Monday, September 24, 2007

MSN and MS-Agent exploits

Two vulnerabilities rated high in Microsoft software have been publicly disclosed, and patches have been released for both!

One of them, affecting the Windows OS, is the MS Agent vulnerability explained in http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx. It pretty much affects those using Windows 2000 with SP4 (most likely a lot of W2K users). The attack requires that you choose to access a vulnerable (or malicious) website. Mitigating factors include disabling MS Agent or, more effectively, not getting too "friendly" on the WWW, and getting that patch.

MSN Messenger (and Windows Live Messenger) is also vulnerable to an exploit that places malicious code inside the request to ACCEPT AN INVITATION FOR VIDEO CHAT. I regard this as quite dangerous, as this particular type of vulnerability can easily be scripted and thus spawn the network for vulnerable sources. The MS KB article here explains it all: http://www.microsoft.com/technet/security/Bulletin/MS07-054.mspx. This particular attack does, however, require user interaction: an "accept" response is required for the exploitation to succeed. Also, if you have UAC turned on in Vista, a compromise will most likely trigger the UAC prompt to allow administrative rights. This is when you say no, if all else has failed up to this point.

Does this affect you? Most likely if you use Windows 2000 or Windows Live Messenger or both.

How bad is it? Remote exploitation is possible, and the exploit can run in the context of the currently logged-on user.



Both problems have been reported responsibly and Microsoft has publicly released related patches. Please update your software.
