Export (0) Print
Expand All

Microsoft Security Bulletin MS05-022 - Critical

Vulnerability in MSN Messenger Could Lead to Remote Code Execution (896597)

Published: April 12, 2005 | Updated: January 21, 2009

Version: 2.0

Summary

Who should read this document: Customers who use MSN Messenger

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: This bulletin replaces a prior security update. See the frequently asked questions (FAQ) section of this bulletin for the complete list.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

Non-Affected Software:

  • MSN Messenger 7.0

The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

General Information

Executive Summary:

This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Severity Ratings and Vulnerability Identifiers:

Vulnerability Identifiers Impact of Vulnerability MSN Messenger 6.2
MSN Messenger Vulnerability - CAN-2005-0562Remote Code Execution
Critical
Aggregate Severity of All Vulnerabilities Critical

This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Why was this bulletin revised on January 21, 2009? 
Microsoft revised this bulletin to replace the download link for MSN Messenger 6.2 with the bulletin link to MS07-054, "Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution (942099)." This download link has been made obsolete by a required upgrade, depending on operating system, for MSN Messenger 6.2 in MS07-054. In fact, MS07-054 lists other MSN Messenger versions as well as Window Live Messenger 8.0 as affected software. Users may upgrade before logging on to either service by using the download links provided in MS07-054. Users who have not upgraded to non-vulnerable versions of MSN Messenger or Windows Live Messenger will be prompted by the MSN Messenger or Windows Live Messenger service, respectively, upon logon.

What updates does this release replace?
This security update replaces a prior security update. The security bulletin ID and affected operating systems are listed in the following table:

Bulletin ID MSN Messenger 6.2
MS05-009 Replaced

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?
No. MBSA does not support MSN Messenger, and will not detect whether the update is required for the affected software. However, Microsoft has developed a version of the Enterprise Update Scanning Tool (EST) that will help customers determine if the MSN Messenger security update is required.

For detailed information about the programs that MBSA currently does not detect, see Microsoft Knowledge Base Article 306460. For more information about MBSA, visit the MBSA Web site.

What is the Enterprise Update Scanning Tool (EST)?
As part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer (MBSA) and the Office Detection Tool (ODT) cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Update Scanning Tool (EST) and is designed for enterprise administrators. When a version of the Enterprise Update Scanning Tool is created for a specific bulletin, customers can run the tool from a command line interface (CLI) and view the results of the XML output file. To help customers better utilize the tool, detailed documentation will be provided with the tool. There is also a version of the tool that offers an integrated experience for SMS administrators.

Can I use a version of the Enterprise Update Scanning Tool (EST) to determine whether this update is required?
Yes. Microsoft has created a version of the EST that will determine if you need to apply this update. For more information about the version of the EST being released this month, see the following Microsoft Web site. For more detailed deployment information about the version of the EST being released this month, see the following Microsoft Web site.

There is also a version of this tool that SMS customers can obtain from the following Microsoft Web site. This tool may also be available for SMS customers from the SMS Web site.

Can I use Systems Management Server (SMS) to determine whether this update is required?
No. SMS uses MBSA for detection and this update is not detected by MBSA. For information about SMS, visit the SMS Web site.

However, there is a version of the EST that SMS customers can obtain that offers an integrated experience for SMS administrators from the following Microsoft Web site.

The Security Update Inventory Tool is required for detecting Microsoft Windows and other affected Microsoft products. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460

For more information about SMS, visit the SMS Web site.

You can deploy this update by using the Inventory and Software Distribution feature of SMS.

MSN Messenger Vulnerability - CAN-2005-0562:

A remote code execution vulnerability exists in MSN Messenger that could allow an attacker who successfully exploited this vulnerable to take complete control of the affected system.

Mitigating Factors for MSN Messenger Vulnerability - CAN-2005-0562:

MSN Messenger, by default, does not allow anonymous people to send you messages. An attacker would first need to entice you to add them to your contacts list.

Workarounds for MSN Messenger Vulnerability - CAN-2005-0562:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

  • Review all of the contacts currently in your contact list and remove or block any that you do not know, do not trust or no longer need.
  • Do not agree to accept file transfers from contacts you do not know or trust.
  • Block access to MSN Messenger and Web Messenger in a corporate environment.
  • Block access to outgoing port 1863 in your corporate environment. Note MSN Messenger Service is connected through port 1863 when a direct connection is established. When a direct connection cannot be established, the MSN Messenger Service is connected through port 80.
  • Block HTTP access to gateway.messenger.hotmail.com. If you would like to block access to MSN Web Messenger you will also need to block HTTP access to webmessenger.msn.com.

    Impact of Workaround: MSN Messenger clients will not be able to connect to the MSN Messenger network

FAQ for MSN Messenger Vulnerability - CAN-2005-0562:

Is the MSN Messenger 7.0 beta affected by this vulnerability?
Yes. This vulnerability was reported after the release of the MSN Messenger 7.0 beta. Customers running the 7.0 beta version on MSN Messenger are encouraged to upgrade to the released version of the software which is not vulnerable.

What is the scope of the vulnerability?
This isa remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

What causes the vulnerability?
MSN Messenger has the ability to render and view files in the GIF image format. A malformed GIF image with an improper height and width may not be processed properly by MSN Messenger.

What is GIF?
GIF stands for Graphic Interchange Format. It is an older 256 color palette that was more compatible with the 8 bit video boards. It has since largely been replaced by the PNG and TIF graphics format.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Who could exploit the vulnerability?
An attacker would likely seek to exploit this vulnerability by convincing a user to add them to their contacts list, and sending a specially crafted emoticon or display picture.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.

Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
Yes. Customers running an affected version of MSN Messenger should install the updated version of MSN Messenger.

What does the update do?
The update removes the vulnerability by modifying the way MSN Messenger validates GIF files prior to processing them.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

How does this vulnerability relate to the PNG processing vulnerability that is corrected by MS05-009?
Both vulnerabilities affected graphics formats. However, this update addresses a new vulnerability in a different type of graphics format that was not addressed as part of MS05-009. MS05-009 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability. This update does replace MS05-009 for MSN Messenger.

Affected Software:

For information about the specific security update for your affected software, click the appropriate link:

MSN Messenger 6.2

Prerequisites
This security update requires MSN Messenger 6.2.

Restart Requirement

This update may require you to restart your computer.

Removal Information

This update cannot be uninstalled.

Verifying Update Installation

To verify that a security update is installed on an affected system, please perform the following steps:

1. Within MSN Messenger, Click Help, then About.

2. Check the version number.

If the Version number reads 6.2.0208 or above the update has been successfully installed.

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Hongzhen Zhou for reporting the MSN Messenger Vulnerability (CAN-2005-0562).

Obtaining Other Security Updates:

Updates for other security issues are available at the following locations:

Support:

  • Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Security Resources:

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.

For more information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyze, Microsoft Office Detection Tool, and the Enterprise Update Scanning Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (April 12, 2005): Bulletin published
  • V1.1 (May 11, 2005): Bulletin updated with correct file version information for MSN Messenger 6.2
  • V2.0 (January 21, 2009): Bulletin updated. Replaced the download link for MSN Messenger 6.2 with the bulletin link to MS07-054. Users may either use the specific download link in MS07-054 to upgrade, or log on to MSN Messenger service to accept the required upgrade.

Built at 2014-04-18T13:49:36Z-07:00

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2015 Microsoft