----- Original Message ----- From: "Microsoft" <0_32397_165C8BD7-6727-A140-968B-75B384AF14DB_US@xxxxxxxxxxxxxxxxxxxxxxxxx> To: <ecvogel@xxxxxxxxx> Sent: Wednesday, June 12, 2002 10:02 AM Subject: Microsoft Security Bulletin MS02-022: Unchecked Buffer in MSN Chat Control Can Lead to Code Execution (Q321661) (Version 2.0) -----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------------- Title: Unchecked Buffer in MSN Chat Control Can Lead to Code Execution (Q321661) Released: 08 May 2002 Revised: 11 June 2002 (version 2.0) Software: MSN Chat, MSN Messenger, Exchange Instant Messenger Impact: Run Code of Attacker's Choice Max Risk: Critical Bulletin: MS02-022 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS02-022.asp. - ---------------------------------------------------------------------- Reason for Revision: ==================== On May 8 2002, Microsoft released the original version of this bulletin. On June 11, 2002 the bulletin was updated to announce that while the fixes issued on May 8 2002 resolved the vulnerability, they did not protect in all cases against the reintroduction of the vulnerable control. As a result, a new set of fixes is being released to ensure that systems are fully protected against the reintroduction of the vulnerable control. A new MSN Chat control, updated patch, updated version of MSN Messenger and an updated version of Exchange Instant Messenger have been made available. Customers who have applied any of the fixes released on May 8, 2002 are encouraged to consider applying the updated fixes. Issue: ====== The MSN Chat control is an ActiveX control that allows groups of users to gather in a single, virtual location online to engage in text messaging. The control is offered for download as a single ActiveX control from a number of MSN sites. In addition, it is included with MSN Messenger since version 4.5 and Exchange Instant Messenger. While the MSN Chat control is included with these products it is not used to provide Instant Messaging functionality, but rather to add chat functionality to those products. An unchecked buffer exists in one of the functions that handles input parameters in the MSN Chat control. A security vulnerability results because it is possible for a malicious user to levy a buffer overrun attack and attempt to exploit this flaw. A successful attack could allow code to run in the user's context. It would be possible for an attacker to attempt to exploit this vulnerability either through a malicious web site or through HTML email. However, Outlook Express 6.0 and the Outlook Email Security Update, which is available for Outlook 98 and Outlook 2000, Outlook 2002 and can thwart such attempts through their default security settings. Mitigating Factors: ==================== - A successful attack would require that the user have installed the MSN Chat control, MSN Messenger, or Exchange Instant Messenger. - The MSN Chat control does not install with any version of Windows or Internet Explorer by default. - Windows Messenger which ships with Windows XP does not include the MSN Chat control. Windows XP users would be vulnerable only if they have chosen to install the MSN Chat control from MSN sites. - The HTML email attack vector is blocked by the following Microsoft mail products: - Outlook 98 and Outlook 2000 with the Outlook Email Security Update - Outlook 2002 - Outlook Express. This is because these products all open HTML email in the Restricted Sites zone by default. Risk Rating: ============ - Internet systems: Low - Intranet systems: Low - Client systems: Critical Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-022.asp for information on obtaining this patch. Acknowledgment: =============== - eEye Digital Security (http://www.eeye.com) - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBPQZTWY0ZSRQxA/UrAQHpjAgAmXbWZiDgPukry+5gdrlHX8tYaOP9XPge KJrEC+iigp4l8oYEQ3IcFQLfZ9yia7tCHbThvGqPpiLmVAPuoidHUGU2LAZfVBXd r8n/1MuoFjZsQwQrdYc1iz/Qe6CD2W2rzdfI96vHyp6D0mjzdp9M3KCkosuZ0NF7 qaHtba/UGux4AcZM1vM8YOuwe0Ub2lO/HNaZJdB6S65Orhkff0bKoW31LXK/5eom s0gHGpqGpBfBWMAW4Keda+GjbuxlDBhqeyAWzZXt9bP9DlYVRX0Vbn+TIIOPzFYn DxNzzjnt4xmlC19QcYLXXjTapW6+5PmKg3580i1BCOzBJWx90SwoXg== =KPt1 -----END PGP SIGNATURE----- ******************************************************************* You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: Send an email to unsubscribe to the Service by following these steps: a. Send an e-mail to securrem@xxxxxxxxxxxxxx The subject line and the message body are not used to process the subscription request, and can be anything you like. b. Send the e-mail. c. You will receive a response, asking you to verify that you really want to cancel your subscription. Compose a reply, and put "OK" in the message body. (Without the quotes). Send the reply. d. You will receive an e-mail telling you that your name has been removed from the subscriber list. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security. --------------------------------------------------------------------------- ----- Computer Talk Shop http://www.computertalkshop.com Un-subscribe/Vacation, http://questforcertification.com/cts/list_options.htm List HowTo: http://questforcertification.com/cts/faq To join Computer Talk Shop's off topic list, please goto: http://questforcertification.com/cts/other_cts_lists.htm --------------------------------------------------------------------------- ------