Vulnerability puts users at risk of arbitrary code execution
vnunet.com, 29 Aug 2007
A newly reported vulnerability could put the security of MSN Messenger users at risk.
The flaw lies in MSN Messenger's video chat component and could allow an attacker to remotely execute code on a user's system. The vulnerability does not affect the latest version of the application, now known as Windows Live Messenger 8.1.
An attacker could exploit the flaw by injecting specially-crafted code into a video chat invitation.
On accepting the invitation, the user would experience a buffer overflow, which could in turn cause an application crash and allow the attacker to execute malicious code.
Discovery of the vulnerability is credited to a researcher known as 'Wushi'.
Security firm Secunia rated the vulnerability as 'highly critical', the second highest of its five alert levels.
A Microsoft spokesperson said that the company is investigating the flaw. Microsoft and Secunia recommend that users upgrade to Windows Live Messenger 8.1.
Secunia also recommended that users who have not upgraded should avoid unsolicited video chat invites.
A similar flaw was reported two weeks ago in Yahoo Messenger which could allow an attacker to execute malicious code through a specially crafted chat invite.
Remote access - Three steps to getting connected
3.4 million UK professionals now work from home – is your company equipped?
Cost benefits of a global collaboration network
This white paper is a must read for organisations looking for evidence of the bottom-line benefits of high-definition video and voice communications
Keep up to date with the latest products, services and technologies from the world's leading IT companies; IThound.com brings you over 6,000 white papers, case studies and analyst reports.
We chat to Mike Maddison, UK head of Security, Privacy...
Update designed to give mobile users a richer, more personalised...
More thoughts on how servers can help manage overload
Do you agree?
Have your say on this article