Information Security News mailing list archives

MSN Messenger flaw allows hard-drive access


From: InfoSec News <isn () c4i org>
Date: Wed, 10 Mar 2004 07:18:14 -0600 (CST)

http://news.com.com/2100-1002_3-5171898.html

By Michael Kanellos 
Staff Writer, CNET News.com
March 9, 2004

Microsoft has revealed three new vulnerabilities in its software,
including the first to affect MSN Messenger 6.0, and is urging
customers to patch their systems now.

Two of the vulnerabilities are considered medium-level risks, while
the third presents a medium- to low-level risk, according to security
software specialist Symantec and others. Three separate patches to
repair the flaws--which affect different pieces of software--have been
released and are available for download. The identification of the
vulnerabilities came Wednesday as part of Microsoft's regular security
bulletin process.

Later, the software giant will also send notices about the Messenger
patch through MSN Messenger itself, said Stephen Toulouse, security
program manager for the Microsoft Security Response Center.

The vulnerability in MSN Messenger versions 6.0 and 6.1 could let an
attacker view the contents of a victim's hard drive during a chat
session with the victim.

Attackers "could view files through MSN Messenger on their computer,"  
Toulouse said. "They can do it, and you are not necessarily aware of
what they are doing."

Users who do not block anonymous callers are most vulnerable to the
exploit. If anonymous callers are blocked, the attacker has to be
identified on the victim's address list. To obtain particular
information, such as credit card numbers, attackers have to troll the
hard drive, said Toulouse.

Oliver Friedrichs, senior manager for Symantec's security response
team, said that victims don't actually have to be in conversation with
the attacker. As long as the user permits anonymous callers to send
messages, an attacker could come in and peruse Quicken files or other
identifiable files that could likely contain sensitive data. However,
most people block that function, so random attacks will likely be
rare, he said.

The second medium-level risk could allow a hacker to take over a
system by executing Internet Explorer code through a flaw in Outlook
2002.

A computer has to be configured in a particular manner, though, said
Toulouse. The user has to set "Outlook Today" as the Outlook home
page.

"If you go to Outlook through your in-box, you are protected," he
said.

The third flaw allows attackers to instigate a denial-of-service
attack against servers running Windows Media Services 4.1. The
vulnerability exists because of the way Windows Media Station Service
and Windows Media Monitor Service, components of Windows Media
Services, handle TCP/IP connections. If an attacker sent a particular
sequence of packets to a server running Media Services 4.1, it could
interrupt any video streams.



-
ISN is currently hosted by Attrition.org