The Encode Security Labs performed an empirical analysis of the Microsoft Instant Messaging implementation based on Exchange 2000 and using the MSN Messenger Service v3.6 client. The most important findings about the IM service are: -it does not offer any confidentiality -it is vulnerable to man-in-the-middle attacks -its authentication methods are weak and only employ unilateral authentication -it does not offer any form of data origin authentication -the IM service is not easy to firewall since the server uses arbitrary port numbers to deliver messages to clients The report is available (in PDF format) from http://www.encode-sec.com/security.html Vendor notification status: Microsoft was contacted on 24 January 2002 ----------------------- Dimitrios Petropoulos MSc InfoSec, CISSP Director, Security Research & Development ENCODE S.A. 3, R.Melodou Str 151 25 Marousi Athens, Greece Tel: +3010-6178410 Fax: +3010-6109579 Mob: +30944-506334 web: www.encode-sec.com ------------------------
