2/11/2005

Microsoft to Make MSN Messenger Fixes Mandatory

Filed under: — Aviran Mordo @ 5:44 pm

Microsoft Corp. on Friday lashed out at two security research firms for publishing proof-of-concept exploit code for MSN Messenger hours after Microsoft released security patches for the product.

In one instance, the software giant said malicious hackers have modified the proof-of-concept code into an exploit that puts millions of users at risk of code execution attacks that require no user interaction.

Moving swiftly to blunt an attack, Microsoft has decided to push out patched versions of MSN Messenger as a mandatory update. As of Thursday evening, users of the popular instant messaging client must update to MSN Messenger version 6.2.0205 or the MSN Messenger 7.0 beta before they are allowed to log on.

“When the vulnerability was announced this week we initially introduced an optional upgrade and had plans to make the upgrade mandatory,” a Microsoft spokesperson said. “But when we learned that detailed exploit code had been published on the Internet we felt the need to take decisive action.”

According to the exploit code seen by eWEEK.com, an attacker need only load a malicious PNG (Portable Network Graphics) file as a buddy icon to launch an attack against every MSN Messenger user on a buddy list.

Microsoft late Thursday released a security advisory to warn customers of the risk. The company also provided step-by-step instructions in a separate notice for both consumer and enterprise MSN Messenger users.

Source: eWeek

 
