Security E-Mail Raises Alarm

The .NET Messenger team’s initial notice to users about the Sept. 2003 service change generated some confusion and illustrated that Microsoft does not yet have coordinated, companywide standards for communicating security-related matters.

To notify users of the change, the .NET Messenger team sent an e-mail to all users thought to have one of the affected clients. The e-mail told them they needed an “important MSN Messenger or Windows Messenger security update” and that the change was “part of Microsoft’s Trustworthy Computing initiative.” This e-mail was sent to the Passport e-mail name last used to log on to the service (e.g., “user@hotmail.com,” “user@msn.com“).

The e-mail backfired. Customers wondered if there was a critical vulnerability that needed to be patched and, if so, why Microsoft hadn’t issued a bulletin accessible from the Microsoft Security Web site as it usually does in cases like this. Adding to the confusion, in Apr. 2003 Microsoft told customers never to trust unsigned e-mails purporting to be from the company, as these e-mails might be hoaxes containing virus attachments. In addition, the first line of the e-mail was written in all capital letters, and some customers received multiple copies of the e-mail—common characteristics of hoax e-mails.