Alert: Microsoft Security Bulletin MS04-010 - Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 03/10/04

    Date:         Tue, 9 Mar 2004 20:08:57 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Microsoft Security Bulletin MS04-010:
    Vulnerability in MSN Messenger Could Allow Information Disclosure
    (838512)

    Bulletin URL:
    http://www.microsoft.com/technet/security/bulletin/MS04-010.mspx

    Summary:
     Version Number: V1.0
     Revision Date: 03-09-2004
     Impact of Vulnerability: Information Disclosure
     Maximum Severity Rating: Moderate
     Patch(es) Replaced: None
     Caveats: None
     CVE Number(s): CAN-2004-0122

    Tested Software:
     Affected Software:
     * Microsoft MSN Messenger 6.0
    <http://www.ntbugtraq.com/link/MS04-010-0.asp>
     * Microsoft MSN Messenger 6.1
    <http://www.ntbugtraq.com/link/MS04-010-1.asp>

     Software Not Affected:
     * Windows Messenger (All versions)

    Technical Description:

    A security vulnerability exists in Microsoft MSN Messenger. The
    vulnerability exists because of the method used by MSN Messenger to
    handle a file request. An attacker could exploit this vulnerability by
    sending a specially crafted request to a user running MSN Messenger. If
    exploited successfully, the attacker could view the contents of a file
    on the hard drive without the user's knowledge as long as the attacker
    knew the location of the file and the user had read access to the file.
    To exploit this vulnerability, an attacker would have to know the
    sign-on name of the MSN Messenger user in order to send the request.

    This email is sent to NTBugtraq automagically as a service to my
    subscribers. (v3)

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----

