ENN - Electric News.net
::SECURITY

Kill the MSN Messenger
Thursday, May 09 2002
by The Register

Microsoft issued a "critical" security update after the discovery of a vulnerability that allows attackers to execute malicious code against MSN Messenger.

The problem stems from a flaw in an ActiveX control, called MSN Chat, which has been included with MSN Messenger since version 4.5 and with Exchange Instant Messenger, writes John Leyden.

MSN Chat allows groups of users to gather in a single, virtual location on-line to engage in text messaging.

Researchers at eEye Digital Security have discovered that an unchecked buffer exists in one of the functions that handles input parameters in the MSN Chat control. Because of this, users enticed to open a maliciously crafted HTML mail or visit a maliciously constructed Web site could potentially fall victim to an attack.

In mitigation, Microsoft says that Outlook Express 6.0 and the Outlook E-mail Security Update can thwart such attacks through their default security settings. It also points out that the version of Windows Messenger which ships with Windows XP does not include the MSN Chat control.

This still leaves a vast number of people vulnerable (Outlook E-mail Security Update take-up is worryingly low) so it is not without good reason that Microsoft defines the update as "critical." The vulnerability is ripe for exploitation and of a type that means it is likely to hang around for some time before people wake up to the problem.

Buffer overflows are a common class of security vulnerability, associated with sloppy programming, which allow arbitrary and potentially malicious code to be injected into a system through a carefully crafted, malformed data entry.

Generally, this spurious input is much longer than a program expects, causing code to overflow the buffer, crash a process and enter parts of a system where it may be subsequently executed.
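To make the "unchecked buffer" idea concrete, here is an added example (not code from the MSN Chat control, Microsoft or eEye) of a parameter handler with a fixed-size buffer, shown first without a length check and then with one. The names `chat_param`, `set_param_unchecked`, `set_param_checked` and the 32-byte size are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define PARAM_MAX 32  /* hypothetical fixed buffer size, terminator included */

struct chat_param {
    char value[PARAM_MAX];
};

/* Unchecked form: copies however many bytes the caller supplies.
 * Input longer than PARAM_MAX - 1 is written past the end of value[]. */
void set_param_unchecked(struct chat_param *p, const char *input)
{
    strcpy(p->value, input);
}

/* Checked form: measure the input first and refuse anything that does not
 * fit, leaving the destination empty. Returns 0 on success, -1 on reject. */
int set_param_checked(struct chat_param *p, const char *input)
{
    size_t len = 0;

    if (p == NULL || input == NULL)
        return -1;

    /* Scan at most PARAM_MAX bytes; no terminator by then means too long. */
    while (len < PARAM_MAX && input[len] != '\0')
        len++;
    if (len == PARAM_MAX) {
        p->value[0] = '\0';
        return -1;
    }
    memcpy(p->value, input, len + 1);  /* len + 1 copies the terminator too */
    return 0;
}

/* Constructed sample input: far longer than the buffer, as the article
 * describes. The checked handler rejects it instead of copying it. */
int demo_rejects_long(void)
{
    char big[200];
    struct chat_param p;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return set_param_checked(&p, big);
}
```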

More information and a patch for the vulnerability can be found on the Microsoft Web site.

The Register and its contents are copyright 2002 Situation Publishing. Reprinted with permission.


 

© Copyright ElectricNews.Net Ltd 1999-2002.