MSN Instant Messenger Vulnerability        [ PDF ]
By Seyha Phul

Instant messaging is a great way for friends and family to communicate in real-time over the internet. It's also a great way for malicious hackers to get control of your computer system, thanks to a vulnerability found in the MSN Chat control.

Microsoft's instant messaging services has a critical vulnerability that can easily be exploited through an e-mail, webpage, or through any other means by which an attacker is able to supply HTML to an Internet Explorer client.

The vulnerability was discovered by Drew Copley, a quality assurance professional at Eeye. Through further investigation, it became apparent that the control contains a buffer-overflow vulnerability. According to Marc Maiffret, Eeye's chief hacking officer, "The attack doesn't happen through the chat client, as long as you have MSN Messenger installed. If I send you a special URL, I can own you."

Fear not this vulnerability. You now have everything you need to protect yourself: knowledge. Now that you know, you can begin to solve the problem. First, ask yourself if this service is necessary. If not, simply remove it from all machines. If it is necessary, you can upgrade to the new version of MSN Messenger. You can get more information and the necessary upgrade patch from Microsoft's security bulletin. After upgrading, the version number of the software should be "4.6.0079". If you are using the Web-based MSN Chat control, the version number should be "2.3.204.3001."