The story is available from https://electricnews.net/news.html?code=7439730

Kill the MSN Messenger
Thursday, May 09 2002
by The Register


Microsoft issued a "critical" security update after the discovery of a
vulnerability that allows attackers to execute malicious code against MSN
Messenger. The problem stems from a flaw in an ActiveX control, called MSN Chat,
which has been included with MSN Messenger since version 4.5 and with Exchange
Instant Messenger, writes John Leyden.


MSN Chat allows groups of users to gather in a single, virtual location on-line
to engage in text messaging.


Researchers at eEye Digital Security have discovered (http://www.eeye.com/html/Research/Advisories/AD20020508.html)
that an unchecked buffer exists in one of the functions that handles input
parameters in the MSN Chat control. Because of this, users enticed to open a
maliciously crafted HTML mail or visit a maliciously constructed Web site could
potentially fall victim to an attack.


In mitigation, Microsoft says that Outlook Express 6.0 and the Outlook E-mail
Security Update can thwart such attacks through their default security
settings. It also points out that the version of Windows Messenger which ships
with Windows XP does not include the MSN Chat control.


This still leaves a vast number of people vulnerable (Outlook E-mail Security
Update take-up is worryingly low) so it is not without good reason that Microsoft
defines the update as "critical." The vulnerability is ripe for exploitation
and of a type that means it is likely to hang around for some time before people
wake up to the problem.


Buffer overflows are a common class of security vulnerability, associated with
sloppy programming, which allow arbitrary and potentially malicious code to be
injected into a system through a carefully crafted, malformed data entry.


Generally, this spurious input is much longer than a program expects, causing
code to overflow the buffer, crash a process and enter parts of a system where it
may be subsequently executed.
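
The unchecked copy described above, next to a length-checked version, as an added illustration that is not code from the article, from eEye's advisory or from the MSN Chat control. The struct, the function names and the 32-byte buffer size are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PARAM_BUF_LEN 32   /* constructed size; the article does not give the real one */

/* Hypothetical record: a fixed buffer with other state stored right after it. */
struct chat_param {
    char value[PARAM_BUF_LEN];
    int  is_set;
};

/* Unchecked form, kept for contrast only and never called here: strcpy()
 * writes strlen(input) + 1 bytes regardless of the destination size, so a
 * long input runs past value[] into is_set and whatever follows in memory. */
void set_param_unchecked(struct chat_param *p, const char *input)
{
    strcpy(p->value, input);
    p->is_set = 1;
}

/* Checked form: returns 0 on success, -1 if the input is rejected. */
int set_param_checked(struct chat_param *p, const char *input)
{
    size_t len = 0;

    if (p == NULL || input == NULL)
        return -1;
    /* Measure at most PARAM_BUF_LEN bytes so the scan itself is bounded. */
    while (len < PARAM_BUF_LEN && input[len] != '\0')
        len++;
    if (len == PARAM_BUF_LEN)      /* no room for the terminator: reject, */
        return -1;                 /* do not silently truncate            */
    memcpy(p->value, input, len);
    p->value[len] = '\0';
    p->is_set = 1;
    return 0;
}

int main(void)
{
    struct chat_param p = { "", 0 };
    char oversize[200];            /* constructed input, far longer than the buffer */

    memset(oversize, 'A', sizeof oversize - 1);
    oversize[sizeof oversize - 1] = '\0';
    printf("oversize input: %d\n", set_param_checked(&p, oversize));
    printf("normal input:   %d\n", set_param_checked(&p, "lobby"));
    return 0;
}
```

Rejecting the oversize value outright, rather than truncating it, keeps the caller from acting on a parameter that is not the one that was sent.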


More information and a patch for the vulnerability can be found on the
Microsoft Web site (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-022.asp).

The Register and its contents are
copyright 2002 Situation Publishing. Reprinted with permission.





© Copyright ElectricNews.Net Ltd 1999-2002.