Microsoft Security Bulletin MS02-022
Unchecked Buffer in MSN Chat Control Can Lead to Code Execution (Q321661)
Originally posted: May 08, 2002
Updated: February 28th, 2003
Who should read this bulletin:
All customers using the Microsoft® MSN Chat control, which is available for direct download and ships with MSN Messenger and Exchange Instant Messenger.
Impact of vulnerability:
Run Code of Attacker's Choice
Maximum Severity Rating: Critical
Recommendation:
Customers who did not install the updates when they were originally released should install the upgraded updates immediately; customers who installed the original updates should consider installing the upgraded updates.
Affected Software:
- Microsoft MSN Chat Control
- Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control
- Microsoft Exchange Instant Messenger 4.5 and 4.6, which includes the MSN Chat control
On May 8, 2002, Microsoft released the original version of this bulletin. On June 11, 2002, the bulletin was updated to announce that while the fixes issued on May 8, 2002 resolved the vulnerability, they did not protect in all cases against the reintroduction of the vulnerable control. As a result, a new set of fixes is being released to ensure that systems are fully protected against the reintroduction of the vulnerable control. A new MSN Chat control, an updated patch, an updated version of MSN Messenger and an updated version of Exchange Instant Messenger have been made available. Customers who have applied any of the fixes released on May 8, 2002 are encouraged to consider applying the updated fixes.
The MSN Chat control is an ActiveX control that allows groups of users to gather in a single, virtual location online to engage in text messaging. The control is offered for download as a single ActiveX control from a number of MSN sites. In addition, it is included with MSN Messenger since version 4.5 and Exchange Instant Messenger. While the MSN Chat control is included with these products it is not used to provide Instant Messaging functionality, but rather to add chat functionality to those products.
An unchecked buffer exists in one of the functions that handles input parameters in the MSN Chat control. A security vulnerability results because it is possible for a malicious user to levy a buffer overrun attack and attempt to exploit this flaw. A successful attack could allow code to run in the user's context.
It would be possible for an attacker to attempt to exploit this vulnerability either through a malicious web site or through HTML email. However, Outlook Express 6.0, Outlook 2002, and Outlook 98 and Outlook 2000 with the Outlook Email Security Update can thwart such attempts through their default security settings.
- A successful attack would require that the user have installed the MSN Chat control, MSN Messenger, or Exchange Instant Messenger.
- The MSN Chat control does not install with any version of Windows or Internet Explorer by default.
- Windows Messenger which ships with Windows XP does not include the MSN Chat control. Windows XP users would be vulnerable only if they have chosen to install the MSN Chat control from MSN sites.
- The HTML email attack vector is blocked by the following Microsoft mail products: Outlook 98 and Outlook 2000 with the Outlook Email Security Update, Outlook 2002, and Outlook Express. This is because these products all open HTML email in the Restricted Sites zone by default.
| Component | Internet Servers | Intranet Servers | Client Systems |
|---|---|---|---|
| MSN Chat Control | Low | Low | Critical |
| Exchange Instant Messenger | Low | Low | Critical |
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The component in question is a client application not intended for use on servers.
Vulnerability identifier: CAN-2002-0155
Microsoft tested the MSN Chat control, MSN Messenger 4.5 and 4.6 and Exchange Instant Messenger to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
On June 11, 2002, we updated this bulletin to advise customers that the fixes released on May 8, 2002 did not fully protect systems against the reintroduction of the vulnerable control. Specifically, if the vulnerable control were offered for download and a user accepted the control, it could be possible for an attacker to load the control, even though the update had been applied. Those fixes did fully and successfully address the vulnerability and are not themselves vulnerable to the issues discussed in this bulletin.
We have updated the bulletin to advise customers of this, to announce the availability of an updated MSN Chat control and an updated patch, and to encourage customers who applied the previous fixes to consider applying the updated fixes. In addition, work on an updated MSN Messenger and Exchange Instant Messenger is underway and those should be posted shortly.
Customers who have applied any of the fixes released on May 8, 2002 should install the updated fixes to ensure that their systems are fully protected against reintroduction of the old, vulnerable control. Customers can apply the new updates directly: there is no need to uninstall the previous updates.
What's the scope of the vulnerability?
This is a buffer overflow vulnerability. An attacker who successfully exploited this vulnerability would be able to run programs on another user's system. Such a program could take any action that the system's owner could take, such as adding, changing or deleting any data or configuration information. For example, the code could lower the security settings in the browser, or write a file to the hard disk.
The affected component does not ship by default with any version of Windows or IE. Customers who are using the latest Microsoft mail products, Outlook 2002 and Outlook Express 6.0, are protected by default against HTML email-borne attacks. Outlook 98 and Outlook 2000 customers who have applied the Outlook Email Security Update are also protected by default against HTML email-borne attacks. Because the code would run as the user and not the operating system, any security limitations on the user's account would also apply to any code run by successfully exploiting this vulnerability. In environments where user accounts are restricted, such as enterprise environments, the actions that an attacker's code could take would be limited by these restrictions.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the code that handles the input of a parameter in the MSN Chat control. By invoking this parameter in a particular manner, an attacker could overflow the buffer and gain the ability to run code in the user's security context.
What is MSN Chat?
MSN Chat is an online service offered by MSN that lets users talk to one another in virtual "chat rooms". These rooms can allow multiple users to gather in a single, virtual location and exchange text-based messages.
MSN Chat works by users running a local client chat program, in this case the MSN Chat control, and then logging on to a central chat server. Once logged on to the chat server, users can enter chat rooms and exchange messages with one another.
What is the MSN Chat control?
The MSN Chat control is an ActiveX control that is used on a variety of MSN sites, including the MSN Chat site. In essence, the control is a self-contained chat program.
What is an ActiveX control?
ActiveX is a technology that allows developers to deploy programs in a small, self-contained way. These programs are called controls and can be used by web pages, Visual Basic programs or other applications.
ActiveX controls can be distributed in a number of ways including installing with software products or being offered for download from a web site. Regardless of how a user installs an ActiveX control, once it is installed and registered on the user's system, it is fully functional and available to the user.
How do I get the MSN Chat control?
You can get the MSN Chat control through two means:
- Via web download from MSN Chat sites.
- Through inclusion with Microsoft Instant Messaging Products, specifically MSN Messenger and Exchange Instant Messenger.
How do I get the MSN Chat control from the web?
Any time a user visits a chat room on MSN, the site checks to see if the user's system has the latest version of the MSN Chat control. If no control is found on the user's system or a newer version of the control is available than is on the user's system, the MSN Chat control is automatically offered for download. The user then has the choice to accept and install the control, or cancel the download. If the user chooses to accept the control, it is then installed.
It's important to note that this control is used for chat rooms on several MSN sites in addition to the main MSN Chat site. If you have successfully used chat on any MSN site, you have downloaded and installed the chat control.
How do I get the MSN Chat control from Microsoft Instant Messaging Products?
In addition to being available for download directly from the MSN Chat site, the MSN Chat control is installed with MSN Messenger, since version 4.5, and Exchange Instant Messenger.
It's important to note, however, that this vulnerability does not affect these technologies themselves. MSN Chat is different from MSN Messenger, Windows Messenger or Exchange Instant Messenger in that those technologies are peer-to-peer messaging products and allow users to talk directly with each other. While users of these technologies log on to a directory server to announce their availability, there are no "rooms" as in MSN Chat, and users exchange messages directly with one another.
The vulnerability in question only affects the MSN Chat control and not MSN Messenger or Exchange Instant Messenger.
Is the MSN Chat control included with Windows Messenger in Windows XP?
No. The MSN Chat control is not included with Windows Messenger in Windows XP. However, Windows XP users can install the control by visiting an MSN Chat site and downloading the control.
What's wrong with the MSN Chat control?
There is an unchecked buffer in one of the functions that handles the input of certain parameters to the control.
What would this vulnerability enable an attacker to do?
An attacker who exploited this vulnerability successfully could run a program on a system that had the control installed. Since the MSN Chat control runs in the security context of the user, the program would be able to take any actions that the legitimate user was capable of taking, including adding or deleting data or configuration information.
On the other hand, this also means that any limitations placed on the user's account would apply to the attacker's code as well. For example, if an enterprise administrator had implemented policies such that the user could not change their IE security setting, the attacker's code would also be prevented from changing those settings.
How might an attacker attempt to exploit this vulnerability?
An attacker could attempt to exploit this vulnerability by creating a web page that invoked the MSN Chat control and included a call to the parameter in question in a particular way. When the user opened the web page and the code on the page ran, the attack would be carried out.
The attacker would most likely attempt to get the user to open this malicious web page in one of two ways:
- By posting the page on a web site. If he successfully enticed the user to visit his site, the control would be invoked once the page had loaded.
- By sending the web page as an HTML email to the user. If the user were using a mail client that reads mail in the Restricted Sites zone, such as Outlook 2002, the control would be loaded only if the user were enticed to click a link in the email. Conversely, if the user were not using a product that reads mail in the Restricted Sites zone, then when the web page was rendered, either by opening the mail or through a preview pane, the control would be invoked.
How can I mitigate the risk of the web-borne attack?
For the web-based attack to succeed, the attacker would have to lure the user to a site under his control. Users who exercise caution in their choice of web sites and only visit trusted web sites could potentially protect themselves from attack by avoiding the attacker's web site.
I've heard that if I'm using IE, it's possible for an attacker to exploit this vulnerability even if I've never installed the MSN Chat control or the Messenger products, is that true?
It's true that it is possible for an attacker to host a copy of the vulnerable version of the control on their web site which could be offered for download when a user visited the site. However, the attacker would have to entice the user to visit their web site and convince the user to accept and install the control when offered.
Since the chat control is meant to be used in conjunction with chat sites, it would be worth questioning the trustworthiness of any site that unexpectedly offered a chat control for download. The best action would be to refuse the download offered.
But, I've heard that it's possible for an attacker to force this control to download without my knowing it, is that true?
Not exactly. There is an option that can allow a user to always accept signed code, such as the MSN Chat control, without prompting. Specifically, a user can select the "Always trust content from" check box that is presented when a signed control is offered for download.
However, the option only grants trust to the particular certificate that was used to sign that control; it does not grant blanket trust to the company or organization as a whole. This means that even if you've chosen to trust content signed by Microsoft, it doesn't necessarily mean that you've chosen to trust the particular certificate used to sign this control.
The certificate in question is used to sign only a handful of controls. This means that only someone who has downloaded the chat control or other related controls from MSN and selected the "Always trust content from" option would have chosen to always trust content signed by this certificate.
Even then, the control could not be offered for download unless a user chooses to navigate to a site under an attacker's control. There is no way for an attacker to offer this control without a user visiting their site.
That said, the "killbit" will be set for this vulnerable control in an upcoming IE service pack, to ensure that this unusual scenario does not pose a risk for customers.
What is the "killbit"?
There is a security feature in Internet Explorer that makes it possible to prevent an ActiveX control from ever being loaded by the Internet Explorer HTML rendering engine. This is accomplished by making a registry setting and is referred to as setting the "killbit". Once the "killbit" is set, the control can never be loaded, even when it is fully installed. Setting this ensures that even if a vulnerable component is introduced or re-introduced onto a system, it remains inert and harmless.
There is more information on this feature in Q240797.
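As an added illustration of the mechanism described above (this script is not part of the bulletin or of Microsoft's patch), the following PowerShell reads and sets the "killbit" for a control the way Q240797 documents it: a "Compatibility Flags" DWORD with the 0x400 bit under the ActiveX Compatibility key for the control's CLSID. The CLSID used here is an obvious placeholder, since the bulletin does not list the MSN Chat control's CLSID; substitute the real one before use.

```powershell
# Added example, not from the bulletin. Assumes the registry layout documented in Q240797:
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   "Compatibility Flags" (DWORD) with bit 0x400 = kill bit.
# On 64-bit Windows the 32-bit IE engine reads the same path under Wow6432Node; both are checked.

$KillBitFlag = 0x400

# PLACEHOLDER CLSID: replace with the CLSID of the control you intend to block.
$TargetClsid = '{00000000-0000-0000-0000-000000000000}'

function Get-ActiveXCompatKeys {
    param([Parameter(Mandatory)][string]$Clsid)
    @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
}

# Returns $true only if every applicable compatibility key carries the kill bit.
function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatKeys -Clsid $Clsid) {
        # The Wow6432Node path only exists on 64-bit systems; skip it elsewhere.
        if ($key -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
        if (-not (Test-Path $key)) { return $false }
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or (($flags -band $KillBitFlag) -ne $KillBitFlag)) { return $false }
    }
    return $true
}

# Sets the kill bit while preserving any other compatibility flags already present.
function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatKeys -Clsid $Clsid) {
        if ($key -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $existing) { $existing = 0 }
        $newFlags = [int]$existing -bor $KillBitFlag
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $newFlags -Type DWord
    }
}

# Usage (requires an elevated prompt, since HKLM is written):
#   Test-KillBit -Clsid $TargetClsid   # report current state
#   Set-KillBit  -Clsid $TargetClsid   # block the control in the IE rendering engine
#   Test-KillBit -Clsid $TargetClsid   # should now be True
"Kill bit set for $TargetClsid : $(Test-KillBit -Clsid $TargetClsid)"
```

Setting the kill bit does not uninstall the control; it only stops the IE HTML engine from instantiating it, which is exactly what makes a re-downloaded vulnerable copy inert.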
How can I mitigate the risk of the email-borne attack?
Customers who use any of the following products are protected against email-borne attacks by default:
- Outlook 98 and Outlook 2000 if the Outlook Email Security Update has been installed.
- Outlook 2002
- Outlook Express 6
This is because these products read email in the "Restricted Sites" zone. By default, the Restricted Sites zone disables the scripting of ActiveX controls. This means that an HTML email that attempts to exploit this vulnerability is rendered harmless when read using one of these products.
I'm using one of the mail products listed above and don't visit untrustworthy sites. Does this mean I don't need the patch?
While those products and habits can help protect you from attack without the patch, users should still upgrade their version of MSN Chat, MSN Messenger or Exchange Instant Messenger or apply the patch to fully protect themselves.
How can I eliminate the vulnerability?
There are three recommended ways that users can eliminate the vulnerability.
- Users can download an updated version of the MSN Chat control from the MSN Chat sites.
- Users can install an updated version of MSN Messenger
- Users can install an updated version of Exchange Instant Messenger
In addition, users can download and apply the patch as an immediate, interim measure to eliminate the vulnerability by unregistering the vulnerable control and setting the "killbit". However, it is recommended that users apply this patch only as an interim solution until they can install the appropriate updated software.
How do I install an updated version of the MSN Chat control from the MSN Chat sites?
Users who want to eliminate the vulnerability by downloading and installing an updated version of the MSN Chat control can go to the MSN Chat site, chat.msn.com and enter a chat room. The updated MSN Chat control will then be presented for download automatically and users can follow the instructions provided there to install the updated component.
What does the updated version of the MSN Chat control do?
The updated version of the MSN Chat control eliminates the vulnerability by implementing proper checking in the affected buffer. In addition, it automatically unregisters any and all previous versions of the MSN Chat control and sets the "killbit" to render them unusable in the Internet Explorer HTML rendering engine.
How do I install an updated version of MSN Messenger?
Users who are running MSN Messenger and want to eliminate the vulnerability by installing the latest version of MSN Messenger can follow the instructions provided by MSN Messenger's AutoUpdate feature, or download the latest version from the location specified in the "Patch Availability" section.
What does the updated version of MSN Messenger do?
The updated version of MSN Messenger installs the updated MSN Chat control, which eliminates the vulnerability by implementing proper checks on the parameter input buffer. In addition, the updated MSN Chat control included in the updated version of MSN Messenger unregisters any and all previous versions of the MSN Chat control and sets the "killbit" to render them unusable in the Internet Explorer HTML rendering engine.
How do I install an updated version of Exchange Instant Messenger?
Administrators who want to eliminate the vulnerability by installing an updated version of Exchange Instant Messenger in their environments can download the updated version from the location specified in the "Patch Availability" section.
What does the updated version of Exchange Instant Messenger do?
The updated version of Exchange Instant Messenger installs the updated MSN Chat control, which eliminates the vulnerability by implementing proper checks on the parameter input buffer. In addition, the updated MSN Chat control included in the updated version of Exchange Instant Messenger unregisters any and all previous versions of the MSN Chat control and sets the "killbit" to render them unusable in the Internet Explorer HTML rendering engine.
How do I install the patch?
Users can install the patch by downloading the patch from the location specified in the "Patch Availability" section.
What does the patch do?
The patch eliminates the vulnerability by unregistering the vulnerable MSN Chat control and sets the "killbit", rendering it unusable in the Internet Explorer HTML rendering engine.
Does the patch install an updated version of the MSN Chat control?
No. However, the next time a user visits the MSN Chat site after applying the patch, the updated version of the MSN Chat control will be offered for download.
I applied the fixes that were released on May 8, 2002. What do I need to do?
Customers who applied the original fixes that were released on May 8, 2002 should consider applying the updated fixes.
Do I need to uninstall the previous updates?
No. The new updates can be installed on top of the previous fixes.
I'm still having problems applying the updated fixes. What should I do?
If you are still having problems as a result of the patch, contact Microsoft Product Support Services. All calls related to security patches are free of charge. There's information on how to contact Product Support Services at:
Download locations for this patch
- Download locations for the patch:
Download Locations for Updated Software Versions
- Download location for updated version of MSN Chat control:
- Download location for updated version of MSN Messenger with the corrected control:
- Download location for updated version of Exchange Instant Messenger with the corrected control:
This patch can be installed on systems running Internet Explorer Version 4.0 or greater.
Reboot needed: No
Superseded patches: None.
Verifying patch installation:
Microsoft MSN Messenger and Exchange Instant Messenger:
- In the main Window, click "Help".
- Click "About MSN Messenger"
- The version displayed should be 4.6 (4.6.0082)
MSN Chat Control:
- Open IE
- Choose Tools
- Choose Internet Options
- Choose Settings on the "General" tab
- Choose View Objects
- Right Click on "MSN Chat Control 4.2"
- Choose Properties
- Click Version
- Version # is 7,0,206,401
No localization is necessary for this patch. Localized versions of MSN Messenger and Exchange Instant Messenger are available at the locations specified above.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article Q321661 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (May 08, 2002): Bulletin Created.
- V2.0 (June 11, 2002): Bulletin updated to advise customers that the fixes released on May 08, 2002 did not fully protect systems against the reintroduction of the older, vulnerable control and to announce the availability of updated fixes.
- V2.1 (February 28, 2003): Updated download links to Windows Update.