Thanks Andrew, Jimmy Daniels & lawtai.

Who is Affected: All customers using the Microsoft® MSN Chat control, which is available for direct download and ships with MSN Messenger and Exchange Instant Messenger.

Impact of vulnerability: Run Code of Attacker's Choice

Maximum Severity Rating: Critical

Affected Software:
  • Microsoft MSN Chat Control
  • Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control
  • Microsoft Exchange Instant Messenger 4.5 and 4.6, which includes the MSN Chat control

News source: Warp2Search
View: Microsoft Security Bulletin MS02-022
Download: Unchecked Buffer in MSN Chat Control Patch


The Redmond, Wash.-based software maker issued a critical security bulletin advising users to upgrade, either by visiting an MSN Chat site and downloading an updated chat control, or by upgrading on the site to the latest version of MSN Messenger or Exchange Instant Messenger.

The chat control feature is not automatically included in Windows Messenger, which is installed with the XP version of Windows, Microsoft's flagship operating system.

The company was aware of no user who had been hacked via the flaw, Microsoft Security Program Manager Christopher Budd said, though he cautioned users not to be complacent about downloading the upgrades.

MSN Messenger has some 46 million users, but the chat control is automatically included only in the two latest versions, 4.5 and 4.6, Budd said.

He said the company had been informed of the flaw by a security firm about a month ago but did not disclose it until late Wednesday because it was developing the fixes or "patches" for customers to download.

Version 4.5 was released in October 2001 and version 4.6 was released two months later.

"Software always will have flaws," Budd said. "We always do our best to ensure we do not have flaws or vulnerabilities, but while we strive for perfection, we know we're not always going to achieve perfection."

Last month, the company released a new plan, called "Trustworthy Computing," whose goal is to fix security flaws in its Web server software, the most serious of which could let a hacker take over someone else's server. The plan followed a series of embarrassing security flaws and growing criticism that the software giant had been ignoring the flaws for too long.

Microsoft said the newest vulnerability was caused by what is known as a "buffer overflow problem." Hackers could use the problem to run their own malicious commands on a user's computer.

Buffer overflows occur when software is programmed to accept information but is not given the ability to validate or limit it. That allows hackers to send commands that an operating system is not expecting, but that end up in a computer's memory and are executed.
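The unchecked copy described above, next to a length-validated version, as an added C example that is not from the article or from Microsoft's code. The buffer size, function names and sample inputs are hypothetical and say nothing about the MSN Chat control's internals.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16  /* hypothetical fixed-size buffer inside a control */

/* Unchecked form: copies caller-supplied input with no length limit.
 * Any input of NAME_BUF bytes or more writes past the end of dst.
 * Shown for comparison only; main() never calls it. */
void set_name_unchecked(char dst[NAME_BUF], const char *input)
{
    strcpy(dst, input);
}

/* Checked form: find the terminator within the buffer's capacity and
 * reject oversized input instead of copying or silently truncating it.
 * Returns 0 on success, -1 if the input is rejected (dst is untouched). */
int set_name_checked(char dst[NAME_BUF], const char *input)
{
    if (input == NULL)
        return -1;
    /* memchr stops at the first NUL and never looks past NAME_BUF bytes. */
    const char *end = memchr(input, '\0', NAME_BUF);
    if (end == NULL)            /* no NUL in the first NAME_BUF bytes */
        return -1;
    memcpy(dst, input, (size_t)(end - input) + 1);  /* includes the NUL */
    return 0;
}

int main(void)
{
    char name[NAME_BUF] = "";
    /* Constructed sample inputs. */
    const char *ok  = "guest_42";
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */

    printf("short input -> %d\n", set_name_checked(name, ok));
    printf("long input  -> %d (rejected, buffer still \"%s\")\n",
           set_name_checked(name, big), name);
    return 0;
}
```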

In February, Microsoft warned of an unrelated flaw in MSN Messenger that could allow a hacker to gain access to screen names and e-mail addresses.


