Microsoft Warns of Critical Instant Messaging Flaw
May 8, 2002 at 5:00 am, #16156, BigBlueBall News (Member)
Newsbytes
May 8, 2002
A security flaw in Microsoft’s instant messaging services could enable remote attackers to take control of users’ computers, the company warned today.
Microsoft has rated the vulnerability “critical” on client systems and advised customers using MSN Messenger and Exchange Instant Messenger to immediately upgrade to a new version released today.
Customers who use Microsoft’s multi-user, Web-based MSN Chat service are also advised by the company to download a new version of the program.
According to Eeye Digital Security, which reported the flaw to Microsoft, an ActiveX control used by the services contains a buffer-overflow vulnerability that can be exploited through a malicious e-mail message, Web page, “or through any other method where Internet Explorer is used to display HTML that an attacker supplies.”
In an advisory today, Eeye warned that the flaw in the “MSN Chat OCX control” enables an attacker to “supply and execute code on any machine on which MSN Messenger with the ActiveX is installed.”
As a result, even non-active Messenger users, or those who access the service using a third-party product such as Trillian, should upgrade to the new MSN Chat control.
“The attack doesn’t happen through the chat client, so as long as you have MSN Messenger installed, if I send you a special URL, I can own you,” said Marc Maiffret, Eeye’s “chief hacking officer.”
Eeye is not currently aware of any tools “in the wild” that target the vulnerability, but Maiffret said the flaw is “easy to exploit, so people will soon have them.”
The MSN Chat control vulnerability, as well as a similar flaw in an ActiveX control used by Macromedia’s Flash software, was discovered by Drew Copley, a quality assurance expert with Eeye.
After upgrading to the new version of MSN Messenger, the version number of the software should read “4.6.0079,” Microsoft said. For customers using the Web-based MSN Chat control, the patched version number is version 2.3.204.3001.
Microsoft’s bulletin on the MSN Chat control bug is posted online.
Eeye’s advisory on the flaw is also online.
http://www.washingtonpost.com/wp-dyn/articles/A56332-2002May8.html