A vulnerability in Microsoft’s Chat Control program can affect several popular messaging-related titles from the software giant, including the MSN Messenger and Exchange Instant Messenger IM programs. A malicious hacker taking advantage of the weakness can effectively take control of a user’s system — a situation Microsoft says is “high” in severity.
It mainly affects users of Microsoft MSN Messenger 4.5 and 4.6, which include the MSN Chat control, and Microsoft Exchange Instant Messenger 4.5 and 4.6, which also include the MSN Chat control. Individual MSN Chat users are also affected.
A user would have MSN Chat on her computer from either a direct download of the program from an MSN Chat site, or through inclusion with Microsoft’s MSN Messenger and Exchange Instant Messenger.
The susceptibility comes from an unchecked buffer in the code that handles the input of a parameter in the MSN Chat control. By invoking this parameter in a specific manner, an attacker could overflow the buffer and gain the ability to run code in the user’s security context.
Attackers using this weakness can successfully run a program on a system that has the control installed. Since the MSN Chat control runs in the security context of the user, the program would be able to take any actions that the legitimate user is capable of taking, including adding or deleting data or configuration information.
The buffer overflow can be initiated via e-mail, a Web page, or any other method where Internet Explorer is used to display HTML. If an attacker successfully enticed the user to visit his site, the control would be invoked once the Web page had loaded. If the page is sent as an HTML-based e-mail, the control would be invoked when the page renders either by opening the mail or through a preview pane.
Fortunately, the fixes are pretty simple. Those people using MSN Chat should upgrade their software by visiting an MSN Chat site. For this fix to start, a user must enter a chat room and accept for download the updated Chat control. MSN Messenger and Exchange Instant Messenger users should upgrade to the latest version of those software titles.
The Chat Control component does not ship by default with any version of Windows or IE. Those who are using Microsoft’s latest mail products, Outlook 2002 and Outlook Express 6.0, are protected by default against HTML email-borne attacks. Outlook 98 and Outlook 2000 users who have also implemented the Outlook E-Mail Security Update are also protected from this kind of attack.
Because any code run by a malicious hacker would appear as if it is coming from a user and not from the operating system, any security limitations on the user’s account would also be applicable to any code run by successfully exploiting this vulnerability. For companies where user accounts are restricted, like in an enterprise environment, any action an attacker’s code could take would be limited by these restrictions.
Microsoft is quick to point out that the vulnerability does not affect IM technologies. MSN Chat is different from MSN Messenger, Windows Messenger or Exchange Instant Messenger in that those technologies are peer-to-peer messaging products and allow users to talk directly with each other. MSN Chat, meantime, is an ActiveX control that allows groups of users to gather in a single, virtual location online to engage in text messaging. While users of IM technologies log on to a directory server to announce their availability, there are no “rooms” as in MSN Chat and users exchange messages directly with one another.
The vulnerability in question only affects the MSN Chat control and not MSN Messenger or Exchange Instant Messenger, the software giant added.
But eEye Digital Security says that all Internet Explorer users are potentially affected because the ActiveX can be called from the codebase tag, which would prompt the user to install the ActiveX with Microsoft’s credentials because the OCX is signed by Microsoft. Users that have not installed Microsoft Messenger or that have not upgraded Microsoft Messenger can only be affected if they accept the pop-up “Install Now” signed by Microsoft.
Microsoft acknowledged this point, but it pointed out that a malicious hacker “would have to entice the user to visit their Web site and convince the user to accept and install the control when offered. Since the chat control is meant to be used in conjunction with chat sites, it would be worth questioning the trustworthiness of any site that unexpectedly offered a chat control for download. The best action would be to refuse the download offered.”
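As an added illustration (not code from Microsoft, eEye or the original article), a mail gateway or proxy can flag HTML that embeds an ActiveX control with a codebase install offer or an unusually long parameter value, the two delivery details described above. The CLSID, host and parameter name are constructed placeholders, and the 256-character threshold is an assumption, since the article gives no buffer size.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_PARAM_LEN = 256  # assumed review threshold; the article gives no buffer size


class ActiveXFinder(HTMLParser):
    """Record every <object> that names an ActiveX control by CLSID."""
    def __init__(self):
        super().__init__()
        self.objects = []
        self._open = None  # the <object> whose <param> children are being read

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        attr = {name: (value or "").strip() for name, value in attrs}
        if tag == "object" and attr.get("classid", "").lower().startswith("clsid:"):
            self._open = {"clsid": attr["classid"][6:].upper(), "params": {},
                          "host": urlparse(attr.get("codebase", "")).hostname}
            self.objects.append(self._open)
        elif tag == "param" and self._open is not None:
            self._open["params"][attr.get("name", "")] = len(attr.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "object":
            self._open = None


def scan_html(html, trusted_hosts=frozenset()):
    """Return (clsid, reason) pairs worth quarantining or reviewing."""
    finder = ActiveXFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for obj in finder.objects:
        if obj["host"] and obj["host"] not in trusted_hosts:
            findings.append((obj["clsid"], f"codebase offers install from {obj['host']}"))
        for name, length in obj["params"].items():
            if length > MAX_PARAM_LEN:
                findings.append((obj["clsid"], f"param {name!r} is {length} chars"))
    return findings


# Constructed sample: placeholder CLSID, host and parameter name.
SAMPLE = ('<OBJECT classid="clsid:00000000-0000-0000-0000-000000000000" '
          'codebase="http://chat.example.invalid/control.cab">'
          '<PARAM name="ExampleParam" value="' + "A" * 1000 + '"></OBJECT>')

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

Passing the hosts an organisation actually expects controls from as `trusted_hosts` suppresses the codebase finding for them while still reporting oversized parameters.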
Bob Woods is the managing editor of InstantMessagingPlanet.