In association with heise online

28 June 2006, 15:34

Windows Live Messenger stumbles over prepared contact lists

At first glance, it looked like a critical hole in Windows Live Messenger 8.0, but it turns out to be just a way of making the application crash. At least that's the way Michele Cicciotti saw it in a reply to the Full Disclosure security mailing list, which published an advisory on a critical hole in Live Messenger.

It now seems that a heap overflow - which allows code to be injected and executed - is not the problem, but rather an unhandled exception that occurs when prepared contact lists (*.ctt) are read in. No memory is overwritten as a result; instead, the application only raises an exception that leads to a crash.

The original report of the error in Messenger 8.0 was quite brief to begin with and only linked to a proof-of-concept exploit entitled "Messenger 8.0 Heap Overflow". While the exploit only causes a crash, security database Securitytracker nevertheless maintains that the problem can be used for remote code execution. In contrast, Securityfocus agrees with Michele Cicciotti that the only result is that Live Messenger crashes.

Although the flaw can only be used for DoS attacks, it is a nuisance nonetheless. No patch has yet been provided. For now, users should only import trustworthy contact lists.
