Operating System:

Published:

08 May 2002

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2002.218 -- Microsoft Security Bulletin MS02-022
 Unchecked Buffer in MSN Chat Control Can Lead to Code Execution (Q321661)
                                9 May 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                MSN Messenger 4.5
                        MSN Messenger 4.6
                        Exchange Instant Messenger 4.5
                        Exchange Instant Messenger 4.6
                        MSN Chat Control
Vendor:                 Microsoft
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      Unchecked Buffer in MSN Chat Control Can Lead to Code
            Execution (Q321661)
Date:       08 May 2002
Software:   MSN Chat, MSN Messenger, Exchange Instant Messenger
Impact:     Run Code of Attacker's Choice
Max Risk:   Critical
Bulletin:   MS02-022

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-022.asp.
- - ----------------------------------------------------------------------

Issue:
======
The MSN Chat control is an ActiveX control that allows groups of
users to gather in a single, virtual location online to engage in
text messaging. The control is offered for download as a single
ActiveX control from a number of MSN sites. In addition, it is
included with MSN Messenger since version 4.5 and Exchange Instant
Messenger. While the MSN Chat control is included with these
products it is not used to provide Instant Messaging functionality,
but rather to add chat functionality to those products. 

An unchecked buffer exists in one of the functions that handles
input parameters in the MSN Chat control. A security
vulnerability results because it is possible for a malicious user
to levy a buffer overrun attack and attempt to exploit this flaw.
A successful attack could allow code to run in the user's context. 

It would be possible for an attacker to attempt to exploit
this vulnerability either through a malicious web site or through
HTML email. However, Outlook Express 6.0 and the
Outlook Email Security Update, which is available for
Outlook 98 and Outlook 2000, Outlook 2002 and can thwart such
attempts through their default security settings.

Mitigating Factors:
====================
 - A successful attack would require that the user have installed
   the MSN Chat control, MSN Messenger, or
   Exchange Instant Messenger. 

 - The MSN Chat control does not install with any version of
   Windows or Internet Explorer by default.
 
 - Windows Messenger which ships with Windows XP does not
   include the MSN Chat control. Windows XP users would be
   vulnerable only if they have chosen to install the MSN Chat
   control from MSN sites. 

 - The HTML email attack vector is blocked by the following
   Microsoft mail products: 
    - Outlook 98 and Outlook 2000 with the 
      Outlook Email Security Update
    - Outlook 2002
    - Outlook Express. 
   This is because these products all open HTML email in the
   Restricted Sites zone by default.

Risk Rating:
============
 - Internet systems: Low
 - Intranet systems: Low
 - Client systems: Critical

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-022.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - eEye Digital Security (http://www.eeye.com)

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES 
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF 
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS 
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO 
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR 
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPNlrQ40ZSRQxA/UrAQFu3wf/XjuQfnZ/nIrxVHyktSTqRxfeqNe5WR5k
6uAlV7GjauIrJx0/1iYHs/R1xUi5s+XnbiPOkuqvQCYRzuLmC95mTVx9hsjHzVa7
uIgewU/tl4RMb86Sxd0MHDmUrJc7yrCXcQJ9vMoLrHuvWDimx2Q/GBUh6PeHLfGQ
YseLfdpjfZsT72v84Z4jd1qoKMZkye5Yfd25zvl2bKK1h9TH66yverPLqGiCEbqz
MdRwrwY1pQ4trhYheE8ckfFQ6/kayROgxzeY7bahRAESbP/b8Z0lbOgk7JNYfutJ
GrDMCsP5Jfap4EqM7AarYJebOAJWu9JUvZw1OEoS7hhsmA8yIFfzxA==
=0AHk
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPNphBSh9+71yA2DNAQFO2AQAhf3Mm+2Zuzzr7NEr+GEe1cNvgdN6WVkw
P70I4xsgELDRB1QscGonNZ2c6ukl3AQFWPTpre2wIMqxXo2UlhWDnbbyGAAol9+E
JBHK+MemAjnt3w8kjEViyDInFDwDj32tAr0/k+nQ789ipvO4Yb+S0DsD+QubY7aw
UNO023EKCJA=
=VEWd
-----END PGP SIGNATURE-----