A recently discovered security flaw in MSN Messenger demonstrates that instant messaging (IM) presents a serious security threat and should act as a wake up call for enterprises, industry experts have warned.

According to Gartner, firms must "implement comprehensive IM policies now" after the MSN Messenger vulnerability prompted Microsoft to restrict access to its service in a bid to prevent the exploit from spreading.

Gartner senior analyst Lawrence Orans said: "The MSN Messenger exploit highlights the risks of not establishing and implementing an enterprise IM policy."

"The MSN Messenger client, like those for Yahoo Messenger, AOL Instant Messenger and other IM services, is available for download free of charge.

"As a result, IM is so widely used that most enterprises have no idea how many IM clients are installed on their systems or how much IM traffic passes through their networks."

The warning comes after Microsoft moved to lock out any users not running the latest versions of its MSN Messenger and Windows Messenger clients after proof of concept of a vulnerability was posted on the internet.

The problem centred on the inability of older versions of MSN Messenger and Windows Messenger to properly handle corrupted image files. By exploiting this vulnerability, an attacker could take control of an affected system.

"Microsoft acted quickly to control this malicious code outbreak by denying access to clients that were not up to date," said Orans.

"However, the next time an IM exploit emerges, Microsoft or another IM provider may not be able to respond as quickly or as effectively.

"Enterprises must take responsibility for ensuring that the use of IM does not compromise their security. If necessary, they must be able to temporarily shut it down when a serious security threat emerges."

Gartner advised that, because IM has become so popular, it is rapidly becoming unrealistic to block IM traffic entirely. In many enterprises, one or more business units can make a compelling case for the need to use the technology.

The analyst firm believes that enterprises have three options: implement an enterprise IM system; deploy a product that makes it possible to build policies around public IM services; or do both.