MSN Messenger video-based exploit revealed

Share this article:

Security experts are advising users of MSN Messenger to be wary of untrusted web cam conversations after exploit code was posted today for a zero-day vulnerability in the instant messaging (IM) application.

The bug, rated "highly critical" by tracking firm Secunia, can be exploited when a victim accepts a malicious video from an attacker, prompting a heap-based buffer overflow. Results may range from a system crash to arbitrary code execution.

The exploit, published on a Chinese hacker site, affects MSN Messenger versions 6 and 7. No fix is available, but Secunia's advisory recommends affected users upgrade to Version 8, which is not impacted by the vulnerability.

A Microsoft representative could not immediately be reached for comment today.

SANS Internet Storm Center handler Maarten Van Horenbeeck said today on the organization's blog that although Microsoft has not yet confirmed the vulnerability, users should not "accept untrusted video conversation sessions at this time."

The reported flaw comes on the same day that IM security provider Akonix released monthly stats showing IM threats nearly doubled from July to August.

"This is actually something new," Don Montgomery, vice president of marketing at San Diego-based Akonix, told SCMagzine.com today. "Most of the attacks use IM as a conduit for either a payload within a file attached to the message or the socially engineered text of a message contains a poison URL."

Montgomery said attackers are catching on to the increasing corporate use of IM.

"Our thought is that using IM as a target gets more attractive as more people use IM at work," he said. "If you can infect a corporate PC inside the firewall and then propagate inside that network unmolested, you can do a lot of things."

That includes installing keyloggers or spyware or spreading spam, he said. 

Click here to email reporter Dan Kaplan.

Click here for the latest SC Magazine Podcast – Aug. 27, 2007: A monster (.com) of a data theft

Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

More in News

Reported breaches involving zero-day bug at JPMorgan Chase, other banks

Reported breaches involving zero-day bug at JPMorgan Chase, ...

Hackers exploited a zero-day vulnerability and gained access to sensitive information from JPMorgan Chase and at least four other financial institutions, reports indicate.

Data on 97K Bugzilla users posted online for about three months

During a migration of the testing server for test builds of Bugzilla software, data on about 97,000 Bugzilla users was inadvertently posted publicly online.

Chinese national had access to data on 5M Arizona drivers, possible breach ...

Although Lizhong Fan left the U.S. in 2007, the agencies responsible for giving him access to Americans' personal information have yet to disclose the details of the case to the public.