Display Picture vulnerability discovered in MSN Messenger 6

[Amailer]

http://mess.be/ wrote:

We have obtained new details on the previously announced Microsoft Security Bulletins. Core Security Technologies today published a vulnerability in MSN Messenger clients up to version 6. According to the report, using a specially-crafted MSN Display Picture, an attacker could trigger a buffer overflow vulnerability on a contact's computer and execute arbitrary code.

The attack would travel through the established chat session and would pass unnoticed by firewalls, network intrusion detection systems and even host-based personal firewalls and antivirus software. Windows Messenger and Windows Media Player are also affected by this vulnerability.

"This is a critical security flaw since it directly affects more than 130 million users and because the attack is very likely to go unnoticed by the several layers of security countermeasures commonly used today," said Ivan Arce, CTO at Core Security Technologies. "Since initially reporting the flaw, we have been working closely with [Microsoft] and we are pleased to see that a fix is now available."

NOTE: MSN Messenger 7 BETA is NOT vulnerable. Download it here.

>> Join the February Security Bulletins webast for a brief overview of the technical details followed by an extensive Q&A session. Tomorrow at this time and recommended to IT professionals only.

Yeah so this could be the reason why msn is down for many people.
Also you will be asked to do 9 updates by windows updater XD

[Tony]

it's a scam to get people to start using MSN 7

anyways - wouldn't the user first have to add the attacker to their contact list for the vulnerability to open up?

[Amailer]

Well it can travel through conversations so if someone added the attacker and that someone is somehow connected to you by someone elses... list.. yeah you'll get it. Anyhow.. is it just me or is msn.com and http://www.imagine-msn.com/messenger/ and etc screwed up? (links-- errors)

[Tony]

msn.com is noticably slow
messanger times out (well... my patience timed out and I closed the window)

as for the MSN's DP vulnerability -- I thought the person had to be on your list for DB to be displayed. Though I suppose it could be forced from the other side..

[md]

I think something else is affecting MSN, acuse DPs wouldn't affect the servers...

[Tony]

well there's that Bropia.F/Agabot.ajc worms (link) from few days ago. I'm suspecting that they forced the network down. Seems that webserver side of MSN division is affected as well.

[MihaiG]

is that how you got in my comp tony? adn martin grrr

[Martin]

Come now, that would be amateur.

[Amailer]

martin wrote:

Come now, that would be amateur.

LOL I think its time for the release! Come on!

[Dan]

Pff, i have been telling peoleop the DP in msn have been wrong since the day they came out.......that cases many problems and secuity realted issues. hostly i think msn whould probly be better off w/o them, but i run linux so i am safe from this crazyness =p

[Tony]

Hacker Dan wrote:

but i run linux so i am safe from this crazyness

me too - my computer won't boot up

[Martin]

Amailer wrote:

martin wrote:

Come now, that would be amateur.

LOL I think its time for the release! Come on!

Shhh!

Not yet.

[Drakain Zeil]

Ugh, the new WINKS!!! junk can only bring nothing good to the world...

Install Linux, get KDE running, run Kopete. Problem solved.