   VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2008-130
Microsoft Windows Messenger ActiveX Control Information Disclosure Vulnerability

Original Issue Date: August 14, 2008

Severity Rating: Medium

Systems Affected

Windows Messenger 4.7

  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition and with Service Pack 2
  • Windows Server 2003 Service Pack 1 and with Service Pack 2
  • Windows Server 2003 x64 Edition and with Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Server 2003 with SP2 for Itanium-based Systems

Windows Messenger 5.1

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and with Service Pack 3
  • Windows XP Professional x64 Edition and with Service Pack 2
  • Windows Server 2003 Service Pack 1 and with Service Pack 2
  • Windows Server 2003 x64 Edition and with Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and with Service Pack 2

Overview

A vulnerability has been reported in the Messenger.UIAutomation.1 ActiveX control in supported versions of Microsoft Windows Messenger. A remote attacker could exploit it to disclose potentially sensitive information in the context of the logged-in user.

Description

The vulnerability is caused by the Messenger.UIAutomation.1 ActiveX control being marked "safe-for-scripting". This allows changing state, obtaining contact information and a user's login ID, logging on remotely to a user's Messenger client as the user, and initiating audio and video chat sessions without the knowledge of the logged-on user. A remote attacker could exploit this vulnerability to capture the user's logon ID and log on to the user's Messenger client, impersonating that user.

Workarounds

  • Set the kill bit of the following CLSID
    {B69003B3-C55E-4b48-836C-BC5946FC3B28}
  • Set Internet and Local intranet security zone settings to
    “High” to prompt before running ActiveX Controls and Active Scripting.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
  • Add sites that are trusted to the Internet Explorer Trusted sites zone
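
The first workaround, as an added example that is not part of the original CERT-In note: a PowerShell script that sets the kill bit for the CLSID above and reads it back. The registry location (`ActiveX Compatibility`) and the `Compatibility Flags` value 0x400 are the standard Internet Explorer kill-bit mechanism, not details given in this note; the function and variable names are illustrative.

```powershell
# Added example: set the IE kill bit for the CLSID named in this note.
# Run from an elevated PowerShell prompt.
$Clsid   = '{B69003B3-C55E-4b48-836C-BC5946FC3B28}'  # CLSID from the note
$KillBit = 0x400                                      # kill bit in "Compatibility Flags"
$Name    = 'Compatibility Flags'
$SubPath = 'Microsoft\Internet Explorer\ActiveX Compatibility'

# Native registry view, plus the 32-bit view on x64 editions.
$Roots = @('HKLM:\SOFTWARE')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') { $Roots += 'HKLM:\SOFTWARE\Wow6432Node' }

function Get-CompatFlags([string]$Key) {
    # Returns the current flags, or 0 when the key or value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Set-KillBit([string]$Root) {
    $key = Join-Path (Join-Path $Root $SubPath) $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in so any flags already set on the control are preserved.
    $flags = (Get-CompatFlags $key) -bor $KillBit
    New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value $flags -Force | Out-Null
    # Read the value back and report whether the kill bit is now present.
    $after = Get-CompatFlags $key
    New-Object PSObject -Property @{
        Key        = $key
        Flags      = '0x{0:X8}' -f $after
        KillBitSet = (($after -band $KillBit) -eq $KillBit)
    }
}

$Roots | ForEach-Object { Set-KillBit $_ }
```

Each output row should show `KillBitSet` as `True`; restart Internet Explorer so the setting takes effect for new browser sessions.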

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS08-050

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-050.mspx

References

Fortinet
http://www.fortiguardcenter.com/advisory/FGA-2008-18.html/

FrSIRT
http://www.frsirt.com/english/advisories/2008/2354

Secunia
http://secunia.com/advisories/31446/

SecurityFocus
http://www.securityfocus.com/bid/30551

CVE Name
CVE-2008-0082

 

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003