Alert: Microsoft Security Bulletin - MS02-022

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 05/09/02


Date:         Wed, 8 May 2002 18:55:38 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

http://www.microsoft.com/technet/security/bulletin/MS02-022.asp

Unchecked Buffer in MSN Chat Control Can Lead to Code Execution (Q321661)

Originally posted: May 8, 2002

Summary

Who should read this bulletin: All customers using the Microsoft® MSN Chat control, which is available for direct download and ships with MSN Messenger and Exchange Instant Messenger.

Impact of vulnerability: Run Code of Attacker's Choice

Maximum Severity Rating: Critical

Recommendation: Customers using MSN Chat should upgrade by visiting an MSN Chat site and downloading the new control. Customers using MSN Messenger and Exchange Instant Messenger should upgrade to the latest version.

Affected Software:
- Microsoft MSN Chat Control
- Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control
- Microsoft Exchange Instant Messenger 4.5 and 4.6, which includes the MSN Chat control

Technical description:

The MSN Chat control is an ActiveX control that allows groups of users to gather in a single, virtual location online to engage in text messaging. The control is offered for download as a single ActiveX control from a number of MSN sites. In addition, it is included with MSN Messenger since version 4.5 and Exchange Instant Messenger. While the MSN Chat control is included with these products it is not used to provide Instant Messaging functionality, but rather to add chat functionality to those products.

An unchecked buffer exists in one of the functions that handles input parameters in the MSN Chat control. A security vulnerability results because it is possible for a malicious user to levy a buffer overrun attack and attempt to exploit this flaw. A successful attack could allow code to run in the user's context.

It would be possible for an attacker to attempt to exploit this vulnerability either through a malicious web site or through HTML email. However, Outlook Express 6.0 and the Outlook Email Security Update, which is available for Outlook 98 and Outlook 2000, Outlook 2002 and can thwart such attempts through their default security settings.

Mitigating factors:
- A successful attack would require that the user have installed the MSN Chat control, MSN Messenger, or Exchange Instant Messenger.
- The MSN Chat control does not install with any version of Windows or Internet Explorer by default.
- Windows Messenger which ships with Windows XP does not include the MSN Chat control. Windows XP users would be vulnerable only if they have chosen to install the MSN Chat control from MSN sites.
- The HTML email attack vector is blocked by the following Microsoft mail products: Outlook 98 and Outlook 2000 with the Outlook Email Security Update, Outlook 2002, and Outlook Express. This is because these products all open HTML email in the Restricted Sites zone by default.

Vulnerability identifier: CAN-2002-0155

This email is sent to NTBugtraq automatically as a service to my subscribers. Since its programmatically created, and since its been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor



Relevant Pages

  • [NT] Unchecked Buffer in MSN Chat Control Can Lead to Code Execution
    ... The MSN Chat control is an ActiveX control that allows groups of users to ... version 4.5 and Exchange Instant Messenger. ... vulnerability either through a malicious web site or through HTML email. ... chosen to install the MSN Chat control from MSN sites. ...
    (Securiteam)
  • Microsoft Security Bulletin MS02-022 v2.0
    ... Unchecked Buffer in MSN Chat Control Can Lead to Code ... version of Exchange Instant Messenger have been made available. ... A security vulnerability results because ... However, Outlook Express 6.0 and the Outlook Email Security Update, ...
    (microsoft.public.security)
  • Microsoft Security Bulletin MS02-022
    ... Unchecked Buffer in MSN Chat Control Can Lead to Code ... MSN Chat, MSN Messenger, Exchange Instant Messenger ... Microsoft encourages customers to review the Security Bulletin at: ... However, Outlook Express 6.0 and the Outlook Email Security Update, ...
    (microsoft.public.security)
  • Alert: Microsoft Security Bulletin - MS02-041
    ... All customers using the Microsoft® MSN Chat control, which is available for direct download and ships with MSN Messenger and Exchange Instant Messenger. ... Customers who did not install the updates when they were originally released should install the upgraded updates immediately; customers who installed the original updates should consider installing the upgraded updates. ... The MSN Chat control does not install with any version of Windows or Internet Explorer by default. ...
    (NT-Bugtraq)
  • Re: Microsoft Security Bulletin MS02-022
    ... Unchecked Buffer in MSN Chat Control Can Lead to Code ... > Microsoft encourages customers to review the Security Bulletin at: ... > and Exchange Instant Messenger. ... A security vulnerability results ...
    (microsoft.public.security)