Enjoy unlimited access to all forum features for FREE! Optional upgrade available for extra perks.

for ppl who use msn

Status
Not open for further replies.

stevey

DNF Regular
Legacy Exclusive Member
Joined
Aug 23, 2004
Messages
679
Reaction score
0
for ppl who use msn

BOSTON, MA: FEBRUARY 8, 2005 – Core Security Technologies, provider of CORE IMPACT, the first-to-market penetration testing product for assessing specific information security risks, today published a vulnerability in Microsoft’s MSN Messenger, an instant messaging program currently used by over 130 million people worldwide. Core researchers discovered that by selecting a specially-crafted graphic as the user’s display picture in MSN Messenger, an attacker could trigger a buffer overflow vulnerability on the chat partner’s computer and surreptitiously take over machines running instant messaging software. The attack would travel through the established chat session and would pass unnoticed by firewalls, network intrusion detection systems and even host-based personal firewalls and antivirus software. According to the vendor, Windows Messenger and Windows Media Player are also affected by this vulnerability.
“This is a critical security flaw since it directly affects more than 130 million users and because the attack is very likely to go unnoticed by the several layers of security countermeasures commonly used today,” said Ivan Arce, CTO at Core Security Technologies. “Since initially reporting the flaw, we have been working closely with the vendor and we are pleased to see that a fix is now available.”

Vulnerability Specifics: The MSN Messenger protocol allows for the transmission of images between users during electronic conversations. The image format used to transfer those images is called Proprietary Network Graphics (PNG). When a user selects a picture to be displayed, Messenger converts it to the PNG format, with a fixed size and encoding characteristics. These images are then transmitted over the same communication channel used to exchange text messages. By sending a specially crafted PNG image, an attacker can trigger a buffer overflow and execute arbitrary code on the chat partner’s machine.

Other Vulnerability Related Facts:

Microsoft estimates the number of MSN Messenger users to be around 130 million worldwide (http://www.microsoft.com/presspass/press/2004/jul04/07-08FlirtingPR.asp).
Systems running vulnerable MSN Messenger clients on Windows XP with Service Pack 2 installed are also exploitable.
The vulnerability is exploitable in MSN Messenger client software up to version 6 including binary files compiled with the Visual Studio GS stack overflow protection mechanism. MSN Messenger 7 (beta) clients are not vulnerable.
Exploitation of the vulnerability can be carried out though the same communications channel used by legitimate users for normal chat sessions, therefore it is very difficult to differentiate attacks from normal traffic.
A similar vulnerability in the open source libPNG image-processing library was discovered by Chris Evans and fixed in August 2004.

Microsoft denies this security flaw has anything to do with the MSNM network being down.
 
Dynadot - Expired Domain Auctions

Dark_One

Level 4
Legacy Gold Member
Joined
Nov 30, 2004
Messages
119
Reaction score
0
Thanks for telling us about that :)
 

Mr Webname

Oldbie
Legacy Exclusive Member
Joined
Jan 29, 2003
Messages
3,743
Reaction score
0
New msn was made available couple of days ago - wonder if this was a fix?
 

daddypi

Level 8
Legacy Platinum Member
Joined
Jun 30, 2004
Messages
2,340
Reaction score
0
Luckily I only chat with people I know and trust.
 
Status
Not open for further replies.

Who has viewed this thread (Total: 1) View details

Who has watched this thread (Total: 5) View details

The Rule #1

Do not insult any other member. Be polite and do business. Thank you!

Members Online

Sedo - it.com Premiums

IT.com

Premium Members

MariaBuy

Upcoming events

Our Mods' Businesses

UrlPick.com

*the exceptional businesses of our esteemed moderators

Top Bottom