Today Core Technologies discovered a leak in MSN Messenger which can be used to take over a users computer using a buffer overflow.
Core researchers discovered that by selecting a specially-crafted graphic as the user’s display picture in MSN Messenger, an attacker could trigger a buffer overflow vulnerability on the chat partner’s computer and surreptitiously take over machines running instant messaging software. The attack would travel through the established chat session and would pass unnoticed by firewalls, network intrusion detection systems and even host-based personal firewalls and antivirus software.
Windows Media Player is also vulnerable. As are users who installed SP2 to update their Windows XP installation. This is because an attack uses the chat session. Windows Messenger and MSN Messenger 7 are not affected.
At the moment Neowin is reporting downtime of the MSN Messenger network (status-page is unavailable, use phpMsgrStats for the cached status). The downtime is unrelated to the vulnerability found by Core Technologies.
Vulnerability Specifics: The MSN Messenger protocol allows for the transmission of images between users during electronic conversations. The image format used to transfer those images is called Proprietary Network Graphics (PNG). When a user selects a picture to be displayed, Messenger converts it to the PNG format, with a fixed size and encoding characteristics. These images are then transmitted over the same communication channel used to exchange text messages. By sending a specially crafted PNG image, an attacker can trigger a buffer overflow and execute arbitrary code on the chat partner’s machine.