RealTime IT News

Microsoft Warns Again on MSN Chat Flaw

Users of Microsoft Corp.'s MSN Messenger, Exchange Messenger and MSN Chat software who applied a security patch last May for current versions of those packages are not safe if they have installed previous versions of the software after applying the patch.

In a security bulletin, Microsoft said the May patch works fine. But a new set of fixes is being released to ensure that systems are fully protected against the reintroduction of the vulnerable control, which happens when older versions of the software are used. A new MSN Chat control, updated patch, updated version of MSN Messenger and an updated version of Exchange Instant Messenger have been made available.

Customers who applied any of the May fixes, though, are being encouraged by Microsoft to consider applying the updated fixes.

The entire security bulletin, which includes access to the new patches, can be found here.

The flaw lets malicious hackers effectively take control of a user's system -- a situation Microsoft says is "high" in severity. A user would have MSN Chat on her computer from either a direct download of the program from an MSN Chat site, or through inclusion with Microsoft's MSN Messenger and Exchange Instant Messenger.

The susceptibility comes from an unchecked buffer in the code that handles the input of a parameter in the MSN Chat control. By invoking this parameter in a specific manner, an attacker could overflow the buffer and gain the ability to run code in the user's security context.

Since the MSN Chat control runs in the security context of the user, the program would be able to take any actions that the legitimate user was capable of taking, including the adding or deleting of data or configuration information.

The buffer overflow can be initiated via e-mail, a Web page, or any other method where Internet Explorer is used to display HTML. If an attacker successfully enticed the user to visit his site, the control would be invoked once the Web page had loaded. If the page is sent as an HTML-based e-mail, the control would be invoked when the page renders either by opening the mail or through a preview pane.

Microsoft is quick to point out that the vulnerability does not affect IM technologies. MSN Chat is different from MSN Messenger, Windows Messenger or Exchange Instant Messenger in that those technologies are peer-to-peer messaging products and allow users to talk directly with each other. MSN Chat, meantime, is an ActiveX control that allows groups of users to gather in a single, virtual location online to engage in text messaging. While users of IM technologies log on to a directory server to announce their availability, there are no "rooms" as in MSN Chat and users exchange messages directly with one another.

Also today, Microsoft issued a workaround bulletin for an Internet Explorer Web browser security flaw found last week by Finnish computer-security company Online Solutions Oy.

According to the firm, IE is vulnerable to attack through its built-in gopher client (define). The attacker could exploit a buffer overflow bug to run arbitrary code on various IE versions, including 5.5 and 6.0. A malicious hacker could use the fault to take control of a user's computer.

Any attack could be launched via a Web page or an HTML mail message that would redirect a user to a malicious gopher server. At that point, according to the Online Solutions Oy's advisory, "the exploiter could do anything that a regular user could do on the system: retrieve, install, or remove files, upload and run programs, etc."

Patches for the flaw are under development and will be posted as soon as they are completed, Microsoft said. The specific workaround can be found in the "frequently asked questions" section of the workaround bulletin.

Bob Woods is the managing editor of InstantMessagingPlanet.