CERT Advisory CA-2002-13 Buffer Overflow in Microsoft's MSN Chat ActiveX

From: CERT Advisory <cert-advisory@cert.org>
Date: Fri, 10 May 2002 16:32:08 -0400 (EDT)
To: cert-advisory@cert.org


CERT Advisory CA-2002-13 Buffer Overflow in Microsoft's MSN Chat ActiveX

   Original release date: May 10, 2002
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Microsoft Windows systems with one or more of the following:
     * Microsoft MSN Chat control
     * Microsoft MSN Messenger 4.6 and prior
     * Microsoft Exchange Instant Messenger 4.6 and prior


Overview

   Microsoft's MSN Chat is an ActiveX control for Microsoft Messenger, an
   instant messaging client. A buffer overflow exists in the ActiveX
   control that may permit a remote attacker to execute arbitrary code on
   the system with the privileges of the current user.

I. Description

   A buffer overflow exists in the "ResDLL" parameter of the MSN Chat
   ActiveX control that may permit a remote attacker to execute arbitrary
   code on the system with the privileges of the current user. This
   vulnerability affects MSN Messenger and Exchange Instant Messenger
   users. Since the control is signed by Microsoft, users of Microsoft's
   Internet Explorer (IE) who accept and install Microsoft-signed ActiveX
   controls are also affected. The Microsoft MSN Chat control is also
   available for direct download from the web.
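
   The following C fragment is an added illustration of the bug class
   described above and is not Microsoft's code or taken from the MSN Chat
   control: a string property (named "ResDLL" here, after the vulnerable
   parameter) is copied into a fixed-size buffer without a length check,
   next to a hardened setter that rejects values that do not fit. The
   buffer size RESDLL_MAX, the function names and the sample values are
   assumptions made for the example; the advisory does not state the real
   buffer size.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical capacity of the control's internal buffer; the real size
 * in the MSN Chat control is not stated in the advisory. */
#define RESDLL_MAX 64

/* Vulnerable pattern.  The value comes straight from the embedding page's
 * <param name="ResDLL" value="..."> and is copied with no bound, so a
 * value of RESDLL_MAX bytes or more writes past 'resdll' into whatever
 * follows it on the stack (saved registers, the return address). */
void set_resdll_unsafe(const char *value)
{
    char resdll[RESDLL_MAX];
    strcpy(resdll, value);              /* no length check */
    printf("loading resources from %s\n", resdll);
}

/* Hardened version: refuse anything that does not fit including the
 * terminating NUL, then copy exactly that many bytes.  Returns 0 on
 * success and -1 when the value is rejected. */
int set_resdll_safe(const char *value, char *out, size_t outsz)
{
    if (value == NULL || out == NULL || outsz == 0)
        return -1;
    size_t len = 0;
    while (len < outsz && value[len] != '\0')   /* bounded scan */
        len++;
    if (len >= outsz)                           /* no room for the NUL */
        return -1;
    memcpy(out, value, len);
    out[len] = '\0';
    return 0;
}

/* Reviewer's check: would the unbounded copy write past a buffer of the
 * given capacity?  strlen + 1 accounts for the terminator. */
bool would_overflow(const char *value, size_t capacity)
{
    return strlen(value) + 1 > capacity;
}

/* Runs the hardened setter on constructed inputs at and around the
 * boundary.  Returns 1 if it accepts a 63-byte value, rejects a 64-byte
 * and a 300-byte value, and leaves the accepted value intact. */
int check_safe_setter(void)
{
    char buf[RESDLL_MAX];
    char fits[RESDLL_MAX], too_long[RESDLL_MAX + 1], hostile[300];

    memset(fits, 'a', RESDLL_MAX - 1);        fits[RESDLL_MAX - 1] = '\0';   /* 63 bytes */
    memset(too_long, 'b', RESDLL_MAX);        too_long[RESDLL_MAX] = '\0';   /* 64 bytes */
    memset(hostile, 'A', sizeof hostile - 1); hostile[sizeof hostile - 1] = '\0';

    int ok = 1;
    ok &= set_resdll_safe(fits, buf, sizeof buf) == 0 && strcmp(buf, fits) == 0;
    ok &= set_resdll_safe(too_long, buf, sizeof buf) == -1;
    ok &= set_resdll_safe(hostile, buf, sizeof buf) == -1;
    ok &= would_overflow(fits, RESDLL_MAX) == false;
    ok &= would_overflow(too_long, RESDLL_MAX) == true;
    return ok;
}

int main(void)
{
    /* "chat.dll" is a constructed, benign value; the unsafe setter is only
     * ever called with it here, since an overlong value would corrupt the
     * stack of this very program. */
    set_resdll_unsafe("chat.dll");
    printf("hardened setter behaves correctly: %d\n", check_safe_setter());
    return 0;
}
```

   The point of the boundary cases is the off-by-one: a 63-byte value plus
   its terminator exactly fills a 64-byte buffer and is fine, while a
   64-byte value already overwrites one byte past the end. Any property a
   web page can set through <param> is attacker-controlled input and has
   to be bounded the same way.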

   The <object> tag could be used to embed the ActiveX control in a web
   page. If an attacker can trick the user into visiting a malicious site
   or the attacker sends the victim a web page as an HTML-formatted email
   or newsgroup posting then this vulnerability could be exploited. This
   acceptance and installation of the control can occur automatically
   within IE for users who trust Microsoft-signed ActiveX controls. When
   the web page is rendered, either by opening the page or viewing the
   page through a preview pane, the ActiveX control could be invoked.
   Likewise, if the ActiveX control is embedded in a Microsoft Office
   (Word, Excel, etc.) document, it may be executed when the document is

   According to Microsoft Security Bulletin MS02-022:

     It's important to note that this control is used for chat rooms on
     several MSN sites in addition to the main MSN Chat site. If you
     have successfully used chat on any MSN-site, you have downloaded
     and installed the chat control.

   The CERT/CC has published information on ActiveX in Results of the
   Security in ActiveX Workshop (pdf) and CA-2000-07.

   This issue is also being referenced as CAN-2002-0155.

II. Impact

   A remote attacker may be able to execute arbitrary code with the
   privileges of the current user.

III. Solution

   Apply a patch from your vendor

   Microsoft has released a patch, a fixed MSN Chat control, and upgrades
   to address this issue. It is important that all users apply the patch
   since it will prevent the installation of the vulnerable control on
   systems that have not already installed it.

     Download location for the patch:


     Download location for updated version of MSN Messenger with the
     corrected control:


     Download location for updated version of Exchange Instant Messenger
     with the corrected control:


   Microsoft also notes that the following mail products block
   exploitation of this vulnerability via email, because they open HTML
   email in the Restricted Sites zone: Outlook 98 and Outlook 2000 with
   the Outlook Email Security Update, Outlook 2002, and Outlook Express.

   Other mitigation strategies include opening web pages and email
   messages in the Restricted Sites zone and using email clients that
   permit users to view messages in plain text. Likewise, it is important
   for users to realize that a signature on a control only authenticates
   its publisher; it says nothing about whether the control is safe to
   run. Therefore, downloading and installing signed controls through an
   automated process is not a secure choice.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. As vendors report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular vendor is not listed below, please check the Vulnerability
   Note (VU#713779) or contact your vendor directly.
   The CERT/CC acknowledges the eEye Team for discovering and reporting
   on this vulnerability and thanks Microsoft for their technical

   Feedback can be directed to the author: Jason A. Rafail

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If you prefer to use DES, please call the CERT hotline for more

Getting security information

   CERT publications and other security information are available from
   our web site

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2002 Carnegie Mellon University.

   Revision History
May 10, 2002: Initial release
