Microsoft has outlined plans to push a mandatory Windows Live Messenger upgrade in order to plug a security hole related to a vulnerable code library.
The security vulnerability stems from the use of a vulnerable version of Microsoft's Active Template Library (ATL). A programming error involving the inclusion of an extra "&" character meant that any software packages that made use of the ATL library template inherited a critical software flaw.
Software developers across the IT industry used the vulnerable ATL library to write application components, or more specifically Component Object Model code, including ActiveX controls.
Windows Live Messenger 8.1 and 8.5 are both also vulnerable as a result of the same ATL problem. Microsoft has already begun offering a voluntary update but, starting later this month, will force users to upgrade to the latest version of Live Messenger if they want to use Microsoft's IM service.
Users already on version 14 of Live Messenger will also be pushed towards the latest variant, version 14.0.8089, but mandatory updates in these cases won't happen until late October, as explained in a blog post by Microsoft.