Microsoft Slips a Plug in a Patch


By Stephen H. Wildstrom Q: Last night I came home to find that my kitchen PC suddenly was using MSN, not Google, for its Internet Explorer home page. I was just changing it back, thinking the nanny had changed it, when my wife commented that all the PCs at her office had done the same thing. Then I found all my children's computers had done the same thing. As a point of principle, I'm deleting MSN Messenger from all my PCs since it appears that big brother Microsoft (MSFT) has lost control of itself.

A: It looks like Microsoft tried to get a little benefit for itself when it repaired a serious security flaw.

Here's what seems to have happened to your computers. On Feb. 8, as part of a huge batch of Windows security updates, Microsoft released a patch for a "critical" vulnerability in MSN Messenger that could allow hostile code to be hidden in an image. Within a couple of days, information on how to exploit the vulnerability was circulating on the Internet, and Microsoft decided it needed to take further, more drastic action to protect Messenger users. So it made installation of the patch mandatory.

As of Feb. 11, users who had not updated their copies of the Messenger software were blocked from logging on to the instant-messaging service. Because of the nature of the vulnerability -- it could have compromised computers when users did nothing more than open an IM -- this was the right action to take.

However, Microsoft went a bit further than was strictly necessary. During the course of installing of the update, the user is offered several options unrelated to security, one of which is "Make MSN My Home Page." It is checked by default. So if you don't pay close attention -- and you should always pay close attention to these options when doing any sort of installation -- the next time you start IE, your home page will have changed. This is perilously close to the browser hijacking that's a characteristic of many spyware programs.

DOUBLE HIJACK. Microsoft should be ashamed of itself for trying to turn its own security flaw to its commercial gain. There's no reason to believe that customers installing a mandatory security fix also want to change their browser home page to an MSN portal, and there's even less excuse for trying to spring a change on the unwary.

Interestingly, the test version of Microsoft's new AntiSpyware program does something similar. When it detects a browser hijacking, it attempts to change the home page to MSN rather than to a blank page or a page of the user's choosing, in effect, hijacking the already hijacked page. It's Microsoft's privilege to set MSN as the default home page for Internet Explorer, but if the customer decides to change the setting, Microsoft should respect the choice and stop looking for sneaky ways to change it back. Wildstrom is Technology & You columnist for BusinessWeek. Follow his Flash Product Reviews, only at BusinessWeek Online


The Good Business Issue
LIMITED-TIME OFFER SUBSCRIBE NOW
 
blog comments powered by Disqus