Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20359
HistoryAug 15, 2008 - 12:00 a.m.

Microsoft Windows Messenger Remote Illegal Access Vulnerability

2008-08-1500:00:00
vulners.com
15
JSON

Microsoft Windows Messenger Remote Illegal Access Vulnerability

by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net

Summary:

A remote illegal access vulnerability exists in Microsoft Windows

Live Messenger. A vicious attacker can control the Live Messenger via
constructing a malicious web page, once the victim visits this page,
the attacker can control the local Live Messenger, including
disclosing personal sensitive information of Live Messenger,
transferring local audio and video information to remote and so on.

Affected Software Versions:

Microsoft Windows Live Messenger 4.7 on Windows XP and Windows Server 2003
Microsoft Windows Live Messenger 5.1 on Windows 2000, Windows XP

and Windows Server 2003

Details:

When installing Windows XP, an old edition of MSN Messenger is

installed automatically. The old edition opens the MSN API to develop
as an ActiveX Control, and marks it with "safe".

By using this ActiveX Control, we can control the local MSN

Messenger, for instance: change state, gain current login ID, steal
contact-person's information, send mail using the victim's name, and
so on, all of these functions given by this feature can be considered
to be security problems.

Even the user installs a higher edition of MSN Messenger(Windows

Live Messenger), this ActiveX control will not be removed. By using
this we will still be allowed to visit the local Live Messenger.

Solution:

Microsoft has released an advisory for this vulnerability which

can be found at:

http://www.microsoft.com/technet/security/bulletin/ms08-050.mspx

CVE Information:

CVE-2008-0082

Disclosure Timeline:

2007.05.31        Vendor notified
2007.05.31        Vendor responded
2008.XX.XX        Advisory delayed by the vendor many times
2008.08.12        Coordinated public disclosure

–EOF–

Related

checkpoint_advisories 2
securityvulns 2
seebug 2
prion 1
openvas 2
cve 1
nessus 1
checkpoint_advisories
checkpoint_advisories
MSN Messenger UIAutomation ActiveX Control Information Disclosure (MS08-050; CVE-2008-0082)
2008-06-07 00:00:00
MSN Messenger UIAutomation ActiveX Control Information Disclosure (MS08-050) - Ver2 (CVE-2008-0082)
2014-03-03 00:00:00
securityvulns
securityvulns
Microsoft Messenger unauthorized ActiveX access
2008-08-15 00:00:00
Microsoft Security Bulletin MS08-050 – Important Vulnerability in Windows Messenger Could Allow Information Disclosure (955702)
2008-08-12 00:00:00
seebug
seebug
Microsoft Windows Messenger ActiveX控件信息泄露漏洞(MS08-050)
2008-08-15 00:00:00
Microsoft Windows Messenger Remote Illegal Access Vulnerability
2008-08-20 00:00:00
prion
prion
Code injection
2008-08-13 00:41:00
openvas
openvas
Windows Messenger Could Allow Information Disclosure Vulnerability (955702)
2008-08-19 00:00:00
Windows Messenger Could Allow Information Disclosure Vulnerability (955702)
2008-08-19 00:00:00
cve
cve
CVE-2008-0082
2008-08-13 00:41:00
nessus
nessus
MS08-050: Vulnerability in Windows Messenger Could Allow Information Disclosure (955702)
2008-08-13 00:00:00
JSON
Related for SECURITYVULNS:DOC:20359
checkpoint_advisories2securityvulns2seebug2prion1openvas2cve1nessus1