|
 |
|
 |
| Sunday, September 05, 2010
|
| Register Login |
 |
|
|
|
|
Users currently online
|
 |
|
|
|
 |
Membership: |
 |
Latest:
SullyC |
 |
New Today:
0 |
 |
New Yesterday:
0 |
 |
Overall:
53 |
 |
People Online: |
 |
Visitors:
6 |
 |
Members:
0 |
 |
Total:
6 |
Online Now:
|
|
|
|
|
|
|
|
|
|
Welcome to the Viruswarning forums. All your original content has been ported to the new forums as well as new content and additional opportunities to interact with the authors of Viruswarn.com. You can always access old content at www.leedrake.com/forum . You may find some formatting was lost in the conversion and the older versions of the posts to be more readable....
But at least it's all here.
Enjoy!
|
|
|
|
|
|
Viruswarn Forums
|
|
|
|
|
| You are not authorized to post a reply.
|
|
| Author |
Messages |
|
Lee Drake
Posts:238
 |
| 06/19/2002 9:33 AM |
|
| The Microsoft Chat Control contains an unchecked buffer that could allow a malicious user to run code of his choice on your machine and do anything that you could do.
What Is It?
The Microsoft Chat Control is an ActiveX control that allows two or more people to "chat" or write text messages to each other in a virtual "room" as if they were sitting around the living room chatting over coffee. Though the control is not technically a part of MSN Messenger, it adds this chat capability to Messenger. The control is offered as a free download from a number of MSN Web sites and included with MSN Messenger version 4.5 and later and Exchange Instant Messenger version 4.5 and later.
Messenger itself is not directly affected by this issue and the ActiveX control is not installed with any of these products by default. You only have the control installed if you explicitly installed it.
An attacker could exploit this vulnerability in one of two ways.
The attacker could lure you to a malicious Web site which would open in your Web browser. By default, this site would open in the Internet security zone, in which your security restrictions are usually sufficiently relaxed to permit script and some other types of code to run, perhaps without any warning to you.
The attacker could send you an email message that contains the malicious code. If you have Outlook Express 6.0, Outlook 98 or Outlook 2000 with the Email Security Update installed, or Outlook 2000, the default security settings would block this route of attack.
What Should You Do?
If you have the MSN Chat Control installed (even if you do not use it actively or often), you should visit the appropriate Web page from the list below and follow the instructions given there for downloading and installing the update.
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=38790 is the patched control by itself.
http://messenger.msn.com/download/download.asp?client=1&update=1 is the page for updating MSN Messenger, including the corrected control.
http://www.microsoft.com/Exchange/downloads/2000/IMclient.asp is the page for updating Exchange Instant Messenger, including the corrected control.
If you are running Windows XP, you should be aware that MSN Messenger is probably installed. Even if you do not use Messenger today, it would be prudent to update it now so that the update will be in place should you later decide to use it.
References
Microsoft Product Security Bulletin "Unchecked Buffer in MSN Chat Control Can Lead to Code Execution (Q321661)", available on the Web at http://www.microsoft.com/technet/security/bulletin/MS02-022.asp.
CERT/CC "CA-2002-13 Buffer Overflow in Microsoft's MSN Chat ActiveX", available at http://www.cert.org/advisories/CA-2002-13.html.
This concludes this VirusWarning notice.
Lee Drake, Moderator |
|
|
|
|
|
| You are not authorized to post a reply. |
|
|
|
ActiveForums 3.6
|
|
|
|
|
|
|
|
|
|
|
|