Follow:

Exploit:Win/IE.MSN.RCE!CAN-2002-0155

Severity rating
Critical

Class/Type
Vulnerability

Discovered date
2009-07-29T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
Yes

Signature detection
Medium



On this page




Description

The MSN Chat control is an ActiveX control that allows groups of users to gather in a single, virtual location online to engage in text messaging. The control is offered for download as a single ActiveX control from a number of MSN sites. In addition, it is included with MSN Messenger since version 4.5 and Exchange Instant Messenger. While the MSN Chat control is included with these products it is not used to provide Instant Messaging functionality, but rather to add chat functionality to those products. An unchecked buffer exists in one of the functions that handles input parameters in the MSN Chat control. A security vulnerability results because it is possible for a malicious user to levy a buffer overrun attack and attempt to exploit this flaw. A successful attack could allow code to run in the user's context. It would be possible for an attacker to attempt to exploit this vulnerability either through a malicious web site or through HTML email. However, Outlook Express 6.0 and the Outlook Email Security Update, which is available for Outlook 98 and Outlook 2000, Outlook 2002 and can thwart such attempts through their default security settings.



Impact

An attacker who exploited this vulnerability successfully could run a program on a system that had the control installed. Since the MSN Chat control runs in the security context of the user, the program would be able to take any actions that the legitimate user was capable of taking, including adding or deleting data or configuration information. On the other hand, this also means that any limitations placed on the user's account would apply to the attacker's code as well. For example, if an enterprise administrator had implemented policies such that the user could not change their IE security setting, the attacker's code would also be prevented from changing those settings.



Technical details (analysis)

The MSN Chat control is an ActiveX control that is used on a variety of MSN sites, including the MSN Chat site. In essence, the control is a self-contained chat programThe vulnerability results because of an unchecked buffer in the code that handles the input of a parameter in the MSN Chat control. By invoking this parameter in a particular manner, an attacker could overflow the buffer and gain the ability to run code in the user's security context.



Affected software

Microsoft MSN Chat Control
Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control
Microsoft Exchange Instant Messenger 4.5 and 4.6, which includes the MSN Chat control



Non-affected software

All applications not on the affected list.



References




Solutions




NIS signature

Name: Exploit:Win/IE.MSN.RCE!CAN-2002-0155
Release Date: 2009-07-29T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

Users can download an updated version of the MSN Chat control from the MSN Chat sites, Users can install an updated version of MSN Messenger, Users can install an updated version of Exchange Instant Messenger