MSN Messenger flaw allows hard-drive access

By Michael Kanellos
Posted on ZDNet News: Mar 9, 2004 9:28:00 PM

Two of the vulnerabilities are considered medium-level risks, while the third presents a medium- to low-level risk, according to security software specialist Symantec and others. Three separate patches to repair the flaws--which affect different pieces of software--have been released and are available for download. The identification of the vulnerabilities came Tuesday as part of Microsoft's regular security bulletin process.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

Later, the software giant will also send notices about the Messenger patch through MSN Messenger itself, said Stephen Toulouse, security program manager for the Microsoft Security Response Center.

The vulnerability in MSN Messenger versions 6.0 and 6.1 could let an attacker view the contents of a victim's hard drive during a chat session with the victim.

Attackers "could view files through MSN Messenger on their computer," Toulouse said. "They can do it, and you are not necessarily aware of what they are doing."

Users who do not block anonymous callers are most vulnerable to the exploit. If anonymous callers are blocked, the attacker has to be identified on the victim's address list. To obtain particular information, such as credit card numbers, attackers have to troll the hard drive, said Toulouse.

Oliver Friedrichs, senior manager for Symantec's security response team, said that victims don't actually have to be in conversation with the attacker. As long as the user permits anonymous callers to send messages, an attacker could come in and peruse Quicken files or other identifiable files that could likely contain sensitive data. However, most people block that function, so random attacks will likely be rare, he said.

The second medium-level risk could allow a hacker to take over a system by executing Internet Explorer code through a flaw in Outlook 2002.

A computer has to be configured in a particular manner, though, said Toulouse. The user has to set "Outlook Today" as the Outlook home page.

"If you go to Outlook through your in-box, you are protected," he said.

The third flaw allows attackers to instigate a denial-of-service attack against servers running Windows Media Services 4.1. The vulnerability exists because of the way Windows Media Station Service and Windows Media Monitor Service, components of Windows Media Services, handle TCP/IP connections. If an attacker sent a particular sequence of packets to a server running Media Services 4.1, it could interrupt any video streams.