Microsoft Security Bulletin MS04-010
Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)
Issued: March 9, 2004
Who should read this document:
Customers who are using Microsoft® MSN Messenger
Impact of vulnerability:
Maximum Severity Rating:
Customers should consider applying the security update.
Security Update Replacement:
Tested Software and Security Update Download Locations:
• Microsoft MSN Messenger 6.0 - Download the update
• Microsoft MSN Messenger 6.1 - Download the update
Non Affected Software:
• Windows Messenger (All versions)
The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.
Top of section
A security vulnerability exists in Microsoft MSN Messenger. The vulnerability exists because of the method used by MSN Messenger to handle a file request. An attacker could exploit this vulnerability by sending a specially crafted request to a user running MSN Messenger. If exploited successfully, the attacker could view the contents of a file on the hard drive without the user's knowledge as long as the attacker knew the location of the file and the user had read access to the file.
To exploit this vulnerability, an attacker would have to know the sign-on name of the MSN Messenger user in order to send the request.
• An attacker must know the sign-on name of the user
• If the user has blocked receiving messages from anonymous users not on their contact list by placing "All Others" in their block list, the attacker's messenger account must be on the user's allow list to exploit the vulnerability.
• The attacker could access files that the user had read access to. If the user is logged into the computer with restricted privileges this would limit the files that the attacker could access.
Microsoft MSN Messenger 6.0
Microsoft MSN Messenger 6.1
The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2004-0122
Top of section
Frequently Asked Questions
What is the scope of the vulnerability?
This is an Information Disclosure vulnerability. An attacker who exploited this vulnerability could view the contents of a file on the hard drive without the user's knowledge if the attacker knew the exact location of the file.
What causes the vulnerability?
A vulnerability results because of the method used by MSN Messenger to handle a file request between two MSN Messenger accounts. The method used to handle the request does not validate certain contents of the request when creating the session.
What is MSN Messenger?
MSN Messenger is an instant messaging program that allows users to send instant messages to each other, or create other peer to peer sessions such as sharing voice, video, or sending files. More information about MSN Messenger can be found at the following Web site.
What is Windows Messenger?
Windows Messenger is also an instant messaging program that allows similar functionality to MSN Messenger. Windows XP comes with Windows Messenger, which remains available even after MSN Messenger 6.1 is installed on a computer. Windows Messenger can connect to the Communications Service and Exchange Instant Messaging, which are only used in corporations. More information about Windows Messenger can be found at the following Web site.
Does the vulnerability apply to Windows Messenger as well?
No - the vulnerability is unique to the method of validating file requests utilized by MSN Messenger.
What is wrong with the way that MSN Messenger handles file requests?
The vulnerability results from the way MSN Messenger validates a file request. It is possible for an attacker to craft a request in such a way that MSN Messenger could allow the request to view a file on the hard drive.
Why does this pose a security vulnerability?
The vulnerability could provide a way for an attacker to view confidential files or view user names or passwords, although the attacker would have no way to edit or change the files.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could have read access to any file the user had access to if the attacker knew the location of the file. There would not be any indication to the user that the attacker was attempting to read the files.
Who could exploit the vulnerability?
A user with MSN Messenger and the knowledge of a specific user sign-on name could seek to exploit the vulnerability.
What does the update do?
The update removes the vulnerability by modifying the handling of file requests by MSN Messenger.
Top of section
Security Update Information
Installation Platforms and Prerequisites:
For information about the specific security update for your platform, click the appropriate link:
MSN Messenger 6.0 or 6.1
This security update requires Microsoft Windows.
This update may require you to restart your computer.
This update cannot be uninstalled.
Verifying Update Installation
To verify that a security update is installed on an affected system, please perform the following steps:
Within MSN Messenger, Click Help, then About.
Check the version number.
If the Version number reads 6.1 (6.1.0211) the update has been successfully installed.
Top of section
Top of section
Microsoft thanks the following for working with us to help protect customers:
• qFox and Mephisto for reporting the issue in MS04-010.
Obtaining other security updates:
Updates for other security issues are available from the following locations:
• Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
• Updates for consumer platforms are available from the WindowsUpdate Web site.
• Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates.
• International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at the International Support Web Site.
Security Resources for Windows:
• The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
• V1.0 March 9, 2004: Bulletin published