-
February 9th, 2002, 01:19 AM
#1
MSN Messenger Remote Vulnerability...
Version(s): MSN Messenger 4.6.0073 (latest at 02/02/2002) on Windows 2000 with IE 6; Windows Messenger 4.6.0073 (latest at 02/02/2002) on Windows XP with IE 6; other versions may be affected
Description: An information disclosure vulnerability was reported in Microsoft's Messenger instant messaging client. A remote user can create a web page or HTML-based e-mail message that will cause the recipient's Messenger display name and contacts to be disclosed.
It is reported that a remote user can create javascript that will cause MSN Messenger or Windows Messenger to disclose personal information. The user's display name and display names of the user's contacts may be disclosed. If the user has not set a display name, the user's e-mail address may be disclosed.
It is reported that certain Microsoft web sites can also obtain the user's name and e-mail address. In addition, sites (or domain suffixes) listed in the registry can also obtain the user's name and e-mail addresses, according to the report. The list of domain suffixes that have full access to Messenger functionality is reportedly located in the registry in key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" with values "Suffix0", "Suffix1", etc.
It is reported that the only way for a user to prevent sites from obtaining access to the user's personal information is by logging out of Messenger before visiting the web site.
A demonstration exploit page is available at:
http://raburton.members.easyspace.com/msn/
Impact: A remote user can obtain another user's display name and contacts via malicious javascript that must be loaded by the target user, either via a web page or via HTML-based e-mail.
Solution: No solution was available at the time of this entry.
The author of the report has provided the following recommendations:
- Set a display name so your email address isn't obtainable so easily.
- Check for entries in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes" regularly, especially after installing freeware or shareware.
- If you want to visit microsoft.com and remain anonymous, close MSN Messenger.
-
February 9th, 2002, 01:42 AM
#2
Another M$ explot... Im not surprised
-
February 9th, 2002, 03:28 AM
#3
Yippee another cool trick to play on soccer mom's!
-
February 9th, 2002, 02:13 PM
#4
It would seem prudent to not use msn messenger or at the very least - log out as you say, sOnIc, before moving to other sites.
This msoft insecurity will be the end of the company some day.
Trappedagainbyperfectlogic.
-
February 9th, 2002, 03:49 PM
#5
Sonic, your a one man walking vulnerability finder!
-
February 9th, 2002, 04:02 PM
#6
the link doesn't work but the rest is pretty interesting
the only thing that doesn\'t change is everything will always change.
-
February 9th, 2002, 05:21 PM
#7
Member
Originally posted by dieterle81
the link doesn't work but the rest is pretty interesting
It's strange, now I have tested it and work ...
Anyway for details http://securityfocus.com/archive/1/254021
Have funny.
What is essential is invisible
to the eye ...
]ØÐÖ§|-|Å
-
February 9th, 2002, 05:33 PM
#8
I don't know if this is really a security exploit, I mean, does anyone really care if somebody knows thier MSN Messenger login name. Unless you are one of those paranoid people gone insane with all the "spyware"
-
February 9th, 2002, 05:46 PM
#9
Well my XP is toast but my iMac does not show the problem with MS Messenger
It all goes back to one company owns the OS and the App.
And it does not supprise me either....
Franklin Werren at www.bagpipes.net
Yes I do play the Bagpipes!
And learning to Play the Bugle
-
February 9th, 2002, 05:56 PM
#10
didn't I allredy post this??
http://www.antionline.com/showthread...&postid=448575
well.. ok.. the thread got lost way to soon...
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|