February 9th, 2002, 12:19 AM
MSN Messenger Remote Vulnerability...
Version(s): MSN Messenger 4.6.0073 (latest at 02/02/2002) on Windows 2000 with IE 6; Windows Messenger 4.6.0073 (latest at 02/02/2002) on Windows XP with IE 6; other versions may be affected
Description: An information disclosure vulnerability was reported in Microsoft's Messenger instant messaging client. A remote user can create a web page or HTML-based e-mail message that will cause the recipient's Messenger display name and contacts to be disclosed.
It is reported that certain Microsoft web sites can also obtain the user's name and e-mail address. In addition, sites (or domain suffixes) listed in the registry can also obtain the user's name and e-mail addresses, according to the report. The list of domain suffixes that have full access to Messenger functionality is reportedly located in the registry in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" with values "Suffix0", "Suffix1", etc.
It is reported that the only way for a user to prevent sites from obtaining access to the user's personal information is by logging out of Messenger before visiting the web site.
A demonstration exploit page is available at:
Solution: No solution was available at the time of this entry.
The author of the report has provided the following recommendations:
- Set a display name so your email address isn't obtainable so easily.
- Check for entries in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" regularly, especially after installing freeware or shareware.
- If you want to visit microsoft.com and remain anonymous, close MSN Messenger.
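
One way to carry out the second recommendation on a regular schedule, as an added PowerShell example that is not part of the original report: it reads the "Suffix0", "Suffix1", ... values from the key named above and warns when the list differs from a saved baseline. The baseline file location and the function names are assumptions made for this example.

```powershell
# Added example: audit the Messenger trusted-suffix list against a saved baseline.
# The key path and the Suffix0, Suffix1, ... value names come from the advisory.
# The baseline file location is an assumption chosen for this example.
$KeyPath      = 'HKLM:\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes'
$BaselinePath = Join-Path $env:ProgramData 'messenger-suffix-baseline.txt'

function Get-MessengerSuffix {
    param([string]$Path = $KeyPath)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $key = Get-Item -LiteralPath $Path
    # Keep only values named Suffix<N>; ignore anything else stored in the key.
    $key.GetValueNames() |
        Where-Object { $_ -match '^Suffix\d+$' } |
        Sort-Object { [int]($_ -replace '\D') } |
        ForEach-Object {
            $value = ([string]$key.GetValue($_)).Trim().ToLowerInvariant()
            [pscustomobject]@{ Name = $_; Suffix = $value }
        }
}

function Compare-SuffixBaseline {
    param([string[]]$Current, [string[]]$Baseline)
    [pscustomobject]@{
        Added   = @($Current  | Where-Object { $_ -notin $Baseline })
        Removed = @($Baseline | Where-Object { $_ -notin $Current })
    }
}

$current = @(Get-MessengerSuffix | ForEach-Object Suffix | Sort-Object -Unique)

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the current list so later runs can detect changes.
    Set-Content -LiteralPath $BaselinePath -Value $current -Encoding UTF8
    Write-Output "Baseline written with $($current.Count) suffix(es): $BaselinePath"
    return
}

$baseline = @(Get-Content -LiteralPath $BaselinePath | Where-Object { $_ })
$diff = Compare-SuffixBaseline -Current $current -Baseline $baseline

if ($diff.Added.Count -or $diff.Removed.Count) {
    $diff.Added   | ForEach-Object { Write-Warning "New trusted suffix: $_" }
    $diff.Removed | ForEach-Object { Write-Warning "Suffix no longer present: $_" }
    exit 1
}
Write-Output "No change: $($current.Count) trusted suffix(es) match the baseline."
```

Run it once on a known-clean machine to record the baseline, then again after each software install; a non-zero exit code means the suffix list changed and should be reviewed.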