WelcomeEnterpriseSmall BusinessHome & Home OfficePartnersAbout Symantec

MSN Chat Control buffer overflow allows remote code execution

Risk
High

Date Discovered
05-08-2002

Description
The Microsoft MSN Chat Control input paramenter handling functionality contains an unchecked buffer that can allow remote code execution.

The MSN Chat Control is an ActiveX control that adds real-time chat functionality to Microsoft's Messenger applications.

A buffer overflow condition exists in one of the functions in Chat Control that handles input. Due to a lack of proper parameter checking, a remote attacker may be able to exploit this buffer overflow to run arbitrary code on the targeted system with user-level privileges.

The following factors mitigate this vulnerability:

  • MSN Chat Control, MSN Messenger, or Microsoft Exchange Instant Messager must be installed on the system for the system to be affected by this vulnerability.
  • Neither Windows nor Internet Explorer contain MSN Chat Control by default. It must be downloaded and installed on a user's system.
  • MSN Messenger does come with Windows XP; however, users would only be vulnerable if they choose to install the MSN Chat Control, which does not ship by default.
  • Exploiting this vulnerability through an HTML email attack is effectively blocked by Outlook 98 and Outlook 2000 with the Outlook Express Security Update applied, Outlook 2002, and Outlook Express 6.0. These products all open HTML email in the Restricted Sites zone, which does not allow scripting of ActiveX controls.

Platforms Affected
Windows

Components Affected
Microsoft MSN Chat Control
Microsoft MSN Instant Messenger Service 4.5 and 4.6
Microsoft Exchange Instant Messenger 4.5 and 4.6

Recommendations
MSN Chat Control Upgrade

Download the latest version of MSN Chat Control.

MSN Instant Messenger update

Download the latest version of MSN Instant Messenger.

Microsoft Exchange Instant Messenger update

Download the latest version of Microsoft Exchange Instant Messenger.

MSN Chat Control Buffer Overflow Security Fix

This hotfix patches the buffer overflow vulnerability in the MSN Chat Control input pramenter functionality.

Best Practice - Regulate Employee use of public Instant Messaging Systems

Instant Messaging (IM) software, such as AOL Instant Messenger, Yahoo!, ICQ, and MSN Messenger, lets users communicate in real time via the Internet. Some IM applications have features that allow file transfers. Some are beginning to offer additional features such as voice chat and video. IM is quick, easy, and dangerous.

Like regular Internet email, Instant Messages generally travel over the Internet in clear text format. Nothing is encrypted. When a message is sent, an Internet eavesdropper can capture it. If the intended recipient is not online, IM services can save the message on a central server for delivery when the recipient logs on again. Sensitive information that is shared via IM is completely open to outside eavesdropping.

If IM is to be used in the company, choose an IM that offers security (such as 128-bit encryption) to protect sensitive information.

References
Source: Microsoft TechNet
URL: http://www.microsoft.com/technet/security/bulletin/MS02-022.asp

Source: CVE Candidate CAN-2002-0155
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0155

Source: eEye Digital Security Advisory AD20020508
URL: http://www.eeye.com/html/Research/Advisories/AD20020508.html

Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Site Map · Legal Notices · Privacy Policy · · Contact Us · Global Sites · License Agreements
©1995 - 2009 Symantec Corporation