MSN Messenger video-based exploit revealed

Security experts are advising users of MSN Messenger to be wary of untrusted web cam conversations after exploit code was posted today for a zero-day vulnerability in the instant messaging (IM) application.

The bug, rated "highly critical" by tracking firm Secunia, can be exploited when a victim accepts a malicious video from an attacker, prompting a heap-based buffer overflow. Results may range from a system crash to arbitrary code execution.

The exploit, published on a Chinese hacker site, affects MSN Messenger versions 6 and 7. No fix is available, but Secunia's advisory recommends affected users upgrade to Version 8, which is not impacted by the vulnerability.

A Microsoft representative could not immediately be reached for comment today.

SANS Internet Storm Center handler Maarten Van Horenbeeck said today on the organization's blog that although Microsoft has not yet confirmed the vulnerability, users should not "accept untrusted video conversation sessions at this time."

The reported flaw comes on the same day that IM security provider Akonix released monthly stats showing IM threats nearly doubled from July to August.

"This is actually something new," Don Montgomery, vice president of marketing at San Diego-based Akonix, told SCMagzine.com today. "Most of the attacks use IM as a conduit for either a payload within a file attached to the message or the socially engineered text of a message contains a poison URL."

Montgomery said attackers are catching on to the increasing corporate use of IM.

"Our thought is that using IM as a target gets more attractive as more people use IM at work," he said. "If you can infect a corporate PC inside the firewall and then propagate inside that network unmolested, you can do a lot of things."

That includes installing keyloggers or spyware or spreading spam, he said. 

Click here to email reporter Dan Kaplan.

Click here for the latest SC Magazine Podcast – Aug. 27, 2007: A monster (.com) of a data theft