Alert: Microsoft Security Bulletin - MS02-041
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 06/24/02
- Previous message: Lucas, Mark J.: "VPN and Q318138"
- Next in thread: Russ: "Re: Alert: Microsoft Security Bulletin - MS02-041"
- Reply: Russ: "Re: Alert: Microsoft Security Bulletin - MS02-041"
Date: Mon, 24 Jun 2002 12:11:18 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
http://www.microsoft.com/technet/security/bulletin/MS02-041.asp
Unchecked Buffer in MSN Chat Control Can Lead to Code Execution (Q321661)
Originally posted: May 08, 2002
Updated: June 11, 2002
Summary
Who should read this bulletin: All customers using the Microsoft® MSN Chat control, which is available for direct download and ships with MSN Messenger and Exchange Instant Messenger.
Impact of vulnerability: Run Code of Attacker's Choice
Maximum Severity Rating: Critical
Recommendation: Customers who did not install the updates when they were originally released should install the upgraded updates immediately; customers who installed the original updates should consider installing the upgraded updates.
Affected Software:
- Microsoft MSN Chat Control
- Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control
- Microsoft Exchange Instant Messenger 4.5 and 4.6, which includes the MSN Chat control
Technical description:
On May 8, 2002, Microsoft released the original version of this bulletin. On June 11, 2002, the bulletin was updated to announce that while the fixes issued on May 8, 2002 resolved the vulnerability, they did not protect in all cases against the reintroduction of the vulnerable control. As a result, a new set of fixes is being released to ensure that systems are fully protected against the reintroduction of the vulnerable control. A new MSN Chat control, updated patch, updated version of MSN Messenger and an updated version of Exchange Instant Messenger have been made available. Customers who have applied any of the fixes released on May 8, 2002 are encouraged to consider applying the updated fixes.
The MSN Chat control is an ActiveX control that allows groups of users to gather in a single, virtual location online to engage in text messaging. The control is offered for download as a single ActiveX control from a number of MSN sites. In addition, it is included with MSN Messenger since version 4.5 and Exchange Instant Messenger. While the MSN Chat control is included with these products, it is not used to provide Instant Messaging functionality, but rather to add chat functionality to those products.
An unchecked buffer exists in one of the functions that handles input parameters in the MSN Chat control. A security vulnerability results because it is possible for a malicious user to levy a buffer overrun attack and attempt to exploit this flaw. A successful attack could allow code to run in the user's context.
It would be possible for an attacker to attempt to exploit this vulnerability either through a malicious web site or through HTML email. However, Outlook Express 6.0, Outlook 2002, and the Outlook Email Security Update, which is available for Outlook 98 and Outlook 2000, can thwart such attempts through their default security settings.
Mitigating factors:
- A successful attack would require that the user have installed the MSN Chat control, MSN Messenger, or Exchange Instant Messenger.
- The MSN Chat control does not install with any version of Windows or Internet Explorer by default.
- Windows Messenger, which ships with Windows XP, does not include the MSN Chat control. Windows XP users would be vulnerable only if they have chosen to install the MSN Chat control from MSN sites.
- The HTML email attack vector is blocked by the following Microsoft mail products: Outlook 98 and Outlook 2000 with the Outlook Email Security Update, Outlook 2002, and Outlook Express. This is because these products all open HTML email in the Restricted Sites zone by default.
Vulnerability identifier: CAN-2002-0155
This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor