LISTSERV - VICUG-L Archives - LISTSERV.ICORS.ORG

VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

	LISTSERV Archives
	VICUG-L Home

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Forum View Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	MSN Messenger vulnerable through IE bug
From:	Christopher McMillan <[log in to unmask]>
Reply To:	Christopher McMillan <[log in to unmask]>
Date:	Tue, 12 Feb 2002 14:44:19 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (54 lines)

MSN Messenger vulnerable through IE bug

ITworld.com 2/11/02

Joris Evers, IDG News Service, Amsterdam Bureau
Shortly after Microsoft Corp. admitted that its MSN Messenger instant
messaging program has a bug that could disclose the names and e-mail
addresses on a user's contact list, the company is being confronted with
what seems to be a bigger hole.

A malicious Web site operator can hijack a user's MSN Messenger
application and perform all tasks, including sending messages and
personal files, according to a bulletin posted on the Bugtraq mailing
list on Saturday and a warning issued by security software firm Finjan
Software Ltd. on Sunday.

To take over a user's MSN Messenger program, an attacker has to exploit
a known hole in Internet Explorer by sending specially crafted code in
an HTML (Hypertext Markup Language) e-mail or directing the user to a
Web site that contains that code, according to the security advisories.

The Internet Explorer hole, known as the Document.Open() bug, was first
discovered in December. Microsoft has yet to plug the hole. A patch was
initially published late last week, only to be removed from the Windows
Update service hours later, according to a message on Tom Gilder's Web
site (http://www.tom.me.uk/msn). Gilder wrote the Bugtraq bulletin.

Finjan expects the flaw to be exploited by many and states that an "MSN
Messenger worm" could be written based on this vulnerability. MSN
Messenger 2.21 and above on systems with Internet Explorer 5.5. and 6.0
installed are vulnerable, according to Finjan.

Users can protect themselves by disabling active scripting in Internet
Explorer or by not using MSN Messenger, which is software offered for
free by Microsoft and is a standard part of Windows XP.

Microsoft on Friday confirmed that MSN Messenger has a bug that could
disclose the names and e-mail addresses on a user's contact list to
malicious Web site operators. The company is working on an update for
MSN Messenger to fix that flaw.

Nobody at Microsoft was immediately available for comment.

Joris Evers is a correspondent for the IDG News Service.


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html

ATOM RSS1 RSS2

LISTSERV.ICORS.ORG