
IE Bug Opens New Hole in MSN Messenger

Bug-hunters say a second, more dangerous flaw could invite worms, PC invaders.

Shortly after Microsoft admitted MSN Messenger has a bug that could disclose the names and e-mail addresses on a user's contact list, the company is being confronted with what seems to be a bigger hole.

A malicious Web site operator can hijack a user's MSN Messenger instant messaging application and perform all tasks, including sending messages and personal files, bug-hunters claimed this weekend. The charge was posted in a bulletin on the Bugtraq mailing list on Saturday, and repeated in a warning issued by security software firm Finjan Software on Sunday.

To take over a user's MSN Messenger program, an attacker has to exploit a known hole in Internet Explorer by sending specially crafted code in an HTML e-mail or directing the user to a Web site that contains that code, according to the security advisories.

The Internet Explorer hole, known as the Document.Open() bug, was first discovered in December.

Microsoft has yet to plug the hole. A patch was initially published late last week, only to be removed from the Windows Update service hours later, according to a message on Tom Gilder's Web site. Gilder wrote the Bugtraq bulletin. Microsoft representatives said no one at the software company was available to comment on the latest bug report.

Security Concern

Security researchers at Finjan expect the flaw to be exploited by many. The firm states that an "MSN Messenger worm" could be written based on this vulnerability. Systems with Internet Explorer 5.5 and 6.0 and MSN Messenger 2.21 and above installed are vulnerable, according to Finjan.

Users can protect themselves by disabling active scripting in Internet Explorer or by not using MSN Messenger, which is software offered for free by Microsoft and is a standard part of Windows XP.

Microsoft on Friday confirmed that MSN Messenger has a bug that could disclose the names and e-mail addresses on a user's contact list to malicious Web site operators.

The company declared the problem 'low-risk,' and is working on an update for MSN Messenger to fix that flaw. Microsoft representatives suggest users solve the problem by downloading and installing the update when it becomes available. This flaw was also initially mentioned in an alert posted to the Bugtraq security e-mail list on February 2.
