Tuesday, February 08, 2005

Core Security Technologies Announces Vulnerability in Microsoft’s MSN Messenger

"Core Security Technologies, provider of CORE IMPACT, the first-to-market penetration testing product for assessing specific information security risks, today published a vulnerability in Microsoft’s MSN Messenger, an instant messaging program currently used by over 130 million people worldwide. Core researchers discovered that by selecting a specially-crafted graphic as the user’s display picture in MSN Messenger, an attacker could trigger a buffer overflow vulnerability on the chat partner’s computer and surreptitiously take over machines running instant messaging software. The attack would travel through the established chat session and would pass unnoticed by firewalls, network intrusion detection systems and even host-based personal firewalls and antivirus software. According to the vendor, Windows Messenger and Windows Media Player are also affected by this vulnerability.

Microsoft estimates the number of MSN Messenger users to be around 130 million worldwide (http://www.microsoft.com/presspass/press/2004/jul04/07-08FlirtingPR.asp). Systems running vulnerable MSN Messenger clients on Windows XP with Service Pack 2 installed are also exploitable. The vulnerability is exploitable in MSN Messenger client software up to version 6, including binary files compiled with the Visual Studio GS stack overflow protection mechanism. MSN Messenger 7 (beta) clients are not vulnerable. Exploitation of the vulnerability can be carried out through the same communications channel used by legitimate users for normal chat sessions; therefore it is very difficult to differentiate attacks from normal traffic. A similar vulnerability in the open source libPNG image-processing library was discovered by Chris Evans and fixed in August 2004."
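The press release describes the general failure mode (a malformed image whose declared sizes exceed what the parser's fixed buffers can hold) without publishing details of the Messenger bug itself. The following is an added, defender-side example written for this post; it is not code from Core Security, Microsoft or libpng, and it makes no assumption about the actual Messenger flaw. It walks the chunk structure of a PNG file and rejects any chunk whose declared length is impossible under the PNG specification before the bytes ever reach a decoder. The tRNS bound is the check that one of the libpng fixes from August 2004 added; the sample images and the `build_sample`/`check_sample` helpers are constructed here for illustration, and CRCs are deliberately not verified.

```c
/* Added example: a pre-decode sanity check for PNG chunk lengths.
 * Not code from the original article or from any of the vendors it names.
 * The sample byte strings built by build_sample() are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PNG_MAX_CHUNK 0x7FFFFFFFu   /* PNG spec: chunk length must be below 2^31 */

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

enum { PNG_OK = 0, PNG_BAD_SIG = -1, PNG_TRUNCATED = -2,
       PNG_OVERSIZED = -3, PNG_BAD_IHDR = -4, PNG_BAD_TRNS = -5 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns PNG_OK when every chunk length is plausible, otherwise the
 * code of the first check that failed. Only lengths are examined; CRCs
 * and pixel data are left to a real decoder. */
int png_check_chunks(const uint8_t *buf, size_t len) {
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return PNG_BAD_SIG;
    size_t pos = 8;
    int color_type = -1;                       /* unknown until IHDR is seen */
    while (pos < len) {
        if (len - pos < 12) return PNG_TRUNCATED;     /* length + type + crc */
        uint32_t clen = be32(buf + pos);
        const uint8_t *type = buf + pos + 4;
        const uint8_t *data = buf + pos + 8;
        if (clen > PNG_MAX_CHUNK) return PNG_OVERSIZED;
        if (clen > len - pos - 12) return PNG_TRUNCATED; /* data runs past buffer */
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return PNG_BAD_IHDR;       /* IHDR is always 13 bytes */
            color_type = data[9];                      /* width(4) height(4) depth(1) type(1) */
        } else if (memcmp(type, "tRNS", 4) == 0) {
            /* The spec bounds tRNS by colour type; an unchecked tRNS length
             * was one of the libpng defects fixed in August 2004. */
            uint32_t max;
            switch (color_type) {
            case 0:  max = 2;   break;   /* greyscale: one 16-bit sample */
            case 2:  max = 6;   break;   /* truecolour: three 16-bit samples */
            case 3:  max = 256; break;   /* palette: one byte per palette entry */
            default: return PNG_BAD_TRNS; /* tRNS forbidden for alpha types, or IHDR missing */
            }
            if (clen > max) return PNG_BAD_TRNS;
        }
        pos += 12 + (size_t)clen;
        if (memcmp(type, "IEND", 4) == 0) break;
    }
    return PNG_OK;
}

/* Helper for the constructed samples: write one chunk with a zero CRC. */
static size_t put_chunk(uint8_t *out, const char *type, const uint8_t *data, uint32_t n) {
    out[0] = (uint8_t)(n >> 24); out[1] = (uint8_t)(n >> 16);
    out[2] = (uint8_t)(n >> 8);  out[3] = (uint8_t)n;
    memcpy(out + 4, type, 4);
    if (n) memcpy(out + 8, data, n);
    memset(out + 8 + n, 0, 4);                 /* CRC placeholder, not verified above */
    return 12 + n;
}

/* Constructed sample: a 1x1 8-bit palette image with a tRNS chunk of
 * trns_len bytes. Up to 256 is legal; anything larger is what a crafted
 * picture would declare. Caller's buffer must hold ~1.1 KB. */
size_t build_sample(uint8_t *out, uint32_t trns_len) {
    uint8_t ihdr[13] = {0,0,0,1, 0,0,0,1, 8, 3, 0,0,0};  /* 1x1, depth 8, palette */
    uint8_t trns[1024] = {0};
    size_t pos = 8;
    memcpy(out, PNG_SIG, 8);
    pos += put_chunk(out + pos, "IHDR", ihdr, 13);
    pos += put_chunk(out + pos, "tRNS", trns, trns_len);
    pos += put_chunk(out + pos, "IEND", NULL, 0);
    return pos;
}

/* Build a sample with the given tRNS length and run the checker on it. */
int check_sample(uint32_t trns_len) {
    uint8_t buf[2048];
    size_t n = build_sample(buf, trns_len);
    return png_check_chunks(buf, n);
}

int main(void) {
    printf("tRNS of 3 bytes    -> %d (0 = accepted)\n", check_sample(3));
    printf("tRNS of 1024 bytes -> %d (-5 = rejected as oversized tRNS)\n", check_sample(1024));
    return 0;
}
```

The point of running this before the decoder is that the declared length in the chunk header is attacker-controlled, and the spec already gives a hard upper bound for several chunk types; a decoder that copies `clen` bytes into a fixed-size buffer without consulting that bound is exactly the pattern the release describes. A real deployment would also verify CRCs and bound PLTE, IDAT totals and the IHDR dimensions.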
