Version(s): MSN Messenger 4.6.0073 (latest at 02/02/2002) on Windows 2000 with IE 6; Windows Messenger 4.6.0073 (latest at 02/02/2002) on Windows XP with IE 6; other versions may be affected

Description: An information disclosure vulnerability was reported in Microsoft's Messenger instant messaging client. A remote user can create a web page or HTML-based e-mail message that will cause the recipient's Messenger display name and contacts to be disclosed.

It is reported that a remote user can create JavaScript that will cause MSN Messenger or Windows Messenger to disclose personal information. The user's display name and the display names of the user's contacts may be disclosed. If the user has not set a display name, the user's e-mail address may be disclosed.

It is reported that certain Microsoft web sites can also obtain the user's name and e-mail address. In addition, sites (or domain suffixes) listed in the registry can also obtain the user's name and e-mail addresses, according to the report. The list of domain suffixes that have full access to Messenger functionality is reportedly located in the registry in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" with values "Suffix0", "Suffix1", etc.

It is reported that the only way for a user to prevent sites from obtaining access to the user's personal information is by logging out of Messenger before visiting the web site.

A demonstration exploit page is available at:

http://raburton.members.easyspace.com/msn/

Impact: A remote user can obtain another user's display name and contacts via malicious JavaScript that must be loaded by the target user, either via a web page or via HTML-based e-mail.

Solution: No solution was available at the time of this entry.

The author of the report has provided the following recommendations:

- Set a display name so your email address isn't obtainable so easily.
- Check for entries in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" regularly, especially after installing freeware or shareware.
- If you want to visit microsoft.com and remain anonymous, close MSN Messenger.
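
The registry check recommended above can be scripted. The following PowerShell is an added example, not part of the original report: it reads the "SuffixN" values from the key named in the advisory and compares them with a baseline file. The function names, the baseline file (one approved suffix per line, recorded from a known-good install) and its location are assumptions, and PowerShell 3.0 or later is required.

```powershell
# Added example; function names and the baseline file are assumptions.
$SuffixKey = 'HKLM:\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes'

function Get-MessengerSuffix {
    # Returns one object per "SuffixN" value under the key named in the advisory.
    param([string]$KeyPath = $SuffixKey)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        if ($name -match '^Suffix\d+$') {
            [pscustomobject]@{ Name = $name; Suffix = ([string]$key.GetValue($name)).Trim() }
        }
    }
}

function Compare-MessengerSuffix {
    # Compares the live list with a baseline file (one approved suffix per line).
    # A missing baseline file is treated as empty, so every entry is flagged.
    param(
        [Parameter(Mandatory = $true)][string]$BaselinePath,
        [string]$KeyPath = $SuffixKey
    )
    $baseline = @()
    if (Test-Path -LiteralPath $BaselinePath) {
        $baseline = @(Get-Content -LiteralPath $BaselinePath |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $current = @(Get-MessengerSuffix -KeyPath $KeyPath)

    foreach ($entry in $current) {
        # -contains compares case-insensitively, which suits domain suffixes.
        $status = if ($baseline -contains $entry.Suffix) { 'Approved' } else { 'Unexpected' }
        [pscustomobject]@{ Status = $status; Name = $entry.Name; Suffix = $entry.Suffix }
    }
    foreach ($suffix in $baseline) {
        # Baseline entries that have disappeared are reported as well.
        if (@($current | ForEach-Object { $_.Suffix }) -notcontains $suffix) {
            [pscustomobject]@{ Status = 'MissingFromHost'; Name = $null; Suffix = $suffix }
        }
    }
}

# Example run: show only entries that are not in the recorded baseline.
Compare-MessengerSuffix -BaselinePath "$env:ProgramData\messenger-suffix-baseline.txt" |
    Where-Object { $_.Status -eq 'Unexpected' } |
    Format-Table -AutoSize
```

Running it after each software installation, as the report suggests, shows any suffix that has been added since the baseline was recorded.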