Preventing automatic Photo Sharing in Windows Live Messenger 2009

UPDATE (Aug 20/09): The latest version of Messenger will break the patch here as the new version is a different file.   Fortunately A-Patch has now been updated with this option, and works with the updated version of Messenger, so I would recommend you use that tool to make this change instead.  If there’s any real demand, I’ll update this patch here, but I expect there will not be.  For those manually patching themselves, the new offset is hex 164118.

---

It took much longer than I personally expected, but the automatic Photo Sharing function in Windows Live Messenger has finally been patched.  Surprisingly it was done by Rafael Rivera (of uxtheme, Blue Badge, and other fame) and not in one of the common Messenger patches (not yet anyway).

Rafael documents what needs to be changed on his site, but if you want to skip that or you’re not comfortable editing binary files, I threw together a quick patcher using PatchWise Free.

Download the patcher  (see update above as this may not work on your version) 
You’ll need the latest Messenger installed, but since the latest mandatory update, you should already have it.

What this does exactly
This allows you to drag-and-drop images into the Messenger conversation window or copy/paste image files into Messenger without the Photo Sharing feature being triggered.  Instead, Messenger will send the images as a normal file transfer.  If you still want to use Photo Sharing however, just use the Photo button in the toolbar of the conversation window and the function will work there.

What’s wrong with Photo Sharing?
The only real problem with Photo Sharing is that you can’t turn it off.  Photo Sharing is quite useful for showing someone an image quickly that they may or may not want to keep, but if you’re sending screenshots or other detailed images, it really becomes a nuisance as you have to go through the whole Save, switch to desktop, open file procedure repeatedly.

Doesn’t Plus! do this already?
The latest Plus! version contains a special registry value you can add to deal with when you copy/paste actual bitmap images.  It does not deal with copy/pasting files themselves or a drag-and-drop operation.  For those not aware, the value is OverrideImgTransfer and would go at HKEY_CURRENT_USER\Software\Patchou\Messenger Plus! Live\WindowsLiveID@Emailaddress.com\Preferences (where WindowsLiveID@Emailaddress.com is your Live ID).  Rafael’s change deals with this situation as well, so this key is not required.

Thanks!
Don’t thank me, I’m just the messenger (pun intended).  Head over to Rafael’s blog and leave a comment there for him!

How to avoid a phishing worm on Messenger and what to do if you’ve been affected

As the most used instant messaging service in the world, it’s become more and more common to find your contacts sending out virus, spam and worm links through Messenger.  There’s a lot of different types and different steps for removal, but the one most recently affecting people is a “phishing worm”.

The worm
More than likely you’ve seen the following from one of your contacts recently:
 

There’s no need to analyze the link, as it seems to randomly change and most likely new sites are added regularly.  Although Messenger has allowed messages to be sent while appearing offline for quite some time, it’s important to note that these messages are sent out as offline messages (although no doubt this won’t always be a fact). As I know “Ruth” rather well, knew she wasn’t at her computer, and know this message isn’t something characteristic of her, I immediately knew this wasn’t legitimate.

Your best bet is to to stop here and not bother clicking the link without asking for confirmation of what this is from your contact.  However, if you do proceed, you may find yourself at a web site like the following:

 
Although this isn’t a good fake, it does appear somewhat similar to the Messenger user interface and judging from the number of these links sent to me over the past few weeks, it has in fact tricked quite a few people.  Once you provide your Windows Live ID username and password, it saves this information on the scammers server and redirects you to another web page full of advertisements and pointless images.

The scammers now have your credentials and can start their dirty deeds — logging into Messenger as you, looking through your e-mail, accessing your Microsoft billing information (if you have any) and spamming others with similar links.  You wouldn’t trust a stranger coming up to you asking for your credit card information, so why would you trust a random website with your Messenger credentials?

The worst part of this whole process is that the typical support response is to run a virus scanner.  This of course will find nothing (although a good percentage of Messenger worms and viruses aren’t detected by scanners anyway), as the scammers are logging in from another computer using the provided username and password.  While this fruitless effort to find a non-existent virus on your computer is in progress, someone could be using or selling your information.  Your information might be used within hours, days, or even years long after you’ve forgot this happened.

It is absolutely essential to change your password after your account has been compromised in this fashion on both Windows Live ID (which includes Messenger) and other sites where your log in using the same e-mail address (Facebook, for example). 

Verifying you are at a true Microsoft site and changing your password
Most major web sites on the web today utilize an Extended Validation (EV) certificate.  In most browsers this will appear with a green bar at the top.  Among other security measures and encryption, this indicates that the site has gone through an audit to verify the identity of the site.  To show this in action, let’s head over to https://account.live.com/ChangePassword.aspx to change the Windows Live ID password.

Even if the site appears to look like a Live ID sign in page, look for the green address bar, lock icon and company name to verify it truly is.  Additionally, depending in your Windows version, browser and Live ID site you’re signing into, you might need to click the ‘Sign in using enhanced security’ link on the page to see these indicators. 

Finally you’ll arrive at the password changing page and can change your password.  One minor feature that’s been added recently is an option to prompt you to change your password every 72 days.  I’m not quite sure how this will work with regards to Messenger yet, but time will tell.

As mentioned previously, you should now use similar password changing facilities in other sites which utilize the same e-mail address and password to log in.

Easy steps to remember
To conclude, here are some easy steps to remember to avoid this happening to you:

1. Before accepting an invitation or clicking on a link, verify that it appears to be legitimate.  If in doubt, ask your contact.
2. If a site is prompting for your username and password, verify your information will be going to a legitimate source that you trust.
3. Don’t trust antivirus software to save you.  Use discretion and avoid installing or running any applications from web sites you don’t trust, even if they came from a contact you do.

What exactly is the “Important service announcement” for?

A few days ago, Microsoft accidently started sending an “Important service announcement” to Hotmail-based Windows Live IDs informing them that they had to change their Live ID e-mail address.  There’s been plenty of coverage over at the MessengerSays blog, Windows Live Team blog, Neowin, LiveSide, and others, but there was no explanation given for what this feature is normally used for.

The message
Confusion isn’t at all unexpected given how the message is presented.  The message comes from messenger@microsoft.com with “Windows Live(TM) Messenger Service Staff” as the display name of the contact.  It then goes on to tell you that “As part of a recent system enhancement, we need you to change your e-mail address to continue signing in to the Windows Live(TM) Messenger Service” and then provides a link to http://support.microsoft.com/gp/Messenger/.

Just given the language used, this should most likely trigger warning bells in most people’s heads expecting a phishing scam.  However, in this particular instance, it is a completely legitimate message.  Firstly, @microsoft.com Live IDs are reserved (more on this later) and can’t be faked or manually registered like typical e-mail domains on Messenger/Live ID.  Secondly, although this feature has existed for many years , the “recent system enhancement” would typically be indicating a new corporate/enterprise roll-out (more on this later too).  Finally, if you visit the link presented, it will provide you with a partial typical explanation of why you’re receiving this and what to do — well, or at least provide some clues.

So what is it?
As mentioned in the Help & Support article which is linked in the message, you would typically get this message if your had an existing Windows Live ID registered on a domain which recently was registered to use Office Communications Server (or the former name, Live Communications Server) and the Public IM Connectivity (PIC) feature was turned on.  When this function is engaged, that domain is now an EASI (e-mail name as sign in name) domain  — users cannot register new Live IDs on that domain directly and users are now forced to use Office Communicator to sign in to those Live IDs through their local Office Communications Server.  Therefore existing Live IDs need their e-mail address changed to continue working on the normal Live Messenger client.

Only Hotmail users
So why did Hotmail users see this?  I’m afraid only Microsoft can answer that with the details, but it most certainly was just an accidental configuration change.  Note that Hotmail addresses are also reserved in the system, so I do suspect that played a role in this small faux pas.  Additionally (note: I didn’t receive this message myself to know with complete certainty), within normal conditions Hotmail addresses are not changeable, so no real damage should have occurred from this message going out.  

Not the first time
This isn’t the first time Live Messenger has had server-based problems with similar functionality.  Back on Friday the 13th of June of last year (2008), anyone using the former 9.0 beta client would have seen the Office logo () under the display picture in each conversation window (more here).  This is exactly what you see when someone signs into the .NET Messenger Service using Office Communicator and one of these EASI domains setup for Public IM (example in Messenger 2009 shown here on the right).

Finally, I’d like to point out that this feature makes use of the same “changing ID” page that is used by the normal Windows Live ID site which broke at the end of last year.  I’ve yet to be able to get a full confirmation that the latest problems around that page are corrected, but it’s interesting to note that the problems surrounding changing a Live ID e-mail address affect both customers and enterprise users.