Results 1 to 10 of 10

Thread: MSN Messenger Remote Vulnerability...

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Exclamation MSN Messenger Remote Vulnerability...

    Version(s): MSN Messenger 4.6.0073 (latest at 02/02/2002) on Windows 2000 with IE 6; Windows Messenger 4.6.0073 (latest at 02/02/2002) on Windows XP with IE 6; other versions may be affected

    Description: An information disclosure vulnerability was reported in Microsoft's Messenger instant messaging client. A remote user can create a web page or HTML-based e-mail message that will cause the recipient's Messenger display name and contacts to be disclosed.

    It is reported that a remote user can create javascript that will cause MSN Messenger or Windows Messenger to disclose personal information. The user's display name and display names of the user's contacts may be disclosed. If the user has not set a display name, the user's e-mail address may be disclosed.

    It is reported that certain Microsoft web sites can also obtain the user's name and e-mail address. In addition, sites (or domain suffixes) listed in the registry can also obtain the user's name and e-mail addresses, according to the report. The list of domain suffixes that have full access to Messenger functionality is reportedly located in the registry in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" with values "Suffix0", "Suffix1", etc.

    It is reported that the only way for a user to prevent sites from obtaining access to the user's personal information is by logging out of Messenger before visiting the web site.

    A demonstration exploit page is available at:

    http://raburton.members.easyspace.com/msn/

    Impact: A remote user can obtain another user's display name and contacts via malicious javascript that must be loaded by the target user, either via a web page or via HTML-based e-mail.

    Solution: No solution was available at the time of this entry.

    The author of the report has provided the following recommendations:

    - Set a display name so your email address isn't obtainable so easily.
    - Check for entries in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" regularly, especially after installing freeware or shareware.
    - If you want to visit microsoft.com and remain anonymous, close MSN Messenger.

  2. #2
    Banned
    Join Date
    Oct 2001
    Posts
    1,459
    Another M$ explot... Im not surprised

  3. #3
    Yippee another cool trick to play on soccer mom's!

  4. #4
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    It would seem prudent to not use msn messenger or at the very least - log out as you say, sOnIc, before moving to other sites.

    This msoft insecurity will be the end of the company some day.
    Trappedagainbyperfectlogic.

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    206
    Sonic, your a one man walking vulnerability finder!




  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    119
    the link doesn't work but the rest is pretty interesting
    the only thing that doesn\'t change is everything will always change.

  7. #7
    Originally posted by dieterle81
    the link doesn't work but the rest is pretty interesting
    It's strange, now I have tested it and work ...

    Anyway for details http://securityfocus.com/archive/1/254021

    Have funny.
    What is essential is invisible
    to the eye ...
    ]ØÐÖ§|-|Å

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    734
    I don't know if this is really a security exploit, I mean, does anyone really care if somebody knows thier MSN Messenger login name. Unless you are one of those paranoid people gone insane with all the "spyware"

  9. #9
    Senior Member
    Join Date
    Jul 2001
    Posts
    343
    Well my XP is toast but my iMac does not show the problem with MS Messenger
    It all goes back to one company owns the OS and the App.
    And it does not supprise me either....
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

  10. #10
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    didn't I allredy post this??

    http://www.antionline.com/showthread...&postid=448575

    well.. ok.. the thread got lost way to soon...
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •