Danger for users of MSN Messenger
After a 0-day bug in Yahoo Messenger two weeks ago, this time the target is Microsoft's MSN Messenger. According to security service provider Secunia, a malformed video data stream can trigger a buffer overflow in Microsoft’s Messenger, which leads to the execution of arbitrary injected code. To exploit this vulnerability, the potential victim must accept an invitation to participate in a webcam session.
A demo program that exploits this bug has been made available on a Chinese web site. Secunia rates this issue as "highly critical" and warns that it affects versions 6.x and 7.x of MSN Messenger. So far, there is neither a confirmation nor an update from Microsoft. Users of the software are advised to update quickly to the current version 8.1 of the program, which has been renamed Windows Live Messenger. If they use older versions, users should not accept any invitations to webcam sessions.
- MSN messenger 7.x (8.0?)VIDEO remote heap overflow, posting on team509.com (Chinese)
- MSN Messenger Video Conversation Buffer Overflow Vulnerability, security advisory by Secunia
- Update for Yahoo Messenger, heise Security news of August 24, 2007