[SECURITY-L] CAIS-Alerta: Vulnerability in Messenger allows information disclosure (838512)

CSIRT - UNICAMP security at unicamp.br
Wed Mar 10 10:08:43 -03 2004


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Subject: CAIS-Alerta: Vulnerability in Messenger allows information
 disclosure (838512)
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Tue, 9 Mar 2004 17:19:04 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----


Dear all,

CAIS is forwarding the alert released by Microsoft, "Microsoft
Security Bulletin MS04-010: Vulnerability in MSN Messenger Could Allow
Information Disclosure (838512)", which addresses a vulnerability
present in MSN Messenger.

The vulnerability exists because of the method used by MSN Messenger to
handle file requests. Once successfully exploited, the attacker can view
the contents of files on the victim's hard disk without the victim's
knowledge. However, the attacker must know the exact location of the
file, and the victim must have read permission for that file.

To exploit this vulnerability, the attacker must know the MSN Messenger
user's login so that the request can be sent.


Affected systems:

	. Microsoft MSN Messenger 6.0
	. Microsoft MSN Messenger 6.1


Unaffected systems:

	. All other versions


Available fixes:

. Microsoft MSN Messenger 6.0 update
http://messenger.msn.com/Download/

. Microsoft MSN Messenger 6.1 update
http://messenger.msn.com/Download/


More information:

. Microsoft Security Bulletin MS04-010
http://www.microsoft.com/technet/security/bulletin/MS04-010.mspx


CVE identifiers (http://cve.mitre.org): CAN-2004-0122


CAIS recommends that administrators of Microsoft platforms always keep
their systems and applications up to date.


Sincerely,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais at cais.rnp.br    http://www.cais.rnp.br                #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available      http://www.rnp.br/cais/cais-pgp.key   #
################################################################

Microsoft Security Bulletin MS04-010
Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)

Issued: March 9, 2004
Version: 1.0

Summary

Who should read this document: Customers who are using Microsoft® MSN
Messenger

Impact of vulnerability: Information Disclosure

Maximum Severity Rating: Moderate

Recommendation: Customers should consider applying the security update.

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

Microsoft MSN Messenger 6.0 - Download the update (http://messenger.msn.com/)

Microsoft MSN Messenger 6.1 - Download the update (http://messenger.msn.com/)

Non Affected Software:

Windows Messenger (All versions)

The software listed above has been tested to determine if the versions are
affected. Other versions either no longer include security patch support
or may not be affected. Please review the Microsoft Support Lifecycle Web
site to determine the support lifecycle for your product and version.

General Information

Technical Details

Technical description:

A security vulnerability exists in Microsoft MSN Messenger. The
vulnerability exists because of the method used by MSN Messenger to handle
a file request. An attacker could exploit this vulnerability by sending a
specially crafted request to a user running MSN Messenger.  If exploited
successfully, the attacker could view the contents of a file on the hard
drive without the user's knowledge as long as the attacker knew the
location of the file and the user had read access to the file.

To exploit this vulnerability, an attacker would have to know the sign-on
name of the MSN Messenger user in order to send the request.

Mitigating factors:

An attacker must know the sign-on name of the user.

If the user has blocked receiving messages from anonymous users not on
their contact list by placing "All Others" in their block list, the
attacker's messenger account must be on the user's allow list to exploit
the vulnerability.

The attacker could access files that the user had read access to.  If the
user is logged into the computer with restricted privileges this would
limit the files that the attacker could access.

Severity Rating:

Microsoft MSN Messenger 6.0 Important

Microsoft MSN Messenger 6.1 Important

The above assessment is based on the types of systems that are affected by
the vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2004-0122

Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform,
click the appropriate link:

MSN Messenger 6.0 or 6.1

Prerequisites

This security update requires Microsoft Windows.

Restart Requirement

This update may require you to restart your computer.

Removal Information

This update cannot be uninstalled.

Verifying Update Installation

To verify that a security update is installed on an affected system,
please perform the following steps:

1. Within MSN Messenger, click Help, then About.

2. Check the version number.

If the Version number reads 6.1 (6.1.0211) the update has been
successfully installed.

Acknowledgments

Microsoft thanks the following for working with us to help protect
customers:

qFox and Mephisto for reporting the issue in MS04-010.

Obtaining other security updates:

Updates for other security issues are available from the following
locations:

Security updates are available from the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkId=21129), and can
be most easily found by doing a keyword search for "security_patch".

Updates for consumer platforms are available from the WindowsUpdate Web
site.

Support:

Technical support is available from Microsoft Product Support Services at
1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge
for support calls that are associated with security updates.

International customers can get support from their local Microsoft
subsidiaries. There is no charge for support associated with security
updates. Information on how to contact Microsoft support is available at
the International Support Web Site.

Security Resources for Windows:

The Microsoft TechNet Security Web Site provides additional information
about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

V1.0 March 9, 2004: Bulletin published

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

-----END PGP SIGNATURE-----


----- End forwarded message -----


