Free online fixes have been made available to repair a buffer overflow security vulnerability found recently in Microsoft's free MSN Chat, MSN Messenger and Microsoft Exchange Instant Messenger programs.
In a critical security bulletin released this week by Microsoft, the company said the problem is a programming flaw called an unchecked buffer that essentially would allow an attacker to overwhelm a computer by sending it more information than the program can handle. Once overwhelmed, the machine would be vulnerable to just about any code or instructions sent to it by an attacker.
Christopher Budd, security programme manager at Microsoft's Security Response Centre in Redmond, Washington, says the potential vulnerability has been found in the MSN Chat control (an ActiveX control), MSN Messenger 4.5 and 4.6 (which include the MSN Chat control) and Microsoft Exchange Instant Messenger 4.5 and 4.6 (which also include the Chat control).
To fix the vulnerability, users of MSN Chat can log in to the website and automatically receive an update, while users of the affected MSN Messenger and Exchange programs can download updated versions of the software. A patch, intended largely for Microsoft's corporate customers, is also available; it won't repair the vulnerability, but will disable the Chat program.
The problem was first reported to Microsoft in late March after it was discovered by a technician working for network security vendor eEye Digital Security in Aliso Viejo, California.
The vulnerability can be exploited through e-mail, a malicious website or through any other method where Microsoft's Internet Explorer browser is used to display HTML that an attacker supplies, including software that uses an ActiveX module, according to eEye. All users of Internet Explorer are potentially affected, according to the company, and should install the updates.
The MSN Chat control isn't installed by default with any version of Windows or Internet Explorer and would have been installed by a user, according to Microsoft. The latest Windows operating system, Windows XP, includes a Windows Messenger program that is not affected by this vulnerability, according to the company. Windows XP users would be vulnerable only if they installed the MSN Chat control from MSN sites on their own.
Budd says Microsoft engineers used a development tool called Prefab to look for other possible vulnerabilities in the programs after the problems were reported. "Ultimately, software is a human enterprise ... and people make mistakes," he says. "When we perform an investigation like this, we do our best to look for and find anything that might be related."
Eric Hemmendinger, an analyst at Aberdeen Group in Boston, says businesses should be interested in such security announcements even if they're not officially deploying these applications for their workers. "Even if the business is not using it, but people inside the business are, then they are vulnerable and the business is," Hemmendinger says.