IM still a security weak spot, analysts warn
The recent MSN Messenger fix is a reminder that instant messaging can still pose a threat to corporate security.
Last Friday, Microsoft forced its millions of MSN Messenger users to download a new version of the software to plug a security vulnerability.
The software giant put the mandatory upgrade in place after a security company posted information that might help a would-be attacker exploit the vulnerability. Users of the instant-messaging application were greeted with a notice to upgrade before they could view their buddy lists.
Analyst firm Gartner commended Microsoft for acting so quickly to control the problem by locking out vulnerable clients, but it warned that future threats may not be so easily dealt with and that enterprises may have to take the matter into their own hands.
"Next time an IM exploit emerges, Microsoft or another IM provider may not be able to respond as quickly or as effectively. Enterprises must take responsibility for ensuring that the use of IM does not compromise their security. If necessary, they must be able to temporarily shut it down when a serious security threat emerges," Gartner analyst Lawrence Orans said in an advisory.
Foad Fadaghi, senior industry analyst at Frost & Sullivan, said that although some companies have set up security policies for IM, many have got so comfortable using the free consumer version, they could find themselves in trouble if they are forced to shut the service down because of security issues.
"A lot of companies have left themselves quite exposed by using public IM software, but as you see more threats happening to IM, more companies are setting up policies and secured systems. However, IM is a primary communications method, and if they start talking about turning it off, they will damage their business," Fadaghi said.
Fadaghi said one good thing to come from the MSN Messenger vulnerability is that the security threat from IM has been highlighted to chief information officers.
"It wasn't on the list of things that the CIO was worried about. If anything, the CIOs out there may now start seeing IM as a serious threat to corporate security," Fadaghi said.
Gartner's Orans said the popularity of instant messaging is making it unrealistic for a company to block the services completely, which leaves administrators with a number of options.
"In many enterprises, one or more business units can make a compelling case for the need to use IM. Enterprises have three options: Implement an enterprise IM solution, deploy a solution that makes it possible to build policies around public IM services, or do both," Orans said.
Munir Kotadia of ZDNet Australia reported from Sydney.