Microsoft Security Bulletin MS07-054 - Important

Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution (942099)

Published: Tuesday, September 11, 2007 | Updated: Wednesday, September 12, 2007

Version: 1.1

General Information

Executive Summary

This important security update resolves a publicly disclosed vulnerability in MSN Messenger and Windows Live Messenger. The vulnerability could allow remote code execution when a user accepts a webcam or video chat invitation from an attacker. An attacker who successfully exploited this vulnerability could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Customers using MSN Messenger 7.0.0820 or Windows Live Messenger 8.1 are not affected by this vulnerability. For more information, see the subsection, Affected and Non-Affected Software, in this section.

For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers using MSN Messenger 6.2 and MSN Messenger 7.0 on Microsoft Windows 2000 Service Pack 4 upgrade to MSN Messenger 7.0.0820 at the earliest opportunity. Customers on other supported Windows platforms, running MSN Messenger 6.2, MSN Messenger 7.0, MSN Messenger 7.5, or Windows Live Messenger 8.0, should upgrade to Windows Live Messenger 8.1 at the earliest opportunity.

Known Issues. None

Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected.

Affected Software

Operating System	Software	Maximum Security Impact	Aggregate Severity Rating	Bulletins Replaced by This Update
Microsoft Windows 2000 Service Pack 4	MSN Messenger 6.2 MSN Messenger 7.0	Remote Code Execution	Important	None
Windows XP Service Pack 2	MSN Messenger 6.2 MSN Messenger 7.0 MSN Messenger 7.5 Windows Live Messenger 8.0	Remote Code Execution	Important	None
Windows XP Professional x64 Edition	MSN Messenger 6.2 MSN Messenger 7.0 MSN Messenger 7.5 Windows Live Messenger 8.0	Remote Code Execution	Important	None
Windows XP Professional x64 Edition Service Pack 2	MSN Messenger 6.2 MSN Messenger 7.0 MSN Messenger 7.5 Windows Live Messenger 8.0	Remote Code Execution	Important	None
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2	MSN Messenger 6.2 MSN Messenger 7.0 MSN Messenger 7.5 Windows Live Messenger 8.0	Remote Code Execution	Important	None
Windows Server 2003 x64 Edition	MSN Messenger 6.2 MSN Messenger 7.0 MSN Messenger 7.5 Windows Live Messenger 8.0	Remote Code Execution	Important	None
Windows Server 2003 x64 Edition Service Pack 2	MSN Messenger 6.2 MSN Messenger 7.0 MSN Messenger 7.5 Windows Live Messenger 8.0	Remote Code Execution	Important	None
Windows Vista	MSN Messenger 6.2 MSN Messenger 7.0 MSN Messenger 7.5 Windows Live Messenger 8.0	Remote Code Execution	Important	None
Windows Vista x64 Edition	MSN Messenger 6.2 MSN Messenger 7.0 MSN Messenger 7.5 Windows Live Messenger 8.0	Remote Code Execution	Important	None

Non-Affected Software

Operating System	Software
Microsoft Windows 2000 Service Pack 4	MSN Messenger 7.0.0820
Windows XP Service Pack 2	Windows Live Messenger 8.1
Windows XP Professional x64 Edition	Windows Live Messenger 8.1
Windows XP Professional x64 Edition Service Pack 2	Windows Live Messenger 8.1
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2	Windows Live Messenger 8.1
Windows Server 2003 x64 Edition	Windows Live Messenger 8.1
Windows Server 2003 x64 Edition Service Pack 2	Windows Live Messenger 8.1
Windows Vista	Windows Live Messenger 8.1
Windows Vista x64 Edition	Windows Live Messenger 8.1

Frequently Asked Questions (FAQ) Related to This Security Update

How will this upgrade be distributed?
Upon signing on to MSN Messenger service, users of MSN Messenger 6.2 and MSN Messenger 7.0 on supported editions of Microsoft Windows 2000 Service Pack 4 will be prompted by the client deployment mechanism in the MSN Messenger service to accept the upgrade to MSN Messenger 7.0.0820.

Also, users who desire to download the upgrade to MSN Messenger 7.0.0820 immediately, may do so by using the Download Center link provided in the Affected Software table. Note that this only applies to users of MSN Messenger 6.2 and MSN Messenger 7.0 on supported editions of Microsoft Windows 2000 Service Pack 4.

Upon signing on to MSN Messenger or Windows Live Messenger service, users of MSN Messenger 6.2, MSN Messenger 7.0, MSN Messenger 7.5, and Windows Live Messenger 8.0 on supported editions of platforms later than Microsoft Windows 2000 Service Pack 4 will be prompted by the client deployment mechanism in the MSN Messenger or Windows Live Messenger service to accept the upgrade to Windows Live Messenger 8.1.

Also, users who desire to download the upgrade to Windows Live Messenger 8.1 immediately, may do so by using the Download Center link provided in the Affected Software table. Note that this only applies to users of MSN Messenger 6.2, MSN Messenger 7.0, MSN Messenger 7.5, and Windows Live Messenger 8.0 on supported editions of platforms later than Microsoft Windows 2000 Service Pack 4.

Otherwise, users of vulnerable versions of the MSN Messenger or Windows Live Messenger clients may not be allowed to connect to the MSN Messenger or Windows Live Messenger service.

Why is Microsoft releasing this upgrade over the MSN Messenger or Windows Live Messenger service as well as providing downloads?
Microsoft currently issues upgrades for the MSN Messenger or Windows Live Messenger client using the MSN Messenger or Windows Live Messenger service because these online services have their own client deployment mechanism. However, Download Center links are also available for specific MSN Messenger or Windows Live Messenger clients, running on platforms provided in the Affected Software table, because users may desire to download the upgrades immediately.

If this is an upgrade, how can I detect if I have a vulnerable version of MSN Messenger or Windows Live Messenger?
When you attempt to sign on to the MSN Messenger or Windows Live Messenger service, the client deployment mechanism will automatically determine your current client version and platform and if required, recommend the appropriate upgrade. Also, you may verify your MSN Messenger or Windows Live Messenger client version by clicking Help and then About.

What happens if I do not upgrade to MSN Messenger 7.0.0820 or Windows Live Messenger 8.1?
If you do not upgrade to a non-affected version of the MSN Messenger or Windows Live Messenger client, depending on your platform, you will be notified to upgrade on each attempt to sign on. If you do not accept the upgrade, you may not be allowed access to MSN Messenger or Windows Live Messenger service. See the Non-Affected Software table in this section for details on platforms and upgrade versions of the MSN Messenger and Windows Live Messenger clients.

Are other Microsoft Real-Time Collaboration applications, like Windows Messenger or Office Communicator, affected by this vulnerability?
No. Other messaging applications are not affected as they do not contain the vulnerable component.

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software	MSN Messenger Webcam or Video Chat Session Remote Code Execution Vulnerability – CVE-2007-2931	Aggregate Severity Rating
MSN Messenger 6.2 MSN Messenger 7.0 MSN Messenger 7.5 Windows Live Messenger 8.0	Important Remote Code Execution	Important

MSN Messenger Webcam or Video Chat Session Remote Code Execution Vulnerability – CVE-2007-2931

A remote code execution vulnerability exists in MSN Messenger 6.2, MSN Messenger 7.0, MSN Messenger 7.5, and Windows Live Messenger 8.0. The vulnerability could allow remote code execution when a user chooses to accept a webcam or video chat invitation from an attacker. An attacker who successfully exploited this vulnerability could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-2931.

Mitigating Factors for MSN Messenger Webcam or Video Chat Session Remote Code Execution Vulnerability – CVE-2007-2931

Workarounds for MSN Messenger Webcam or Video Chat Session Remote Code Execution Vulnerability – CVE-2007-2931

FAQ for MSN Messenger Webcam or Video Chat Session Remote Code Execution Vulnerability – CVE-2007-2931

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs or view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?
The vulnerability exists in the way MSN Messenger or Windows Live Messenger handles specially crafted webcam or video chat sessions. As a result, memory may be corrupted in such a way that an attacker could execute arbitrary code in the security context of the logged-in user.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs or view, change, or delete data, or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
An attacker could send an invitation to a user to join in a specially crafted webcam or video chat session that is designed to exploit this vulnerability. However, an attacker would have no way to force users to join a webcam or video chat session. Instead, an attacker would have to convince users to accept the webcam or video chat invitation.

What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user be signed on to the MSN Messenger or Windows Live Messenger service and accept a webcam or video chat invitation for any malicious action to occur. Therefore, any system where MSN Messenger 6.2, MSN Messenger 7.0, MSN Messenger 7.5, or Windows Live Messenger 8.0 is used, such as workstations or servers, is at risk from this vulnerability.

What does the update do?
MSN Messenger 7.0.0820 and Windows Live Messenger 8.1 have been updated to sufficiently manage webcam or video chat sessions.

I do not use any webcams. Do I still have to upgrade?
Yes. When you sign on, the MSN Messenger or Windows Live Messenger service will notify you to upgrade to the appropriate MSN Messenger or Windows Live Messenger client for your platform if you have not done so.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2007-2931.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Update Information

Security Update Deployment

Affected Software

For information about the specific security update for your affected software, click the appropriate link:

MSN Messenger (all versions) on Windows 2000


Prerequisites	MSN Messenger 6.2 on Microsoft Windows 2000 Service Pack 4 MSN Messenger 7.0 on Microsoft Windows 2000 Service Pack 4
Deployment	Upon signing on to MSN Messenger service, accept the prompt to upgrade to MSN Messenger 7.0.0820. Also, users who desire to download the upgrade to MSN Messenger 7.0.0820 immediately, may do so by using the Download Center link provided in the Affected Software table. Note that this only applies to users of MSN Messenger 6.2 and MSN Messenger 7.0 on supported editions of Microsoft Windows 2000 Service Pack 4.
Restart Requirement	Yes, you may need to restart your system after upgrading if, during the upgrade, you have users with multiple MSN Messenger sessions active on the system
Removal Information	Use Add or Remove Programs tool in Control Panel
Verifying the Upgrade	Within MSN Messenger, click Help, then click About. Check that the Version Number is 7.0.0820.

MSN Messenger or Windows Live Messenger (all versions) on Windows XP, Windows Server 2003, and Windows Vista

Reference Table

The following table contains the information to upgrade to Windows Live Messenger 8.1:


Prerequisites	MSN Messenger 6.2 on Windows XP Service Pack 2 MSN Messenger 7.0 on Windows XP Service Pack 2 MSN Messenger 7.5 on Windows XP Service Pack 2 Windows Live Messenger 8.0 on Windows XP Service Pack 2 MSN Messenger 6.2 on Windows XP Professional x64 Edition MSN Messenger 7.0 on Windows XP Professional x64 Edition MSN Messenger 7.5 on Windows XP Professional x64 Edition Windows Live Messenger 8.0 on Windows XP Professional x64 Edition MSN Messenger 6.2 on Windows XP Professional x64 Edition Service Pack 2 MSN Messenger 7.0 on Windows XP Professional x64 Edition Service Pack 2 MSN Messenger 7.5 on Windows XP Professional x64 Edition Service Pack 2 Windows Live Messenger 8.0 on Windows XP Professional x64 Edition Service Pack 2 MSN Messenger 6.2 on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 MSN Messenger 7.0 on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 MSN Messenger 7.5 on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 Windows Live Messenger 8.0 on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 MSN Messenger 6.2 on Windows Server 2003 x64 Edition MSN Messenger 7.0 on Windows Server 2003 x64 Edition MSN Messenger 7.5 on Windows Server 2003 x64 Edition Windows Live Messenger 8.0 on Windows Server 2003 x64 Edition MSN Messenger 6.2 on Windows Server 2003 x64 Edition Service Pack 2 MSN Messenger 7.0 on Windows Server 2003 x64 Edition Service Pack 2 MSN Messenger 7.5 on Windows Server 2003 x64 Edition Service Pack 2 Windows Live Messenger 8.0 on Windows Server 2003 x64 Edition Service Pack 2 MSN Messenger 6.2 on Windows Vista MSN Messenger 7.0 on Windows Vista MSN Messenger 7.5 on Windows Vista Windows Live Messenger 8.0 on Windows Vista MSN Messenger 6.2 on Windows Vista x64 Edition MSN Messenger 7.0 on Windows Vista x64 Edition MSN Messenger 7.5 on Windows Vista x64 Edition Windows Live Messenger 8.0 on Windows Vista x64 Edition
Deployment	Upon signing on to MSN Messenger or Windows Live Messenger service, accept the prompt to upgrade to Windows Live Messenger 8.1. Also, users who desire to download the upgrade to Windows Live Messenger 8.1 immediately, may do so by using the Download Center link provided in the Affected Software table. Note that this only applies to users of MSN Messenger 6.2, MSN Messenger 7.0, MSN Messenger 7.5, and Windows Live Messenger 8.0 on supported editions of platforms later than Microsoft Windows 2000 Service Pack 4.
Restart Requirement	Yes, you may need to restart your system after upgrading if, during the upgrade, you have users with multiple MSN Messenger or Windows Live Messenger sessions active on the system
Removal Information	Use Add or Remove Programs tool in Control Panel
Verifying the Upgrade	Within Windows Live Messenger, click Help, then click About. Check that the Version Number is 8.1.0178.00.

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Woo Shi of team 509 for reporting the MSN Messenger Video Chat Remote Code Execution Vulnerability – CVE-2007-2931

Support

Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

V1.0 (September 11, 2007): Bulletin published.
V1.1 (September 12, 2007): Download center links added to Affected Software table for upgrading to Windows Live Messenger 8.1.