Microsoft confirmed last week that its instant messaging programs MSN Messenger and the Windows Messenger included with the company's Windows XP operating system can allow users' names and email addresses, along with those of all their chat buddies, to be viewed.

The flaw allows a Javascript placed on a web page visited by MSN Messenger users to obtain a user's display name for the chat program and the names of all their contacts in the program.

This could allow many people's real names to be 'harvested' by malicious websites. If no display name is set in the program, the Javascript will obtain the user's email address instead.

Some websites owned by Microsoft are able to access the email addresses of users and all their contacts. The technique used by these sites to monitor user visits could also be used by other websites, if users downloaded software that changed their computer settings slightly to allow the monitoring.

The bug affects MSN Messenger 4.60073 on Windows 2000 using Internet Explorer 6.0 and the same versions of Windows Messenger and Internet Explorer on Windows XP.

The flaw, which a Microsoft spokeswoman acknowledged on Friday to be true, exists as part of a feature designed to allow Messenger users to be notified when they've received new email in their Hotmail accounts, and to see if the person who has sent an email to those accounts is online with Messenger.

Though Microsoft is treating the flaw as low-risk, it will release a new version of the Messenger products that addresses the issue early this week, the spokeswoman said. Users will be notified that a new version is available and will be prompted to download it, the spokeswoman added.

In the meantime, concerned users can go to the MSN Messenger support website for information about the issue and steps they can take to protect themselves, the spokeswoman said.