Microsoft Security Bulletin MS05-022 Vulnerability in MSN Messenger Could Lead to Remote Code Execution (896597)
Issued: April 12, 2005 Version: 1.0
Who should read this document: Customers who use MSN Messenger
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.
Security Update Replacement: This bulletin replaces a prior security update. See the frequently asked questions (FAQ) section of this bulletin for the complete list.
Tested Software and Security Update Download Locations:
Affected Software: •
MSN Messenger 6.2 – Download the update
Non-Affected Software: •
MSN Messenger 7.0
The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site. General Information
This update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Severity Ratings and Vulnerability Identifiers:
Impact of Vulnerability
MSN Messenger 6.2
MSN Messenger Vulnerability - CAN-2005-0562
Remote Code Execution
Aggregate Severity of All Vulnerabilities
This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Top of sectionTop of section
Frequently asked questions (FAQ) related to this security update
What updates does this release replace? This security update replaces a prior security update. The security bulletin ID and affected operating systems are listed in the following table:
MSN Messenger 6.2
Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required? No. MBSA does not support MSN Messenger, and will not detect whether the update is required for the affected software. However, Microsoft has developed a version of the Enterprise Update Scanning Tool (EST) that will help customers determine if the MSN Messenger security update is required.
For detailed information about the programs that MBSA currently does not detect, see Microsoft Knowledge Base Article 306460. For more information about MBSA, visit the MBSA Web site.
What is the Enterprise Update Scanning Tool (EST)? As part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer (MBSA) and the Office Detection Tool (ODT) cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Update Scanning Tool (EST) and is designed for enterprise administrators. When a version of the Enterprise Update Scanning Tool is created for a specific bulletin, customers can run the tool from a command line interface (CLI) and view the results of the XML output file. To help customers better utilize the tool, detailed documentation will be provided with the tool. There is also a version of the tool that offers an integrated experience for SMS administrators.
Can I use a version of the Enterprise Update Scanning Tool (EST) to determine whether this update is required? Yes. Microsoft has created a version of the EST that will determine if you need to apply this update. For more information about the version of the EST being released this month, see the following Microsoft Web site. For more detailed deployment information about the version of the EST being released this month, see the following Microsoft Web site.
There is also a version of this tool that SMS customers can obtain from the following Microsoft Web site. This tool may also be available for SMS customers from the SMS Web site.
Can I use Systems Management Server (SMS) to determine whether this update is required? No. SMS uses MBSA for detection and this update is not detected by MBSA. For information about SMS, visit the SMS Web site.
However, there is a version of the EST that SMS customers can obtain that offers an integrated experience for SMS administrators from the following Microsoft Web site.
The Security Update Inventory Tool is required for detecting Microsoft Windows and other affected Microsoft products. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460
For more information about SMS, visit the SMS Web site.
You can deploy this update by using the Inventory and Software Distribution feature of SMS. Top of sectionTop of section
MSN Messenger Vulnerability - CAN-2005-0562:
A remote code execution vulnerability exists in MSN Messenger that could allow an attacker who successfully exploited this vulnerable to take complete control of the affected system.
Mitigating Factors for MSN Messenger Vulnerability - CAN-2005-0562:
MSN Messenger, by default, does not allow anonymous people to send you messages. An attacker would first need to entice you to add them to your contacts list. Top of sectionTop of section
Workarounds for MSN Messenger Vulnerability - CAN-2005-0562:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section. •
Review all of the contacts currently in your contact list and remove or block any that you do not know, do not trust or no longer need. •
Do not agree to accept file transfers from contacts you do not know or trust. •
Block access to MSN Messenger and Web Messenger in a corporate environment. •
Block access to outgoing port 1863 in your corporate environment. Note MSN Messenger Service is connected through port 1863 when a direct connection is established. When a direct connection cannot be established, the MSN Messenger Service is connected through port 80. •
Block HTTP access to gateway.messenger.hotmail.com. If you would like to block access to MSN Web Messenger you will also need to block HTTP access to webmessenger.msn.com.
Impact of Workaround: MSN Messenger clients will not be able to connect to the MSN Messenger network Top of sectionTop of section
FAQ for MSN Messenger Vulnerability - CAN-2005-0562:
Is the MSN Messenger 7.0 beta affected by this vulnerability? Yes. This vulnerability was reported after the release of the MSN Messenger 7.0 beta. Customers running the 7.0 beta version on MSN Messenger are encouraged to upgrade to the released version of the software which is not vulnerable.
What is the scope of the vulnerability? This isa remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
What causes the vulnerability? MSN Messenger has the ability to render and view files in the GIF image format. A malformed GIF image with an improper height and width may not be processed properly by MSN Messenger.
What is GIF? GIF stands for Graphic Interchange Format. It is an older 256 color palette that was more compatible with the 8 bit video boards. It has since largely been replaced by the PNG and TIF graphics format.
What might an attacker use the vulnerability to do? An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability? An attacker would likely seek to exploit this vulnerability by convincing a user to add them to their contacts list, and sending a specially crafted emoticon or display picture.
What systems are primarily at risk from the vulnerability? Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability? Yes. Customers running an affected version of MSN Messenger should install the updated version of MSN Messenger.
What does the update do? The update removes the vulnerability by modifying the way MSN Messenger validates GIF files prior to processing them.
When this security bulletin was issued, had this vulnerability been publicly disclosed? No. Microsoft received information about this vulnerability through responsible disclosure.
How does this vulnerability relate to the PNG processing vulnerability that is corrected by MS05-009? Both vulnerabilities affected graphics formats. However, this update addresses a new vulnerability in a different type of graphics format that was not addressed as part of MS05-009. MS05-009 helps protect against the vulnerability that is discussed in that bulletin, but does not address this new vulnerability. This update does replace MS05-009 for MSN Messenger. Top of sectionTop of section Top of sectionTop of section Top of sectionTop of section
Security Update Information
For information about the specific security update for your affected software, click the appropriate link:
MSN Messenger 6.2
Prerequisites This security update requires MSN Messenger 6.2.
This update may require you to restart your computer.
This update cannot be uninstalled.
Verifying Update Installation
To verify that a security update is installed on an affected system, please perform the following steps:
Within MSN Messenger, Click Help, then About.
Check the version number.
If the Version number reads 6.2.208 or above the update has been successfully installed. Top of sectionTop of section Top of sectionTop of section
Microsoft thanks the following for working with us to help protect customers: •
Hongzhen Zhou for reporting the MSN Messenger Vulnerability (CAN-2005-0562).
Obtaining Other Security Updates:
Updates for other security issues are available at the following locations: •
Security updates are available in the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch." •
Updates for consumer platforms are available at the Windows Update Web site.
Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
Microsoft Software Update Services
Microsoft Baseline Security Analyzer (MBSA)
Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.
Software Update Services:
By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.
For more information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site.
Systems Management Server:
Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.
Note SMS uses the Microsoft Baseline Security Analyze, Microsoft Office Detection Tool, and the Enterprise Update Scanning Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
V1.0 April 12, 2005: Bulletin published