Microsoft Corp.s two instant messaging clients are vulnerable to a buffer overrun attack that enables an attacker to execute arbitrary code on affected machines.
Microsoft, of Redmond, Wash., has released a patch for the problem, located at www.microsoft.com/technet/security/bulletin/ms02-022.asp.
MSN Messenger 4.5 and 4.6 and Exchange Instant Messenger 4.5 and 4.6 are all vulnerable to the attack, although the version of Windows Messenger that ships with Windows XP is not.
The problem lies in the MSN Chat control, which is an ActiveX control that ships with all three clients and is also available for download from several MSN sites. There is an unchecked buffer in one of the components that handles input parameters in the MSN Chat control, and an attacker could use this to launch a buffer overrun attack and run code in the context of the user.
In order to exploit the vulnerability, an attacker would either need to entice the user to open an HTML e-mail or visit a Web site containing the malicious code.
The Microsoft vulnerabilities come several days after a group of security researchers released an advisory warning of a flaw in America Onlines AOL Instant Messenger.
AIM has a major security vulnerability in all stable versions dating back to 4.2, according to an advisory released Monday by w00w00 Security Development.
The flaw is a buffer overrun in the code that handles requests to run an external application. This vulnerability will allow remote penetration of the victims system without any indication as to who performed the attack. There is no opportunity to refuse the request. The flaw doesnt affect the non-Windows versions of AIM because they dont yet support the feature that this vulnerability occurs in.
AOL has applied a fix for the vulnerability on its servers, w00w00 said.
W00w00 several months ago discovered a similar vulnerability in AIM that affected the game-playing feature.
- New Way to Nab Hackers
- Network Defenses Cant Foil Viruses
- Living with Worms, Viruses and Daily Security