[PCWorks] Windows Messenger ActiveX Control Vulnerability

  • From: "Clint Hamilton-PCWorks Admin" <PCWorks@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: "PCWorks@xxxxxxxxxxxxx" <pcworks@xxxxxxxxxxxxx>
  • Date: Wed, 13 Aug 2008 00:19:05 -0500

TITLE:
Microsoft Windows Messenger ActiveX Control Vulnerability

SECUNIA ADVISORY ID:
SA31446

VERIFY ADVISORY:
http://secunia.com/advisories/31446/

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
Microsoft Windows Messenger 5.x
http://secunia.com/product/40/
Microsoft Windows Messenger 4.x
http://secunia.com/product/617/

DESCRIPTION:
A vulnerability has been reported in Microsoft Windows Messenger,
which can be exploited by malicious people to gain knowledge of
sensitive information.

The vulnerability is caused by the Messenger.UIAutomation.1
ActiveX control being marked "safe-for-scripting". This allows
changing state, obtaining contact information and a user's login ID,
logging on remotely to a user's Messenger client as the user, as well
as initiating audio and video chat sessions without user interaction.

SOLUTION:
Apply patches.

-- Windows Messenger 4.7 --

Windows XP SP2/SP3:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8f588f7e-c4ed-42a0-b157-54b1eda60474

Windows XP Professional x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyID=a5fc5457-832f-4ee8-be60-4cc8518d1c10

Windows Server 2003 SP1/SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyID=302315a8-ccb2-47c2-9104-b8e1d1f49aa0

Windows Server 2003 x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyID=be94d138-7d7b-489e-baa6-e214950be6b9

Windows Server 2003 with SP1/SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e4b72618-536b-4a21-bd91-d91be9ca24e5


-- Windows Messenger 5.1 --

Windows 2000 SP4:
http://www.microsoft.com/downloads/details.aspx?FamilyID=A8D9EB73-5F8C-4B9A-940F-9157A3B3D774

Windows XP SP2/SP3:
http://www.microsoft.com/downloads/details.aspx?FamilyID=A8D9EB73-5F8C-4B9A-940F-9157A3B3D774

Windows XP Professional x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyID=A8D9EB73-5F8C-4B9A-940F-9157A3B3D774

Windows Server 2003 SP1/SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyID=A8D9EB73-5F8C-4B9A-940F-9157A3B3D774

Windows Server 2003 x64 Edition (optionally with SP2):
http://www.microsoft.com/downloads/details.aspx?FamilyID=A8D9EB73-5F8C-4B9A-940F-9157A3B3D774

Windows Server 2003 with SP1/SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyID=A8D9EB73-5F8C-4B9A-940F-9157A3B3D774

ORIGINAL ADVISORY:
MS08-050 (KB955702):
http://www.microsoft.com/technet/security/Bulletin/MS08-050.mspx
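
ADDED EXAMPLE (not part of the Secunia or Microsoft advisory):
A registry triage check for the control named under DESCRIPTION, reporting whether it is registered, whether it carries the registry "safe for scripting" marking, and whether an Internet Explorer kill bit is set for it. The function name is hypothetical; the two category IDs and the 0x400 kill-bit flag are standard Windows values assumed here, not taken from the advisory. A control can also declare itself safe at run time through IObjectSafety, which this check does not see.

```powershell
# Added example: registry triage for the ActiveX control named in the advisory.
$ProgId        = 'Messenger.UIAutomation.1'                 # ProgID given in the advisory
$SafeScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting (assumed standard value)
$SafeInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing (assumed standard value)
$KillBitFlag   = 0x400                                      # kill bit in "Compatibility Flags"

function Get-ActiveXExposure {                              # hypothetical helper name
    param([Parameter(Mandatory)][string]$ProgId)

    # Resolve ProgID -> CLSID on this host; the CLSID is looked up, not hard-coded.
    $progKey = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" -ErrorAction SilentlyContinue
    if (-not $progKey) {
        return [pscustomobject]@{ ProgId = $ProgId; Registered = $false }
    }
    $clsid = $progKey.GetValue('')

    # Check the native and the 32-bit (Wow6432Node) views as seen by a 64-bit PowerShell.
    foreach ($view in '', 'Wow6432Node\') {
        $classKey = "Registry::HKEY_CLASSES_ROOT\${view}CLSID\$clsid"
        if (-not (Test-Path -LiteralPath $classKey)) { continue }

        # Internet Explorer refuses to instantiate a control whose kill bit is set.
        $compatKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\${view}Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
        $compat = Get-Item -LiteralPath $compatKey -ErrorAction SilentlyContinue
        $flags  = if ($compat) { [int]$compat.GetValue('Compatibility Flags', 0) } else { 0 }

        $safeScript = Test-Path -LiteralPath "$classKey\Implemented Categories\$SafeScripting"
        $killed     = ($flags -band $KillBitFlag) -ne 0
        [pscustomobject]@{
            ProgId                      = $ProgId
            Clsid                       = $clsid
            View                        = if ($view) { '32-bit' } else { 'native' }
            Registered                  = $true
            SafeForScripting            = $safeScript
            SafeForInitializing         = Test-Path -LiteralPath "$classKey\Implemented Categories\$SafeInit"
            KillBitSet                  = $killed
            ScriptableByRegistryMarking = ($safeScript -and -not $killed)
        }
    }
}

Get-ActiveXExposure -ProgId $ProgId | Format-List
```

A result with ScriptableByRegistryMarking set to True means the control is still offered to web script through the registry marking; confirm the patch level against MS08-050 in either case.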

