-----Original Message-----
From: UNIRAS (UK Govt CERT)
Sent: 12 June 2002 14:14
To: Undisclosed Recipients
Subject: UNIRAS Briefing - 181/02 - MICROSOFT - Unchecked Buffer in MSN
Chat Control Can Lead to Code Execution (Rev - full protection now
available)
-----BEGIN PGP SIGNED MESSAGE-----
- --------------------------------------------------------------------------
--------
UNIRAS (UK Govt CERT) Briefing Notice - 181/02 dated 12.06.02 Time:
14:12
UNIRAS is part of NISCC(National Infrastructure Security Co-ordination
Centre)
- --------------------------------------------------------------------------
--------
UNIRAS material is also available from its website at www.uniras.gov.uk
and
Information about NISCC is available from www.niscc.gov.uk
- --------------------------------------------------------------------------
--------
Title
=====
MICROSOFT Security Bulletin:
Unchecked Buffer in MSN Chat Control Can Lead to Code Execution
(Rev - full protection now available)
Detail
======
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------
Title: Unchecked Buffer in MSN Chat Control Can Lead to Code
Execution (Q321661)
Released: 08 May 2002
Revised: 11 June 2002 (version 2.0)
Software: MSN Chat, MSN Messenger, Exchange Instant Messenger
Impact: Run Code of Attacker's Choice
Max Risk: Critical
Bulletin: MS02-022
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-022.asp.
- - ----------------------------------------------------------------------
Reason for Revision:
====================
On May 8 2002, Microsoft released the original version of this
bulletin. On June 11, 2002 the bulletin was updated to announce
that while the fixes issued on May 8 2002 resolved the vulnerability,
they did not protect in all cases against the reintroduction of the
vulnerable control. As a result, a new set of fixes is being released
to ensure that systems are fully protected against the reintroduction
of the vulnerable control. A new MSN Chat control, updated patch,
updated version of MSN Messenger and an updated version of
Exchange Instant Messenger have been made available. Customers who
have applied any of the fixes released on May 8, 2002 are
encouraged to consider applying the updated fixes.
Issue:
======
The MSN Chat control is an ActiveX control that allows groups of
users to gather in a single, virtual location online to engage in
text messaging. The control is offered for download as a single
ActiveX control from a number of MSN sites. In addition, it is
included with MSN Messenger since version 4.5 and Exchange Instant
Messenger. While the MSN Chat control is included with these
products it is not used to provide Instant Messaging functionality,
but rather to add chat functionality to those products.
An unchecked buffer exists in one of the functions that handles
input parameters in the MSN Chat control. A security
vulnerability results because it is possible for a malicious user
to levy a buffer overrun attack and attempt to exploit this flaw.
A successful attack could allow code to run in the user's context.
It would be possible for an attacker to attempt to exploit
this vulnerability either through a malicious web site or through
HTML email. However, Outlook Express 6.0 and the
Outlook Email Security Update, which is available for
Outlook 98 and Outlook 2000, Outlook 2002 and can thwart such
attempts through their default security settings.
Mitigating Factors:
====================
- A successful attack would require that the user have installed
the MSN Chat control, MSN Messenger, or
Exchange Instant Messenger.
- The MSN Chat control does not install with any version of
Windows or Internet Explorer by default.
- Windows Messenger which ships with Windows XP does not
include the MSN Chat control. Windows XP users would be
vulnerable only if they have chosen to install the MSN Chat
control from MSN sites.
- The HTML email attack vector is blocked by the following
Microsoft mail products:
- Outlook 98 and Outlook 2000 with the
Outlook Email Security Update
- Outlook 2002
- Outlook Express.
This is because these products all open HTML email in the
Restricted Sites zone by default.
Risk Rating:
============
- Internet systems: Low
- Intranet systems: Low
- Client systems: Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-022.asp
for information on obtaining this patch.
Acknowledgment:
===============
- eEye Digital Security (http://www.eeye.com)
- - ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPQZTWY0ZSRQxA/UrAQHpjAgAmXbWZiDgPukry+5gdrlHX8tYaOP9XPge
KJrEC+iigp4l8oYEQ3IcFQLfZ9yia7tCHbThvGqPpiLmVAPuoidHUGU2LAZfVBXd
r8n/1MuoFjZsQwQrdYc1iz/Qe6CD2W2rzdfI96vHyp6D0mjzdp9M3KCkosuZ0NF7
qaHtba/UGux4AcZM1vM8YOuwe0Ub2lO/HNaZJdB6S65Orhkff0bKoW31LXK/5eom
s0gHGpqGpBfBWMAW4Keda+GjbuxlDBhqeyAWzZXt9bP9DlYVRX0Vbn+TIIOPzFYn
DxNzzjnt4xmlC19QcYLXXjTapW6+5PmKg3580i1BCOzBJWx90SwoXg==
=KPt1
- -----END PGP SIGNATURE-----
*******************************************************************
Reprinted with permission of MICROSOFT CORPORATION.
- --------------------------------------------------------------------------
--------
For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:
[EMAIL PROTECTED]
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686
- --------------------------------------------------------------------------
--------
UNIRAS wishes to acknowledge the contributions of MICROSOFT for the
information
contained in this Briefing.
- --------------------------------------------------------------------------
--------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the
vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical
site
to ensure that you receive the most current information concerning that
problem.
Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they
shall
not be liable for any loss or damage whatsoever, arising from or in
connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to
prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- --------------------------------------------------------------------------
--------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQCVAwUBPQdIkYpao72zK539AQFERwP+K0cR21FDIq7PVI8VSpJZpYL94U7UqVm1
VVMxxjj2xPpQRJCzFhQiYlJNEcNVaBK7MjVRCmLgM8OOJ2dmRonyNyTpGoJG0+18
egTDOqTEkcfHA1yzJGJomYGSgC+mpdRXmCERkidH14W4hf9dOkcRJ3O0pzUDtdNU
VSQ4NhVmvsc=
=eZtd
-----END PGP SIGNATURE-----
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk
