Exploit code for a “highly critical” vulnerability in MSN Messenger has been posted to a Chinese-language forum, prompting Microsoft to urge all users to immediately migrate to Windows Live Messenger 8.1.
The exploit, available here, is caused by an error in the handling of video conversations and can be exploited to cause a heap-based buffer overflow via specially crafted data sent to a user.
Secunia warns that successful exploitation may allow execution of arbitrary code, but requires that the victim accepts the incoming Webcam invitation.
“This is under investigation,” a Microsoft spokesman said.
“Our investigation so far shows that the latest version, Windows Live Messenger 8.1, is not vulnerable to this issue,” he added, urging Windows Live Messenger 8.0 users to upgrade to Messenger 8.1.
“We have encouraged customers to upgrade to Windows Live Messenger 8.1 beginning February 2007,” the spokesman said.
Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.
Windows Live Messenger is the successor to MSN Messenger, the popular text and video chatting tool offered by Redmond’s MSN division.MSN, Messenger, MSN Messenger, Webcam, Flaw, Vulnerability, Secunia, Exploit
Source:→ ZDNet Blog