MSN Messenger video-based exploit revealed

By on
MSN Messenger video-based exploit revealed

Security experts are advising users of MSN Messenger to be wary of untrusted web cam conversations after exploit code was posted today for a zero-day vulnerability in the instant messaging (IM) application.

The bug, rated "highly critical" by tracking firm Secunia, can be exploited when a victim accepts a malicious video from an attacker, prompting a heap-based buffer overflow.

Results may range from a system crash to arbitrary code execution.

The exploit, published on a Chinese hacker site, affects MSN Messenger versions 6 and 7. No fix is available, but Secunia’s advisory recommends affected users upgrade to Version 8, which is not impacted by the vulnerability.

A Microsoft spokesman told SCMagazine.com today that the software giant was investigating the report and that it encouraged all MSN Messenger users to upgrade to version 8.1.

SANS Internet Storm Center handler Maarten Van Horenbeeck said today on the organization’s blog that although Microsoft has not yet confirmed the vulnerability, users should not "accept untrusted video conversation sessions at this time."

The reported flaw comes on the same day that IM security provider Akonix released monthly stats showing IM threats nearly doubled from July to August.

"This is actually something new," Don Montgomery, vice president of marketing at San Diego-based Akonix, told SCMagzine.com today.

"Most of the attacks use IM as a conduit for either a payload within a file attached to the message or the socially engineered text of a message contains a poison URL."

Montgomery said attackers are catching on to the increasing corporate use of IM.

"Our thought is that using IM as a target gets more attractive as more people use IM at work," he said. "If you can infect a corporate PC inside the firewall and then propagate inside that network unmolested, you can do a lot of things."

That includes installing keyloggers or spyware or spreading spam, he said. 
Got a news tip for our journalists? Share it with us anonymously here.
Tags:
exploit messenger msn revealed security videobased

Most Read Articles

Researchers say not to use myGovID until login flaw is fixed

Researchers say not to use myGovID until login flaw is fixed
Aussie Broadband boss says NBN Co could change price construct in months, if it wanted to

Aussie Broadband boss says NBN Co could change price construct in months, if it wanted to
'Zerologon' Windows domain admin bypass exploit released

'Zerologon' Windows domain admin bypass exploit released
Optus, Vocus score first deals in ATO telco carve-up

Optus, Vocus score first deals in ATO telco carve-up
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

A Migration Guide For Businesses Switching Mobile Device Management Solutions
A Migration Guide For Businesses Switching Mobile Device Management Solutions
Plan your post-COVID security strategy
Plan your post-COVID security strategy
The Executive's Guide To The Future Of Work
The Executive's Guide To The Future Of Work
Government Digital Transformation Requires Customer Obsession
Government Digital Transformation Requires Customer Obsession
Master the fundamentals of AWS cost efficiency
Master the fundamentals of AWS cost efficiency

Events

Log In

Username / Email:
Password:
  |  Forgot your password?