New risk: Bogus MSN Messenger video invites
- 29 August, 2007 20:42
Last week, it was a webcam flaw in Yahoo Messenger that could leave you vulnerable to attack if you clicked a link to a malicious video conversation invitation. Now, researchers have found a similar hole in Microsoft's MSN Messenger.
(As with the Yahoo Messenger flaw, Ryan Naraine, who publishes the Zero Day blog, was one of the first to spot this one.)
Unlike the Yahoo Messenger hole -- which has been patched -- there is already proof-of-concept exploit code available in what SecurityFocus chillingly calls an "exploit pack." However, the discoverer's site -- team509 -- is mostly in Chinese.
Danish security researcher Secunia rates this as "highly critical" -- their second-highest severity rating. The affected versions are MSN Messenger 7.x and 6.x. Microsoft confirmed it is "investigating" the hole and in the meantime is urging users to upgrade from MSN Messenger to Windows Live Messenger 8.1, which has been out since February.
An e-mailed statement attributed to Christopher Budd, security program manager for Microsoft, states:
"Our investigation so far shows that the latest version, Windows Live Messenger 8.1, is not vulnerable to this issue .... As a best practice, we always recommend running the most recent version of Windows Live Messenger for the latest security and reliability updates."
Like the Yahoo Messenger flaw, you can be attacked if you click to accept a video conversation invitation that's been booby trapped. The exploit is similar too -- it's another buffer overflow vulnerability. So as always, think before you click.
And while we're waiting for Microsoft to patch this one, it's probably a good idea to upgrade to Windows Live Messenger 8.1.