Main/News >
MSN Security (you
are here)
Main/News >
MSN Security (you
are here)
MSN
SECURITY
Here's
some information on MSN's security issues, other than the regular "Never
accept files or links from people you don't know and always scan every received
one before opening it!".
Electrophreak
discovered a huge problem with Microsoft's Passport sites: cookies can
be "stolen" by abusing an XSS hole in forms on several MSN
subsites (eg. MSN Entertainment). The exploit is very dangerous when executed
from a bad ass website that redirects visitors to an MSN site, automatically
executing a mailicious JavaScript which sends your cookie to the hacker. Doing
so, the hacker can take over your Passport identity and, for example,
log into your Hotmail account.
Electrophreak advises to sign out of Passport every time. If you use MSN Messenger, you're dead meat because when loggin on, you sign into Passport as well... and stay signed it. That's why MSN Messenger users better disable Active Scripting (for a good explanation on how to do that, click the previous link or click here).
"MSN
Messenger vulnerable to hackers"? Duh! Read the
Nando Times article. Source: NeoWin.net.
Did you hear about the e-mail worm
yet that could allow attackers to take over
their machines and send instant messages
using MSN Messenger? Read PCWorld's article here.
CRASH HEADER CODE
Another MSN Messenger Messenger exploit exposed. More details at MSN|Fanatic.
Heavy_K
released a stand-alone
crash antidote
to run along your MSN Messenger just until Microsoft shows up with a new build.
Download and run Heavy
K's MSN Anti Crash
if you're experiencing sudden crashes of MSMSGS.EXE.
Instructions:
1) After starting Messenger start AntiCrash.exe to enable the protection.
2) Whenever someone tries to crash you, a dialog box will pop up telling
you who tried it. You can talk to him/her then, because you won't crash :-)
3) Run StopAntiCrash.exe before you quit Messenger to stop the protection
again. You won't be able to quit Messenger while the protection is running.
Source: Heavy_K
zlib COMPRESSION LIBRARY CORRUPTS MALLOC DATA STRUCTURES
VIA DOUBLE FREE
"There is a security vulnerability in zlib 1.1.3 that can be exploited by providing a specially crafted invalid compressed data stream to zlib's decompression routines that results in zlib attempting to free the same memory twice. On many systems, freeing the same memory twice will crash the application. Such "double free" vulnerabilities can be used in denial-of-service attacks, and it is remotely possible that the vulnerability could be exploited in some application to execute arbitrary code with that application's permissions. There have been no reports of any exploitations of this problem, but the vulnerability exists nevertheless."
Source: Zlib Advisory 2002-03-11
There's nothing much you can do, really. Microsoft will probably fix this themselves in a next version.
INSTANT MESSAGE WORM - CONTACT LIST EXPLOIT
Here's what Bill and C° has to say:
"If you receive an unsolicited instant message directing you to go to an unknown Web site, please do not click on the link (*). There is an updated version of MSN Messenger available that you can download from http://messenger.microsoft.com that addresses this issue. Microsoft highly recommends that you take additional precautionary measures, by installing the Internet Explorer patch that is available here. We appreciate your patience and apologize for any inconvenience.
1) Download the latest Internet Explorer Security Update
Microsoft highly recommends that you update your Internet Explorer to the latest version available (Internet Explorer 5.5 or later) and download the latest security update to ensure a safe MSN Messenger experience. This update eliminates security vulnerabilities affecting Internet Explorer 5. 5 Service Pack 2 (SP2) and Internet Explorer 6, and MSN Explorer. For more information please click here.
2) MSN Messenger Friendly Name
Microsoft ships a control with MSN Messenger that allows Web sites to show your Messenger contact’s friendly name (e.g. 'John Smith') and make it quick and easy to establish communication with them. It was brought to our attention that this feature may be co-opted by malicious Web sites to collect this information. Microsoft has released an updated version of MSN Messenger that does not allow third party Web sites to obtain this information. To install the updated version please click here."
Source: .Net Messenger Service - Known Issues
Test your online MSN security and learn more about the exploit script at Superguy's site (it's completely safe to go there).
(*) The message often appear in the Times
New Roman font and in black.
Some of the sites on our shitlist:
- "http://www.angelfire.com/amiga/mynewpage"
- "http://maxall.d2g.com/index3.html"
- "http://members.chello.nl/~a.geesing/stopmsnhack.html"
- "http://denniz.com/valentijn.html"
- "http://users.pandora.be/weedy/pics.htm"
-
"http://www.n00bs.be"
- "http://users.pandora.be/fusion"
- "http://www.inx.net/~louis/intrigue.htm"
- and lots of
other URLs possible...
Don't click/visit these links. So what happens if you do? They activate
a malicious
script that automatically sends that same message to all your online contacts.
Some sites might even cause serious trouble, so pay EXTRA attention. Thanks
for the info, Superguy, Jae, Timothy, Craven and Dan!
MSN CONTACT LIST DISCLOSURE
"Register an account for MSN messenger, make some contact email addresses, leave the account for 31 days. On a different machine (to ensure there's no cache), go to the sign up section of MSN messenger, sign up again, using the same screen name. You'll be able to see the previous user's contact list.
None of the contacts will have been alerted to the fact that the new username actully belong to an entirely different person, so they'll still be sending messages, and if the new user is a haxor, (s)he'll be replying just as if (s)he's the original user.
I alerted Microsoft on monday, and have recieved no reply. so there. :)"
Taken from a mail by Tom Micklovitch to BugTraq on Security Focus.
MSN MESSENGER PRIVACY
Bughunter Richard Antony Burton caused rumble in the Instant Messaging jungle, when he tracked down a (major?) security hole in MSN Messenger on the 2nd of February 2002:
"By default, everyone
has access to your display name and those of your contacts,
but only Microsoft can get your email address
this way. However third parties could get access
to the email addresses, by simply adding a single
entry to your registry. That would require a
little more effort, but is easily done.
e.g. Installing software which contains "spyware" or "adware"
(such as Kazaa, Go!Zilla, Direct Connect, etc.*), could easily add such an entry
to your registry. After that you could be sending your email address to them
every time your computer loads an advertising banner from their site."
For more information, consult his homepage and also check out the workarounds and several updates on the 5th, 6th and 7th of February. More Microsoft security stories at CNET.com.
AntiVirus
eXpert PLUG-IN
1)
Detection for over 50,000 viruses, trojans, worms, and other hostile applications.
2) Updated daily Virus scans within many archive formats (Zip, Arj, Rar,
Lha, Lzh, Ace, Cab, Gz, Tar)
3) No communication hindrance
4) Monitors, intercepts and virus scan's all files received
5) Designed around plug-in technology for quick addition of new features
Register
with Central Command
to receive FREE P2P Anti-Virus Software for MSN Messenger.
Central Command has quit their free service :(
HELLO
WORM VIRUS
The
Hello.exe Worm Virus is an example of a virus that can be passed around through
MSN Messenger: You will get an instant message similar to "i have a file
for u. its real funny" and an invitation asking you to accept a file called
Hello.exe. How to protect yourself against Hello.exe and other similar
types of virus:
1) Be sure you know who is sending
you a file transfer and what that file is before you accept it.
2) Run anti-virus software on all transferred files to ensure they aren't
infected.
3) Make sure your antivirus software is up-to-date. Go to your antivirus
company's website or call them to get more information.
4) Back up the data on your hard drives on a regular basis.
More important information on the McAfee Website!
ENCRYPT
INSTANT MESSAGES WITH SPYSHIELD
If you suspect your company monitors the network,
if you think Microsoft is working with the NSA or if you're just plain paranoid,
then SpyShield is for you! Thanks to this contribution by Kathryn Janeway,
you can now keep your instant messages private using SpyShield
and PGP.
1)
If you haven't installed it already, download PGP (Pretty Good Privacy) here
for free!
2) Download
SpyShield v0.98 and install the program to your local drive.
3) Happy Encrypted Chatting! ;) For more information, visit the SpyShield
home.