NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > NTBugtraq> 2004-q1

Alert: Microsoft Security Bulletin MS04-010 - Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)

From: Russ (Russ.CooperRC.ON.CA)
Date: Tue Mar 09 2004 - 19:08:57 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Microsoft Security Bulletin MS04-010:
Vulnerability in MSN Messenger Could Allow Information Disclosure
(838512)

Bulletin URL:
http://www.microsoft.com/technet/security/bulletin/MS04-010.mspx

Summary:
Version Number: V1.0
Revision Date: 03-09-2004
Impact of Vulnerability: Information Disclosure
Maximum Severity Rating: Moderate
Patch(es) Replaced: None
Caveats: None
CVE Number(s): CAN-2004-0122

Tested Software:
Affected Software:
* Microsoft MSN Messenger 6.0
<http://www.ntbugtraq.com/link/MS04-010-0.asp>
* Microsoft MSN Messenger 6.1
<http://www.ntbugtraq.com/link/MS04-010-1.asp>

Software Not Affected:
* Windows Messenger (All versions)

Technical Description:

A security vulnerability exists in Microsoft MSN Messenger. The
vulnerability exists because of the method used by MSN Messenger to
handle a file request. An attacker could exploit this vulnerability by
sending a specially crafted request to a user running MSN Messenger. If
exploited successfully, the attacker could view the contents of a file
on the hard drive without the user's knowledge as long as the attacker
knew the location of the file and the user had read access to the file.
To exploit this vulnerability, an attacker would have to know the
sign-on name of the MSN Messenger user in order to send the request.

This email is sent to NTBugtraq automagically as a service to my
subscribers. (v3)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you''ll have to copy their email address out of the message and place it in your TO: field.
-----

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]