|
The problem stems from a flaw in an ActiveX control, called MSN Chat, which is included with MSN Messenger since version 4.5 and Exchange Instant Messenger, writes John Leyden.
MSN Chat allows groups of users to gather in a single, virtual location on-line to engage in text messaging.
Researchers at eEye Digital Security have discovered that an unchecked buffer exists in one of the functions that handles input parameters in the MSN Chat control. Because of this, users enticed to open a maliciously crafted HTML mail or visit a maliciously constructed Web site could potentially fall victim to an attack.
In mitigation, Microsoft says that Outlook Express 6.0 and the Outlook E-mail Security Update and can thwart such attacks through their default security settings. It also points out that the version of Windows Messenger which ships with Windows XP does not include the MSN Chat control.
This still leaves a vast number of people vulnerable (Outlook E-mail Security Update take-up is worryingly low) so it is not without good reason that Microsoft defines the update as "critical." The vulnerability is ripe for exploitation and of a type that means it is likely to hang around for some time before people wake up to the problem.
Buffer overflows are a common class of security vulnerability, associated with sloppy programming, which allow arbitrary and potentially malicious code to be injected into a system through a carefully crafted, malformed data entry.
Generally, this spurious input is much longer than a program expects, causing code to overflow the buffer, crash a process and enter parts of a system where it may be subsequently executed.
More information and patch for the vulnerability can be found on the Microsoft Web site.
The Register and its contents are copyright 2002 Situation Publishing. Reprinted with permission.
|
