Microsoft Security Bulletin MS04-010

Technical description:

A security vulnerability exists in Microsoft MSN Messenger. The vulnerability exists because of the method used by MSN Messenger to handle a file request. An attacker could exploit this vulnerability by sending a specially crafted request to a user running MSN Messenger.  If exploited successfully, the attacker could view the contents of a file on the hard drive without the user's knowledge as long as the attacker knew the location of the file and the user had read access to the file.

To exploit this vulnerability, an attacker would have to know the sign-on name of the MSN Messenger user in order to send the request.

Mitigating factors:

• An attacker must know the sign-on name of the user
• If the user has blocked receiving messages from anonymous users not on their contact list by placing "All Others" in their block list, the attacker's messenger account must be on the user's allow list to exploit the vulnerability.
• The attacker could access files that the user had read access to.  If the user is logged into the computer with restricted privileges this would limit the files that the attacker could access.

Severity Rating:

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2004-0122

What is the scope of the vulnerability?
This is an Information Disclosure vulnerability.  An attacker who exploited this vulnerability could view the contents of a file on the hard drive without the user's knowledge if the attacker knew the exact location of the file.

What causes the vulnerability?
A vulnerability results because of the method used by MSN Messenger to handle a file request between two MSN Messenger accounts. The method used to handle the request does not validate certain contents of the request when creating the session.

What is MSN Messenger?
MSN Messenger is an instant messaging program that allows users to send instant messages to each other, or create other peer to peer sessions such as sharing voice, video, or sending files. More information about MSN Messenger can be found at the following Web site.

What is Windows Messenger?
Windows Messenger is also an instant messaging program that allows similar functionality to MSN Messenger. Windows XP comes with Windows Messenger, which remains available even after MSN Messenger 6.1 is installed on a computer. Windows Messenger can connect to the Communications Service and Exchange Instant Messaging, which are only used in corporations. More information about Windows Messenger can be found at the following Web site.

Does the vulnerability apply to Windows Messenger as well?
No - the vulnerability is unique to the method of validating file requests utilized by MSN Messenger.

What is wrong with the way that MSN Messenger handles file requests?
The vulnerability results from the way MSN Messenger validates a file request.  It is possible for an attacker to craft a request in such a way that MSN Messenger could allow the request to view a file on the hard drive.

Why does this pose a security vulnerability?
The vulnerability could provide a way for an attacker to view confidential files or view user names or passwords, although the attacker would have no way to edit or change the files.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could have read access to any file the user had access to if the attacker knew the location of the file. There would not be any indication to the user that the attacker was attempting to read the files.

Who could exploit the vulnerability?
A user with MSN Messenger and the knowledge of a specific user sign-on name could seek to exploit the vulnerability.

What does the update do?
The update removes the vulnerability by modifying the handling of file requests by MSN Messenger.

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, click the appropriate link: