, Newsbytes 2002-05-09
A security flaw in Microsoft's instant messaging services could enable remote attackers to take control of users' computers, the company warned today.
Microsoft has rated the vulnerability "critical" on client systems and advised customers using MSN Messenger and Exchange Instant Messenger to immediately upgrade to a new version released today.Customers who use Microsoft's multi-user, Web-based MSN Chat service are also advised by the company to download a new version of the program.
According to Eeye Digital Security, which reported the flaw to Microsoft, an ActiveX control used by the services contains a buffer-overflow vulnerability that can be exploited through a malicious e-mail message, Web page, "or through any other method where Internet Explorer is used to display HTML that an attacker supplies."
In an advisory today, Eeye warned that the flaw in the "MSN Chat OCX control" enables an attacker to "supply and execute code on any machine on which MSN Messenger with the ActiveX is installed."
As a result, even non-active Messenger users, or those who access the service using a third-party product such as Trillian, should upgrade to the new MSN Chat control.
"The attack doesn't happen through the chat client, so as long as you have MSN Messenger installed, if I send you a special URL, I can own you," said Marc Maiffret, Eeye's "chief hacking officer."
Eeye is not currently aware of any tools "in the wild" that target the vulnerability, but Maiffret said the flaw is "easy to exploit, so people will soon have them."
The MSN Chat control vulnerability, as well as a similar flaw in an ActiveX control used by Macromedia's Flash software, was discovered by Drew Copley, a quality assurance expert with Eeye.
After upgrading to the new version of MSN Messenger, the version number of the software should read "4.6.0079," Microsoft said. For customers using the Web-based MSN Chat control, the patched version number is version 2.3.204.3001
Microsoft's bulletin on the MSN Chat control bug is at http://www.microsoft.com/technet/security/bulletin/MS02-022.asp .
Eeye's advisory on the flaw is at http://www.eeye.com/html/Research/Advisories/AD20020508.html .
Reported by Newsbytes, http://www.newsbytes.com .