-----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-13 Buffer Overflow in Microsoft's MSN Chat ActiveX Control Original release date: May 10, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected Microsoft Windows systems with one or more of the following: * Microsoft MSN Chat control * Microsoft MSN Messenger 4.6 and prior * Microsoft Exchange Instant Messenger 4.6 and prior Overview Microsoft's MSN Chat is an ActiveX control for Microsoft Messenger, an instant messenging client. A buffer overflow exists in the ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. I. Description A buffer overflow exists in the "ResDLL" parameter of the MSN Chat ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. This vulnerability affects MSN Messenger and Exchange Instant Messenger users. Since the control is signed by Microsoft, users of Microsoft's Internet Explorer (IE) who accept and install Microsoft-signed ActiveX controls are also affected. The Microsoft MSN Chat control is also available for direct download from the web. The <object> tag could be used to embed the ActiveX control in a web page. If an attacker can trick the user into visiting a malicious site or the attacker sends the victim a web page as an HTML-formatted email or newsgroup posting then this vulnerability could be exploited. This acceptance and installation of the control can occur automatically within IE for users who trust Microsoft-signed ActiveX controls. When the web page is rendered, either by opening the page or viewing the page through a preview pane, the ActiveX control could be invoked. Likewise, if the ActiveX control is embedded in a Microsoft Office (Word, Excel, etc.) document, it may be executed when the document is opened. According to the Microsoft Advisory (MS02-022): It's important to note that this control is used for chat rooms on several MSN sites in addition to the main MSN Chat site. If you have successfully used chat on any MSN-site, you have downloaded and installed the chat control. The CERT/CC has published information on ActiveX in Results of the Security in ActiveX Workshop (pdf) and CA-2000-07. This issue is also being referenced as CAN-2002-0155: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0155 II. Impact A remote attacker may be able to execute arbitrary code with the privileges of the current user. III. Solution Apply a patch from your vendor Microsoft has released a patch, a fixed MSN Chat control, and upgrades to address this issue. It is important that all users apply the patch since it will prevent the installation of the vulnerable control on systems that have not already installed it. Download location for the patch: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38790 Download location for updated version of MSN Messenger with the corrected control: http://messenger.msn.com/download/download.asp?client=1&update=1 Download location for updated version of Exchange Instant Messenger with the corrected control: http://www.microsoft.com/Exchange/downloads/2000/IMclient.asp Microsoft also suggests that the following Microsoft mail products: Outlook 98 and Outlook 2000 with the Outlook Email Security Update, Outlook 2002, and Outlook Express will block the exploitation of this vulnerability via email because these products will open HTML email in the Restricted Sites zone. Other mitigation strategies include opening web pages and email messages in the Restricted Sites zone and using email clients that permit users to view messages in plain-text. Likewise, it is important for users to realize that a signed control only authenticates the origin of the control and does not imply any information with regard to the security of the control. Therefore, downloading and installing signed controls through an automated process is not a secure choice. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, please check the Vulnerability Note (VU#713779) or contact your vendor directly. Microsoft See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ MS02-022.asp _________________________________________________________________ The CERT/CC acknowledges the eEye Team for discovering and reporting on this vulnerability and thanks Microsoft for their technical assistance. _________________________________________________________________ Feedback can be directed to the author: Jason A. Rafail ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-13.html ______________________________________________________________________ CERT/CC Contact Information Email: firstname.lastname@example.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to email@example.com. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History May 10, 2002: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPNws56CVPMXQI2HJAQGUUQP/ZsyoPxzyttkDCaqvD8V7fu/dWWyUFPrk qYTu2CUfZtuGdmpZ91sR8jWn3BAgEiIiF5sIXMckqjApNDORkLdt1sIo5ddkX4qR k1JO0sAiNITtUAXwx3vsv36EYCtL+JaX5jmMrZffZvxjM1PzbmxGD7NVOvtGQtGB MUEDOZLJe44= =TqFl -----END PGP SIGNATURE-----
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.