Windows Live Messenger stumbles over prepared contact lists
At first glance, it looked like a critical hole in Windows Live Messenger 8.0, but it turns out to be just a way of making the application crash. At least that is how Michele Cicciotti saw it in a reply on the Full Disclosure security mailing list, where an advisory on a critical hole in Live Messenger had been published.
It now seems that the problem is not a heap overflow, which would allow code to be injected and executed, but rather an unhandled exception that occurs when prepared contact lists (*.ctt) are read in. No memory is overwritten as a result; instead, the application merely raises an exception that leads to a crash.
The original report of the error in Messenger 8.0 was quite brief and merely linked to a proof-of-concept exploit entitled "Messenger 8.0 Heap Overflow". Although the exploit only causes a crash, the security database Securitytracker nevertheless maintains that the problem can be used for remote code execution. In contrast, Securityfocus agrees with Michele Cicciotti that the only result is that Live Messenger crashes.
Although the flaw can only be used for DoS attacks, it is a nuisance nonetheless. No patch has yet been provided. For now, users should import only trustworthy contact lists.
- Windows Live Messenger 8.0 ( Contact List *.ctt ) Heap Overflow, notification of the exploit at securitydot
- Analysis of the exploit by Michele Cicciotti
- Windows Live Messenger Contact List Heap Overflow, flaw description at Securitytracker
- Microsoft Windows Live Messenger Contact List Processing Remote Denial of Service Vulnerability, flaw description at Securityfocus
(ju)