Windows Messenger ActiveX Control Bug Lets Remote Users Obtain Information and Perform Chat Functions
|
|
SecurityTracker Alert ID: 1020681 |
|
SecurityTracker URL: http://securitytracker.com/id/1020681
|
|
CVE Reference:
CVE-2008-0082
(Links to External Site)
|
Date: Aug 12 2008
|
Impact:
Disclosure of system information, Disclosure of user information, Modification of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 4.7, 5.1
|
Description:
A vulnerability was reported in Windows Messenger. A remote user can obtain information and initiate chat sessions.
A remote user can create specially crafted HTML that, when loaded by the target user, will exploit an ActiveX control (Messenger.UIAutomation.1) to perform actions on the target user's Messenger client. The remote user can change state, obtain contact information, and initiate audio and video chat sessions without the knowledge of the target user. The remote user can also login to a Messenger session using the target user's identity.
The CLSID of the vulnerable control is: B69003B3-C55E-4b48-836C-BC5946FC3B28
Haifei Li of Fortinet s FortiGuard Global Security Research Team reported this vulnerability.
|
Impact:
A remote user can obtain information and perform chat functions.
|
Solution:
The vendor has issued a fix. A patch matrix is available in the vendor's advisory.
The vendor's advisory is available at:
http://www.microsoft.com/technet/security/bulletin/ms08-050.mspx
|
Vendor URL: www.microsoft.com/technet/security/bulletin/ms08-050.mspx (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Windows (2000), Windows (2003), Windows (XP)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 12 Aug 2008 16:49:00 -0400
Subject: http://www.microsoft.com/technet/security/bulletin/ms08-050.mspx
|
Microsoft Security Bulletin MS08-050 – Important: Vulnerability in Windows Messenger Could Allow Information Disclosure (955702)
CVE-2008-0082
|
|
