Results 1 to 10 of 10

Thread: MSN Messenger Remote Vulnerability...

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001

    Exclamation MSN Messenger Remote Vulnerability...

    Version(s): MSN Messenger 4.6.0073 (latest at 02/02/2002) on Windows 2000 with IE 6; Windows Messenger 4.6.0073 (latest at 02/02/2002) on Windows XP with IE 6; other versions may be affected

    Description: An information disclosure vulnerability was reported in Microsoft's Messenger instant messaging client. A remote user can create a web page or HTML-based e-mail message that will cause the recipient's Messenger display name and contacts to be disclosed.

    It is reported that a remote user can create javascript that will cause MSN Messenger or Windows Messenger to disclose personal information. The user's display name and display names of the user's contacts may be disclosed. If the user has not set a display name, the user's e-mail address may be disclosed.

    It is reported that certain Microsoft web sites can also obtain the user's name and e-mail address. In addition, sites (or domain suffixes) listed in the registry can also obtain the user's name and e-mail addresses, according to the report. The list of domain suffixes that have full access to Messenger functionality is reportedly located in the registry in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" with values "Suffix0", "Suffix1", etc.

    It is reported that the only way for a user to prevent sites from obtaining access to the user's personal information is by logging out of Messenger before visiting the web site.

    A demonstration exploit page is available at:

    Impact: A remote user can obtain another user's display name and contacts via malicious javascript that must be loaded by the target user, either via a web page or via HTML-based e-mail.

    Solution: No solution was available at the time of this entry.

    The author of the report has provided the following recommendations:

    - Set a display name so your email address isn't obtainable so easily.
    - Check for entries in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" regularly, especially after installing freeware or shareware.
    - If you want to visit and remain anonymous, close MSN Messenger.

  2. #2
    Join Date
    Oct 2001
    Another M$ explot... Im not surprised

  3. #3
    Yippee another cool trick to play on soccer mom's!

  4. #4
    Senior Member
    Join Date
    Dec 2001
    It would seem prudent to not use msn messenger or at the very least - log out as you say, sOnIc, before moving to other sites.

    This msoft insecurity will be the end of the company some day.

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Sonic, your a one man walking vulnerability finder!

  6. #6
    Senior Member
    Join Date
    Nov 2001
    the link doesn't work but the rest is pretty interesting
    the only thing that doesn\'t change is everything will always change.

  7. #7
    Originally posted by dieterle81
    the link doesn't work but the rest is pretty interesting
    It's strange, now I have tested it and work ...

    Anyway for details

    Have funny.
    What is essential is invisible
    to the eye ...

  8. #8
    Senior Member
    Join Date
    Nov 2001
    I don't know if this is really a security exploit, I mean, does anyone really care if somebody knows thier MSN Messenger login name. Unless you are one of those paranoid people gone insane with all the "spyware"

  9. #9
    Senior Member
    Join Date
    Jul 2001
    Well my XP is toast but my iMac does not show the problem with MS Messenger
    It all goes back to one company owns the OS and the App.
    And it does not supprise me either....
    Franklin Werren at
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

  10. #10
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Beverwijk Netherlands
    didn't I allredy post this??

    well.. ok.. the thread got lost way to soon...
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts