Although no attacks based on the hole have been reported, the security community is bracing itself for at least some. MSN Messenger is used by over 130 million people worldwide, making it an attractive target. "I think we can expect to start seeing malicious activity soon," says Core Security product manager Max Caceres.
By Elizabeth Millard
February 11, 2005 10:50AM
Malicious code that can be used to take advantage of a hole in Microsoft's MSN Messenger has been published online, prompting widespread security advisories.
The code takes advantage of a flaw in an MSN Messenger component used to display Portable Network Graphics (PNG) files. Called "libpng," the component allows the viewing of icons, also known as "avatars."
Researchers at Boston-based Core Security discovered the hole in August and reported it to Microsoft then. Microsoft issued a patch on Tuesday for the vulnerability, and within hours the exploit code was online, said Core product manager Max Caceres.
"It was surprising, how fast it got put online," he told NewsFactor. "You don't usually see exploit code go into the wild within just three hours. That makes it kind of scary."
Plan of Attack
The vulnerability can be exploited when a Messenger user starts an online conversation with another instant messaging contact.
The avatar graphic is sent over the same channel used for text messages, so a specially crafted PNG image with a worm would trigger a buffer overflow on a user's system, allowing for arbitrary code execution.
Core has noted that an attack would travel through the chat session and pass unnoticed by firewalls, network intrusion systems and even host-based personal firewalls and antivirus software.
The threat is considered critical, said Caceres, because it requires no user interaction, such as downloading files to a hard drive.
Instead, merely opening the MSN Messenger application could launch an attack, without a user's knowledge. Especially worrisome is how a worm could wiggle through security measures.
"The attack is very likely to go unnoticed by the several layers of security countermeasures that are commonly used," Caceres said.
Although no attacks based on the hole have been reported, Caceres said the security community is bracing itself for at least some. MSN Messenger is used by over 130 million people worldwide, making it an attractive target.
"This vulnerability could allow for the launch of a serious worm," he noted. "I think we can expect to start seeing malicious activity soon."
Core, as well as other security firms and Microsoft, are urging users to download and install the software patch for the vulnerability, available on Microsoft's site.
Source: NewsFactor Network