PGP SIGNED MESSAGE-----
CA-2002-13 Buffer Overflow in Microsoft's MSN Chat ActiveX
release date: May 10, 2002
Last revised: --
revision history can be found at the end of this file.
Windows systems with one or more of the following:
* Microsoft MSN Chat control
* Microsoft MSN Messenger 4.6 and prior
* Microsoft Exchange Instant Messenger 4.6 and prior
MSN Chat is an ActiveX control for Microsoft Messenger, an
instant messenging client. A buffer overflow exists in the ActiveX
control that may permit a remote attacker to execute arbitrary code
the system with the privileges of the current user.
overflow exists in the "ResDLL" parameter of the MSN Chat
ActiveX control that may permit a remote attacker to execute arbitrary
code on the system with the privileges of the current user. This
vulnerability affects MSN Messenger and Exchange Instant Messenger
users. Since the control is signed by Microsoft, users of Microsoft's
Internet Explorer (IE) who accept and install Microsoft-signed ActiveX
controls are also affected. The Microsoft MSN Chat control is also
available for direct download from the web.
tag could be used to embed the ActiveX control in a web
page. If an attacker can trick the user into visiting a malicious site
or the attacker sends the victim a web page as an HTML-formatted email
or newsgroup posting then this vulnerability could be exploited. This
acceptance and installation of the control can occur automatically
within IE for users who trust Microsoft-signed ActiveX controls. When
the web page is rendered, either by opening the page or viewing the
page through a preview pane, the ActiveX control could be invoked.
Likewise, if the ActiveX control is embedded in a Microsoft Office
(Word, Excel, etc.) document, it may be executed when the document is
to the Microsoft Advisory (MS02-022):
to note that this control is used for chat rooms on
several MSN sites in addition to the main MSN Chat site. If you
have successfully used chat on any MSN-site, you have downloaded
and installed the chat control.
has published information on ActiveX in Results of the
Security in ActiveX Workshop (pdf) and CA-2000-07.
is also being referenced as CAN-2002-0155:
attacker may be able to execute arbitrary code with the
privileges of the current user.
a patch from your vendor
has released a patch, a fixed MSN Chat control, and upgrades
to address this issue. It is important that all users apply the patch
since it will prevent the installation of the vulnerable control on
systems that have not already installed it.
location for the patch:
location for updated version of MSN Messenger with the
location for updated version of Exchange Instant Messenger
with the corrected control:
also suggests that the following Microsoft mail products:
Outlook 98 and Outlook 2000 with the Outlook Email Security Update,
Outlook 2002, and Outlook Express will block the exploitation of this
vulnerability via email because these products will open HTML email
the Restricted Sites zone.
mitigation strategies include opening web pages and email
messages in the Restricted Sites zone and using email clients that
permit users to view messages in plain-text. Likewise, it is important
for users to realize that a signed control only authenticates the
origin of the control and does not imply any information with regard
to the security of the control. Therefore, downloading and installing
signed controls through an automated process is not a secure choice.
A. - Vendor Information
contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If
particular vendor is not listed below, please check the Vulnerability
Note (VU#713779) or contact your vendor directly.
acknowledges the eEye Team for discovering and reporting
on this vulnerability and thanks Microsoft for their technical
can be directed to the author: Jason A. Rafail
is available from:
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
prefer to use DES, please call the CERT hotline for more
and other security information are available from
our web site
to the CERT mailing list for advisories and bulletins,
send email to firstname.lastname@example.org. Please include in the body of your
and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
for use, disclaimers, and sponsorship information
2002 Carnegie Mellon University.
May 10, 2002: Initial release
Version: PGP 6.5.8
-----END PGP SIGNATURE-----