• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Microsoft MSN Messenger GIF Image Processing Remote Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Microsoft MSN Messenger is prone to a remote buffer-overflow vulnerability when handling malformed Graphic Interchange Format (GIF) images. This issue arises because the application fails to perform boundary checks before copying user-supplied data into sensitive process buffers. This may allow an attacker to gain unauthorized access to an affected computer.

Specifically, the vulnerability presents itself when the application processes GIF images with malformed height and width values. An attacker could craft a malicious GIF image in a manner that supplies excessive data to the application, overflowing a finite-sized destination buffer. This can lead to memory corruption. The attacker may also leverage this issue to execute arbitrary code on a computer, reportedly resulting in system-level compromise. Note that the attacker must be part of a user's contact list to carry out this attack. MSN Messenger does not allow anonymous users to send messages by default.

Multiple attack vectors may be employed to exploit this vulnerability. Specially crafted emoticons or display pictures are likely to be used in a client-to-client attack. Other attack vectors may include background images, but this has not been confirmed.

Exploitation of this issue could be mitigated by Microsoft either through forcing vulnerable clients to upgrade or through content filters that drop malicious images with the properties necessary for exploitation.

MSN Messenger 6.2 and MSN Messenger 7.0 beta are vulnerable.

Affected Products:

• Microsoft MSN Messenger Service 6.2
• Microsoft MSN Messenger Service 7.0 beta

References:

• Microsoft: Microsoft Security Bulletin MS05-022
• Microsoft: Microsoft Security Bulletin MS07-054 - Important

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.