9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.953 High
EPSS
Percentile
99.3%
MSN Messenger fails to properly handle webcam streams, which may allow a remote attacker to execute arbitrary code.
MSN Messenger is an instant messaging application. Starting with version 8, MSN Messenger was renamed to Windows Live Messenger. Windows Live Messenger and some versions of MSN Messenger support the use of webcams. MSN Messenger and Windows Live Messenger appear to require user interaction to connect a webcam stream.
MSN Messenger and Windows Live Messenger contain a heap overflow in the handling of a malformed webcam streams. Exploit code for this vulnerability is publicly available.
By convincing a user to accept a webcam invitation, a remote attacker may be able to execute arbitrary code with the privileges of the user.
Apply an update
This issue is addressed by Microsoft Security Bulletin MS07-054. This update provides fixed versions of MSN Messenger 6.2, 7.0, 7.5, and Windows Live Messenger 8.0
Do not accept webcam invitations
If you are unable to install a fixed version, do not accept any webcam invitations, regardless of the source.
166521
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: August 22, 2007 Updated: August 28, 2007
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
This vulnerability was publicly reported by team509.
This document was written by Will Dormann.
CVE IDs: | CVE-2007-2931 |
---|---|
Severity Metric: | 3.54 Date Public: |