MSN and Windows Messenger has begun to surface on several Web sites, and appears to be causing more ruckus than the actual bug itself. The rumors stem from a vulnerability in Internet Explorer discovered last year that allows a Web site to access local objects such as Messenger contacts through the document.Open() method.

In a security bulletin posted last week, researchers Tom Gilder and Thor Larholm warned of the possibility for a Web site to utilize this flaw and send messages to MSN contacts without a user's knowledge. The recent confusion is caused by a malicious Web page that sends a message to each visitor's contact list containing a link to itself. If the link is clicked, that user's contacts will also receive the message, and so on. Microsoft patched this problem in the most recent IE security update, which the company "strongly urges" all Windows users to install.

Because the problem lies within Internet Explorer, users do not need to worry about a virus being spread through Messenger. The best way to prevent falling victim to such malicious code is to follow best security practices, such as keeping Windows up to date with the latest patches and not clicking links without knowing where they lead - even from friends or family.

A Web page has been set up to demonstrate the vulnerability, but will not work with the 11 February 2002 Cumulative Patch installed.