search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft MSN Messenger GIF processing buffer overflow

Vulnerability Note VU#633446

Original Release Date: 2005-04-12 | Last Revised: 2005-04-12

Overview

MSN Messenger clients before version 7.0 will allow remote attackers to take control of a computer if malicious GIF files are processed.

Description

Microsoft MSN Messenger is an instant messaging application that allows users to collaborate with people using text messages, voice and video communication, or by sending files. There is a buffer overflow vulnerability in a function MSN Messenger uses to process Graphic Interchange Format (GIF) image files. By sending a specially crafted GIF image file with unexpected height and width parameters, a remote attacker in a victim's contacts list could take control of a computer with the privileges of the affected user. Examples of GIF image files MSN Messenger typically processes include emoticons and display pictures.

Please note the updates from Microsoft in MS05-022 addressing this issue supercede those in MS05-009. MSN Messenger 7.0 BETA is affected by this issue.

Impact

Remote attackers may execute arbitrary code with the privileges of affected users. Microsoft notes MSN Messenger does not by default anonymous user messages. An attecker must be in a victim's contacts list.

Solution

Upgrade to either MSN Messenger 6.2.208 or MSN Messenger 7.0. Note MSN Messenger 7.0 BETA is affected by this issue.

Non-technical users should read the following document:

MSN Messenger Update Summary for April 2005
http://www.microsoft.com/security/bulletins/200504_msnmessenger.mspx

More technical details can be found in the following security bulletin from Microsoft:

Microsoft Security Bulletin MS05-022
Vulnerability in MSN Messenger Could Lead to Remote Code Execution (896597)
http://www.microsoft.com/technet/security/Bulletin/MS05-022.mspx

Workarounds


Microsoft has included the following potential workarounds in their technical security bulletin, MS05-022, about this issue:

Workarounds for MSN Messenger Vulnerability - CAN-2005-0562:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Review all of the contacts currently in your contact list and remove or block any that you do not know, do not trust or no longer need.
Do not agree to accept file transfers from contacts you do not know or trust.
Block access to MSN Messenger and Web Messenger in a corporate environment.
Block access to outgoing port 1863 in your corporate environment. Note MSN Messenger Service is connected through port 1863 when a direct connection is established. When a direct connection cannot be established, the MSN Messenger Service is connected through port 80.
Block HTTP access to gateway.messenger.hotmail.com. If you would like to block access to MSN Web Messenger you will also need to block HTTP access to webmessenger.msn.com.

Impact of Workaround: MSN Messenger clients will not be able to connect to the MSN Messenger network

Vendor Information

633446
 
Affected   Unknown   Unaffected

Microsoft Corporation

Updated:  April 12, 2005

Status

  Vulnerable

Vendor Statement

Non-technical users should read the following document:

MSN Messenger Update Summary for April 2005
http://www.microsoft.com/security/bulletins/200504_msnmessenger.mspx


For more technical details, please see the following security bulletin from Microsoft:

Microsoft Security Bulletin MS05-022
Vulnerability in MSN Messenger Could Lead to Remote Code Execution (896597)
http://www.microsoft.com/technet/security/Bulletin/MS05-022.mspx

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Microsoft has thanked Hongzhen Zhou in technical security bulletin MS05-022

This document was written by Jeffrey S. Havrilla.

Other Information

CVE IDs: CVE-2005-0562
Severity Metric: 23.63
Date Public: 2005-04-12
Date First Published: 2005-04-12
Date Last Updated: 2005-04-12 22:33 UTC
Document Revision: 11

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.