SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Instant Messaging/IRC/Chat)  >   Windows Messenger Vendors:   Microsoft
Windows Messenger ActiveX Control Bug Lets Remote Users Obtain Information and Perform Chat Functions
SecurityTracker Alert ID:  1020681
SecurityTracker URL:  http://securitytracker.com/id/1020681
CVE Reference:   CVE-2008-0082   (Links to External Site)
Date:  Aug 12 2008
Impact:   Disclosure of system information, Disclosure of user information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.7, 5.1
Description:   A vulnerability was reported in Windows Messenger. A remote user can obtain information and initiate chat sessions.

A remote user can create specially crafted HTML that, when loaded by the target user, will exploit an ActiveX control (Messenger.UIAutomation.1) to perform actions on the target user's Messenger client. The remote user can change state, obtain contact information, and initiate audio and video chat sessions without the knowledge of the target user. The remote user can also login to a Messenger session using the target user's identity.

The CLSID of the vulnerable control is: B69003B3-C55E-4b48-836C-BC5946FC3B28

Haifei Li of Fortinet s FortiGuard Global Security Research Team reported this vulnerability.

Impact:   A remote user can obtain information and perform chat functions.
Solution:   The vendor has issued a fix. A patch matrix is available in the vendor's advisory.

The vendor's advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms08-050.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms08-050.mspx (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (2000), Windows (2003), Windows (XP)
Underlying OS Comments:  2000 SP4, XP SP3, 2003 SP2; and prior service packs

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC