Gartner Group warns enterprises of inherent security threat of IM
Businesses advised to subject instant messenger platforms to same security restrictions as e-mail, and to rapidly apply patches.
Gartner Group is warning enterprise organisations to reassess the use of Instant Messaging (IM) platforms in the enterprise for security reasons. At the start of May, Microsoft issued a patch for a vulnerability in the Chat Control component included in its MSN Messenger software. However, this is merely the latest in a string of security incidents surrounding free IM platforms.
The Microsoft security hole allows an attacker to execute code on the target machine. An attack is likely to come from some future worm, or self-propagating virus.
“Instant messaging (IM) platforms have had vulnerabilities before, but attacks required the user to take some action ‘Go to this cool site’. This new vulnerability raises the spectre of a destructive self-propagating worm that could have several ‘heads’ exploiting various paths, one of which would be MSN Messenger,” states a Gartner Group report.
Although IM potentially increases productivity between workers in and between enterprises, allowing IM traffic through the corporate firewall can create a serious security threat.
“The inherent weaknesses in both the software and infrastructure of the major free IM providers – [such as] AOL Time Warner, Microsoft and Yahoo - create significant risk for enterprises allowing IM traffic through the enterprise firewall,” says the Gartner report.
Gartner Group has issued a number of security recommendations to enterprises, including staying on top of the recent spate of security alerts and rapidly applying patches as and when they become available. Also, IM should be subjected to the same security measures as e-mail.
Long term, organisations should also investigate the possibility of using enterprise-controlled IM and presence servers, which will offer better security than free public services.
“When choosing between competing IM systems, enterprises should heavily weight the security of the code,” adds the report.