
MSN SECURITY
Here's some information on MSN's security issues, other than the regular "Never accept files or links from people you don't know and always scan every received one before opening it!".


Electrophreak discovered a huge problem with Microsoft's Passport sites: cookies can be "stolen" by abusing an XSS hole in forms on several MSN subsites (e.g. MSN Entertainment). The exploit is very dangerous when executed from a bad-ass website that redirects visitors to an MSN site, automatically executing a malicious JavaScript which sends your cookie to the hacker. With that cookie, the hacker can take over your Passport identity and, for example, log into your Hotmail account.

Electrophreak advises signing out of Passport every time. If you use MSN Messenger, you're dead meat, because when logging on you sign into Passport as well... and stay signed in. That's why MSN Messenger users had better disable Active Scripting (for a good explanation on how to do that, click the previous link or click here).

"MSN Messenger vulnerable to hackers"? Duh! Read the Nando Times article. Source: NeoWin.net.


Did you hear about the e-mail worm yet that could allow attackers to take over users' machines and send instant messages using MSN Messenger? Read PCWorld's article here.


CRASH HEADER CODE

Another MSN Messenger exploit exposed. More details at MSN|Fanatic.

Heavy_K released a stand-alone crash antidote to run alongside your MSN Messenger, just until Microsoft shows up with a new build. Download and run Heavy K's MSN Anti Crash if you're experiencing sudden crashes of MSMSGS.EXE. Instructions:
1) After starting Messenger start AntiCrash.exe to enable the protection.
2) Whenever someone tries to crash you, a dialog box will pop up telling you who tried it. You can talk to him/her then, because you won't crash :-)
3) Run StopAntiCrash.exe before you quit Messenger to stop the protection again. You won't be able to quit Messenger while the protection is running.
Source: Heavy_K

 

zlib COMPRESSION LIBRARY CORRUPTS MALLOC DATA STRUCTURES VIA DOUBLE FREE

"There is a security vulnerability in zlib 1.1.3 that can be exploited by providing a specially crafted invalid compressed data stream to zlib's decompression routines that results in zlib attempting to free the same memory twice. On many systems, freeing the same memory twice will crash the application. Such "double free" vulnerabilities can be used in denial-of-service attacks, and it is remotely possible that the vulnerability could be exploited in some application to execute arbitrary code with that application's permissions. There have been no reports of any exploitations of this problem, but the vulnerability exists nevertheless."

Source: Zlib Advisory 2002-03-11

There's nothing much you can do, really. Microsoft will probably fix this themselves in a future version.
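
The failure pattern the advisory describes, modelled as an added example (not code from zlib, the advisory or this site): a decoder whose error path releases a buffer that the normal cleanup routine then releases again, next to the usual fix of clearing the pointer. The stream format, struct and function names are hypothetical, and the stand-in allocator counts the second release instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct toy_stream {        /* constructed toy state, not zlib's real structures */
    unsigned char *window; /* scratch buffer owned by the stream */
    int live;              /* allocator's view: block still allocated? */
    int double_frees;      /* repeated releases caught by the model */
};

/* Stand-in for free(): a repeated release is counted, not performed. */
static void release_window(struct toy_stream *s) {
    if (s->live) free(s->window); else s->double_frees++;
    s->live = 0;
}

/* Block = 0x01, length byte, data. Any other type byte is invalid input. */
static int toy_decode(struct toy_stream *s, const unsigned char *in, size_t n, int hardened) {
    for (size_t i = 0; i < n; i += 2 + (size_t)in[i + 1]) {
        if (in[i] != 0x01 || i + 2 > n || i + 2 + in[i + 1] > n) {
            release_window(s);              /* error path gives the buffer back */
            if (hardened) s->window = NULL; /* fix: forget the pointer too */
            return -1;
        }
        memcpy(s->window, in + i + 2, in[i + 1]);
    }
    return 0;
}

/* Cleanup the caller always runs; hardened mode skips a released buffer. */
static void toy_end(struct toy_stream *s, int hardened) {
    if (!hardened || s->window != NULL) release_window(s);
    s->window = NULL;
}

/* One decode-then-cleanup run; returns the number of repeated releases. */
int count_double_frees(const unsigned char *in, size_t n, int hardened) {
    struct toy_stream s = { malloc(256), 1, 0 };
    if (s.window == NULL) return -1;
    (void)toy_decode(&s, in, n, hardened); /* cleanup runs on success and on error */
    toy_end(&s, hardened);
    return s.double_frees;
}

static const unsigned char BAD_STREAM[] = {0x01, 0x02, 'h', 'i', 0x7f}; /* constructed */
int main(void) {
    for (int h = 0; h < 2; h++)
        printf("hardened=%d double_frees=%d\n", h, count_double_frees(BAD_STREAM, sizeof BAD_STREAM, h));
}
```

With a real `free()` in place of the counting stand-in, the unhardened run is the point where the heap's bookkeeping gets corrupted.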


INSTANT MESSAGE WORM - CONTACT LIST EXPLOIT

Here's what Bill and Co. have to say:

"If you receive an unsolicited instant message directing you to go to an unknown Web site, please do not click on the link (*). There is an updated version of MSN Messenger available that you can download from http://messenger.microsoft.com that addresses this issue. Microsoft highly recommends that you take additional precautionary measures, by installing the Internet Explorer patch that is available here. We appreciate your patience and apologize for any inconvenience.

1) Download the latest Internet Explorer Security Update

Microsoft highly recommends that you update your Internet Explorer to the latest version available (Internet Explorer 5.5 or later) and download the latest security update to ensure a safe MSN Messenger experience. This update eliminates security vulnerabilities affecting Internet Explorer 5.5 Service Pack 2 (SP2) and Internet Explorer 6, and MSN Explorer. For more information please click here.

2) MSN Messenger Friendly Name

Microsoft ships a control with MSN Messenger that allows Web sites to show your Messenger contact’s friendly name (e.g. 'John Smith') and make it quick and easy to establish communication with them. It was brought to our attention that this feature may be co-opted by malicious Web sites to collect this information. Microsoft has released an updated version of MSN Messenger that does not allow third party Web sites to obtain this information. To install the updated version please click here."

Source: .Net Messenger Service - Known Issues

Test your online MSN security and learn more about the exploit script at Superguy's site (it's completely safe to go there).

(*) The message often appears in the Times New Roman font and in black. Some of the sites on our shitlist:

- "http://www.angelfire.com/amiga/mynewpage"
- "http://maxall.d2g.com/index3.html"
- "http://members.chello.nl/~a.geesing/stopmsnhack.html"
- "http://denniz.com/valentijn.html"
- "http://users.pandora.be/weedy/pics.htm"

- "http://www.n00bs.be"
- "http://users.pandora.be/fusion"
- "http://www.inx.net/~louis/intrigue.htm"

- and lots of other URLs possible...

Don't click/visit these links. So what happens if you do? They activate a malicious script that automatically sends that same message to all your online contacts. Some sites might even cause serious trouble, so pay EXTRA attention. Thanks for the info, Superguy, Jae, Timothy, Craven and Dan!

 

MSN CONTACT LIST DISCLOSURE

"Register an account for MSN messenger, make some contact email addresses, leave the account for 31 days. On a different machine (to ensure there's no cache), go to the sign up section of MSN messenger, sign up again, using the same screen name. You'll be able to see the previous user's contact list.

None of the contacts will have been alerted to the fact that the new username actually belongs to an entirely different person, so they'll still be sending messages, and if the new user is a haxor, (s)he'll be replying just as if (s)he's the original user.

I alerted Microsoft on Monday, and have received no reply. So there. :)"

Taken from a mail by Tom Micklovitch to BugTraq on Security Focus.

 

MSN MESSENGER PRIVACY

Bughunter Richard Antony Burton caused a rumble in the Instant Messaging jungle when he tracked down a (major?) security hole in MSN Messenger on the 2nd of February 2002:

"By default, everyone has access to your display name and those of your contacts, but only Microsoft can get your email address this way. However third parties could get access to the email addresses, by simply adding a single entry to your registry. That would require a little more effort, but is easily done.
e.g. Installing software which contains "spyware" or "adware" (such as Kazaa, Go!Zilla, Direct Connect, etc.*), could easily add such an entry to your registry. After that you could be sending your email address to them every time your computer loads an advertising banner from their site."

For more information, consult his homepage and also check out the workarounds and several updates on the 5th, 6th and 7th of February. More Microsoft security stories at CNET.com.

 

AntiVirus eXpert PLUG-IN

1) Detection for over 50,000 viruses, trojans, worms, and other hostile applications.
2) Updated daily. Virus scans within many archive formats (Zip, Arj, Rar, Lha, Lzh, Ace, Cab, Gz, Tar)
3) No communication hindrance
4) Monitors, intercepts and virus scans all files received
5) Designed around plug-in technology for quick addition of new features

Register with Central Command to receive FREE P2P Anti-Virus Software for MSN Messenger. Central Command has quit their free service :(

HELLO WORM VIRUS
The Hello.exe Worm Virus is an example of a virus that can be passed around through MSN Messenger: You will get an instant message similar to "i have a file for u. its real funny" and an invitation asking you to accept a file called Hello.exe. How to protect yourself against Hello.exe and other similar types of virus:
1) Be sure you know who is sending you a file transfer and what that file is before you accept it.
2) Run anti-virus software on all transferred files to ensure they aren't infected.
3) Make sure your antivirus software is up-to-date. Go to your antivirus company's website or call them to get more information.
4) Back up the data on your hard drives on a regular basis.

More important information on the McAfee Website!

 

ENCRYPT INSTANT MESSAGES WITH SPYSHIELD
If you suspect your company monitors the network, if you think Microsoft is working with the NSA or if you're just plain paranoid, then SpyShield is for you! Thanks to this contribution by Kathryn Janeway, you can now keep your instant messages private using SpyShield and PGP.

1) If you haven't installed it already, download PGP (Pretty Good Privacy) here for free!
2) Download SpyShield v0.98 and install the program to your local drive.
3) Happy Encrypted Chatting! ;) For more information, visit the SpyShield home.