Gartner tells enterprises to wake up to IM Threats
By Sean Michael Kerner, February 22, 2005

About a week ago, Microsoft blocked access to noncurrent versions of the MSN Messenger client software to protect against a critical flaw for which exploit code was widely available. According to Gartner, the incident should serve as a wake-up call to enterprises that don't have an IM policy in place. A few hours after Microsoft issued a patch for a flaw in the "libpng" component that MSN Messenger uses to view avatar icons, exploit code became widely and publicly available courtesy of a pair of security research firms. The exploit as described was deviously simple to execute: a user only had to accept an incoming message request and view the malicious avatar that was sent in order to become infected.
According to Gartner, the MSN Messenger exploit highlights the risks of not establishing and implementing an enterprise IM policy. The research firm noted that due to the public and free availability of IM clients such as MSN Messenger, Yahoo! Messenger and AOL Instant Messenger, the volume of IM traffic as well as the actual number of installed IM clients are unknown by most enterprises.
While Gartner praised Microsoft for acting quickly to prevent damage to users, they warn that the next time users may not be so fortunate. "The next time an IM exploit emerges, Microsoft or another IM provider may not be able to respond as quickly or as effectively," Gartner's analysis stated.
For its part, Microsoft is confident that its security response process is doing its job. "When a security issue threatens customers, the MSRC (Microsoft Security Response Center) quickly mobilizes several specially focused teams to investigate, fix and learn from security vulnerabilities and provide timely and prescriptive guidance for our customers," a Microsoft spokesperson told InstantMessagingPlanet.com. "We are confident in our response process and its ability to respond quickly to help protect our customers facing any security threat."
Even though Microsoft is ready to serve and protect, Gartner warns enterprises to take responsibility for ensuring that the use of IM does not compromise their security. "If necessary, they must be able to temporarily shut it down when a serious security threat emerges."
That said, Gartner recognizes that the popularity and business utility of IM in many environments means that it's unrealistic to block IM traffic entirely. Gartner has three recommendations for enterprise usage of IM: implement a policy solution for public IM services, use an enterprise IM solution or deploy a combination of both.
Gartner also noted that installing enterprise-wide security solutions such as firewalls, proxy caches, URL filtering and secure e-mail products provides a degree of IM security, but that this approach offers less granular policy control than solutions specifically tailored for public IM services.
Microsoft agrees that enterprises should be using an enterprise grade IM platform, preferably its own.
"While Microsoft offers MSN Messenger for consumer IM needs, Microsoft encourages companies to deploy a security-enhanced enterprise-grade IM platform to share IM and deeper presence information," Microsoft's spokesperson said. "More and more companies are required to keep sensitive business information, exchanged over IM, encrypted and logged, making Live Communications Server 2005 ideal for use in regulated environments."
Many organizations have not properly implemented enterprise IM policies, according to Gartner analyst Lawrence Orans, because they are hoping that an attack won't happen to them.
"Many organizations are 'looking the other way' when it comes to IM security," Orans told InstantMessagingPlanet.com. "There hasn't been much publicity about IM threats and attacks, and it pales in comparison to [coverage of] spyware threat and e-mail borne attacks."
Sean Michael Kerner is a frequent contributor to InstantMessagingPlanet.com.