MSN Messenger Remote Vulnerability...

[s0nIc]

Version(s): MSN Messenger 4.6.0073 (latest at 02/02/2002) on Windows 2000 with IE 6; Windows Messenger 4.6.0073 (latest at 02/02/2002) on Windows XP with IE 6; other versions may be affected

Description: An information disclosure vulnerability was reported in Microsoft's Messenger instant messaging client. A remote user can create a web page or HTML-based e-mail message that will cause the recipient's Messenger display name and contacts to be disclosed.

It is reported that a remote user can create javascript that will cause MSN Messenger or Windows Messenger to disclose personal information. The user's display name and display names of the user's contacts may be disclosed. If the user has not set a display name, the user's e-mail address may be disclosed.

It is reported that certain Microsoft web sites can also obtain the user's name and e-mail address. In addition, sites (or domain suffixes) listed in the registry can also obtain the user's name and e-mail addresses, according to the report. The list of domain suffixes that have full access to Messenger functionality is reportedly located in the registry in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" with values "Suffix0", "Suffix1", etc.

It is reported that the only way for a user to prevent sites from obtaining access to the user's personal information is by logging out of Messenger before visiting the web site.

A demonstration exploit page is available at:

http://raburton.members.easyspace.com/msn/

Impact: A remote user can obtain another user's display name and contacts via malicious javascript that must be loaded by the target user, either via a web page or via HTML-based e-mail.

Solution: No solution was available at the time of this entry.

The author of the report has provided the following recommendations:

- Set a display name so your email address isn't obtainable so easily.
- Check for entries in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" regularly, especially after installing freeware or shareware.
- If you want to visit microsoft.com and remain anonymous, close MSN Messenger.

[ac1dsp3ctrum]

Another M$ explot... Im not surprised

[freeOn]

Yippee another cool trick to play on soccer mom's!

[gold eagle]

It would seem prudent to not use msn messenger or at the very least - log out as you say, sOnIc, before moving to other sites.

This msoft insecurity will be the end of the company some day.

[the_g_nee]

Sonic, your a one man walking vulnerability finder!

[dieterle81]

the link doesn't work but the rest is pretty interesting

[jodosha]

Originally posted by dieterle81
the link doesn't work but the rest is pretty interesting

It's strange, now I have tested it and work ...

Anyway for details http://securityfocus.com/archive/1/254021

Have funny.

[jethro]

I don't know if this is really a security exploit, I mean, does anyone really care if somebody knows thier MSN Messenger login name. Unless you are one of those paranoid people gone insane with all the "spyware"

[Highlander]

Well my XP is toast but my iMac does not show the problem with MS Messenger
It all goes back to one company owns the OS and the App.
And it does not supprise me either....

[the_JinX]

didn't I allredy post this??

http://www.antionline.com/showthread...&postid=448575

well.. ok.. the thread got lost way to soon...