Article ID: 321661 - Last Review: August 22, 2007 - Revision: 7.4

MS02-022: An Unchecked Buffer in the MSN Chat Control Can Permit Code to Be Run

This article was previously published under Q321661

SYMPTOMS

A buffer overflow vulnerability exists in the MSN Chat
control. An attacker who can successfully exploit this vulnerability can run
any code on the computer. The code runs as if the local user had run it.
Therefore, the code can take any action on the computer that the local user can
perform. This includes adding, changing, or deleting any data or configuration
information. For example, the code can reduce the security settings in the
browser, or can write a file to the hard disk.

Because the code runs as the local user and not as the operating system, any security limitations on the user's account also apply to any code that is run by successfully exploiting this vulnerability. In environments in which user accounts are restricted, such as in enterprise environments, the actions that an attacker's code can take are limited by these restrictions.

Mitigating factors:

CAUSE

This vulnerability occurs because of an unchecked buffer in
the code that handles the input of a parameter in the MSN Chat control. By
invoking this parameter in a particular manner, an attacker can overflow the
buffer and can cause code to run.

RESOLUTION

A patch is available that prevents this vulnerability by
unregistering the vulnerable MSN Chat control. This renders the control
useless. The patch does not install an updated MSN Chat control. The next time
a user visits the MSN Chat site after applying the patch, the updated version
of the MSN Chat control is offered for download.

The following file is available for download from the Microsoft Download Center:

Release Date: June 11, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 (http://support.microsoft.com/kb/119591/) How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help to
prevent any unauthorized changes to the file.

The latest version of MSN Messenger with the corrected control is version 4.6 (4.6.0079). To obtain this version, visit the following Microsoft Web site:
http://messenger.msn.com/

The latest version of the Microsoft Exchange 2000 Instant
Messaging service with the corrected control is version 4.6 (4.6.0079). To
obtain this version, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/exchange/bb288473.aspx

You do not have to restart your computer after you apply the
patch or after you update your version of MSN Messenger.

STATUS

Microsoft has
confirmed that this problem may cause a degree of security vulnerability in MSN
Chat control.

MORE INFORMATION

The MSN Chat control is available as a Web download from
several MSN Chat (http://chat.msn.com/)
sites, and is included with MSN Messenger 4.5 or later and with the Exchange
2000 Instant Messaging service. The MSN Chat control is not included with
Windows Messenger in Windows XP. However, Windows XP users can install the
control by visiting an MSN Chat site and downloading the control.

For more information about this vulnerability, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS02-022.mspx
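
The version facts in the RESOLUTION and MORE INFORMATION sections can be turned into a fleet triage check. The following is an added example, not Microsoft code: the CSV layout, host names, version strings in the sample rows and status labels are constructed, and it assumes that builds from 4.5 up to (but not including) 4.6.0079 bundle the uncorrected control.

```python
# Added example: triage a software inventory against the versions named in MS02-022.
# The inventory rows are constructed sample data, not real hosts.
import csv
import io

FIXED = (4, 6, 79)  # 4.6.0079: version the article lists as carrying the corrected control
# Lowest version that bundles the control, per product (article: MSN Messenger 4.5 or
# later; the Exchange 2000 Instant Messaging service with no lower bound stated).
BUNDLED_FROM = {
    "msn messenger": (4, 5, 0),
    "exchange 2000 instant messaging": (0, 0, 0),
}

SAMPLE_INVENTORY = """host,product,version
ws-001,MSN Messenger,4.6.0079
ws-002,MSN Messenger,4.5.0121
ws-003,MSN Messenger,3.6.0039
ws-004,Exchange 2000 Instant Messaging,4.5.0121
ws-005,MSN Messenger,unknown
ws-006,Windows Messenger,4.0.0155
"""

def parse_version(text):
    """Return (major, minor, build), zero-padded, or None if not dotted numeric."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]  # int() drops leading zeros: "0079" -> 79
    return tuple(nums + [0] * (3 - len(nums)))

def classify(product, version_text):
    """Map one inventory row to corrected / update / not-bundled / review."""
    floor = BUNDLED_FROM.get(product.strip().lower())
    if floor is None:
        return "not-bundled"  # the control may still have been installed from the web
    v = parse_version(version_text)
    if v is None:
        return "review"       # unparseable version: check the host by hand
    if v >= FIXED:
        return "corrected"
    return "update" if v >= floor else "not-bundled"

def triage(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A short version string such as "4.6" is zero-padded and therefore sorts below 4.6.0079, so it is flagged "update". A "not-bundled" result does not rule out a copy of the control downloaded from an MSN Chat site, and the check cannot tell whether the patch that unregisters the control has been applied.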
APPLIES TO