The bug, rated "highly critical" by tracking firm Secunia, can be exploited when a victim accepts a malicious video from an attacker, prompting a heap-based buffer overflow.
Results may range from a system crash to arbitrary code execution.
The exploit, published on a Chinese hacker site, affects MSN Messenger versions 6 and 7. No fix is available, but Secunia’s advisory recommends affected users upgrade to Version 8, which is not impacted by the vulnerability.
A Microsoft spokesman told SCMagazine.com today that the software giant was investigating the report and that it encouraged all MSN Messenger users to upgrade to version 8.1.
SANS Internet Storm Center handler Maarten Van Horenbeeck said today on the organization’s blog that although Microsoft has not yet confirmed the vulnerability, users should not "accept untrusted video conversation sessions at this time."
The reported flaw comes on the same day that IM security provider Akonix released monthly stats showing IM threats nearly doubled from July to August.
"This is actually something new," Don Montgomery, vice president of marketing at San Diego-based Akonix, told SCMagzine.com today.
"Most of the attacks use IM as a conduit for either a payload within a file attached to the message or the socially engineered text of a message contains a poison URL."
Montgomery said attackers are catching on to the increasing corporate use of IM.
"Our thought is that using IM as a target gets more attractive as more people use IM at work," he said. "If you can infect a corporate PC inside the firewall and then propagate inside that network unmolested, you can do a lot of things."
That includes installing keyloggers or spyware or spreading spam, he said.
MSN Messenger video-based exploit revealed
By
Dan Kaplan
on
Aug 29, 2007 10:40AM

Security experts are advising users of MSN Messenger to be wary of untrusted web cam conversations after exploit code was posted today for a zero-day vulnerability in the instant messaging (IM) application.
Got a news tip for our journalists? Share it with us anonymously here.
Sponsored Whitepapers
Planning before the breach: You can’t protect what you can’t see
Beyond FTP: Securing and Managing File Transfers
NextGen Security Operations: A Roadmap for the Future

Video: Watch Juniper talk about its Aston Martin partnership
Don’t pay the ransom: A three-step guide to ransomware protection