Alert: Microsoft Security Bulletin - MS02-022

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 05/09/02

Date:         Wed, 8 May 2002 18:55:38 -0400
From: Russ <Russ.Cooper@RC.ON.CA>

Unchecked Buffer in MSN Chat Control Can Lead to Code Execution (Q321661)

Originally posted: May 8, 2002


Who should read this bulletin: All customers using the Microsoft® MSN Chat control, which is available for direct download and ships with MSN Messenger and Exchange Instant Messenger.

Impact of vulnerability: Run Code of Attacker's Choice

Maximum Severity Rating: Critical

Recommendation: Customers using MSN Chat should upgrade by visiting an MSN Chat site and downloading the new control. Customers using MSN Messenger and Exchange Instant Messenger should upgrade to the latest version.

Affected Software:
- Microsoft MSN Chat Control
- Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control
- Microsoft Exchange Instant Messenger 4.5 and 4.6, which includes the MSN Chat control

Technical description:

The MSN Chat control is an ActiveX control that allows groups of users to gather in a single, virtual location online to engage in text messaging. The control is offered for download as a single ActiveX control from a number of MSN sites. In addition, it has been included with MSN Messenger since version 4.5 and with Exchange Instant Messenger. While the MSN Chat control is included with these products, it is not used to provide Instant Messaging functionality, but rather to add chat functionality to those products.

An unchecked buffer exists in one of the functions that handles input parameters in the MSN Chat control. A security vulnerability results because a malicious user could mount a buffer overrun attack to exploit this flaw. A successful attack could allow code to run in the user's context.

An attacker could attempt to exploit this vulnerability either through a malicious web site or through HTML email. However, Outlook Express 6.0, Outlook 2002, and the Outlook Email Security Update (which is available for Outlook 98 and Outlook 2000) can thwart such attempts through their default security settings.

Mitigating factors:
- A successful attack would require that the user have installed the MSN Chat control, MSN Messenger, or Exchange Instant Messenger.
- The MSN Chat control does not install with any version of Windows or Internet Explorer by default.
- Windows Messenger, which ships with Windows XP, does not include the MSN Chat control. Windows XP users would be vulnerable only if they have chosen to install the MSN Chat control from MSN sites.
- The HTML email attack vector is blocked by the following Microsoft mail products: Outlook 98 and Outlook 2000 with the Outlook Email Security Update, Outlook 2002, and Outlook Express. This is because these products all open HTML email in the Restricted Sites zone by default.

Vulnerability identifier: CAN-2002-0155

This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor