Posted

hi,

A new vulnerability has been discovered in MSN 6.0 and 6.1 ...

Update via MSN Site!

here is the alert :

An important vulnerability was discovered in Messenger MSN 6.0 and 6.1, a software of immediate e-mailer installed by default with Windows or downloaded separately by Internet users. This vulnerability can allow a hostile contact to read the files present on the computer of his (her) victim, without the victim knowing, without being able to modify these files but being able to steal confidential data.

francois

received with mailing from www.secuser.com and translated for you.

the secuser site is french ... sorry folks :o

Posted

thanks Francois, here is the complete information.

According to Microsoft tech staff :

Technical description:

A security vulnerability exists in Microsoft MSN Messenger. The vulnerability exists because of the method used by MSN Messenger to handle a file request. An attacker could exploit this vulnerability by sending a specially crafted request to a user running MSN Messenger.  If exploited successfully, the attacker could view the contents of a file on the hard drive without the user's knowledge as long as the attacker knew the location of the file and the user had read access to the file.

To exploit this vulnerability, an attacker would have to know the sign-on name of the MSN Messenger user in order to send the request.

Mitigating factors:

• An attacker must know the sign-on name of the user

• If the user has blocked receiving messages from anonymous users not on their contact list by placing "All Others" in their block list, the attacker's messenger account must be on the user's allow list to exploit the vulnerability.

• The attacker could access files that the user had read access to.  If the user is logged into the computer with restricted privileges this would limit the files that the attacker could access.

Severity Rating:

Microsoft MSN Messenger 6.0: Moderate

Microsoft MSN Messenger 6.1: Moderate

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2004-0122

In 2 words, if you are silly/moron enough to share your password, then someone on internet can use it to see what are written on the files in your computer ... I forget you must also have told him the fullname, and path of the files the guy need to check ... Not a big deal in my opinion .... Anyway it was a good joke.

Next time you should read the whole article, and the corresponding technical notice .... This flaw was revealed by Mephisto 3 weeks earlier, because there are idiots who use their working time to "chat" with MSN, and work colleagues played jokes on them (imagine a head of personnel with the list of the guys who are going to get fired the following week). Reduced risks, no consequences for an ordinary user.

One question: why is the port corresponding to sending print jobs over the internet always open on your computer?????????? That is dangerous, a major risk of intrusion

Best regards

Posted
In 2 words, if you are silly/moron enough to share your password, then someone on internet can use it to see what are written on the files in your computer ... I forget you must also have told him the fullname, and path of the files the guy need to check ... Not a big deal in my opinion .... Anyway it was a good joke.

when you know that a simple message can do all these tricks, like on hotmail ...

it's a bit scary anyway.

but it might concern only dude users ... is this what you mean?

and may I ask, how come, that a port can be permanently open?

don't you have a firewall?

you can check your machine, look for Gibson Research, they can perform a test on all the ports of your machine.

address something like : http://grc.com

you have to know also, that I just transmit things like this because a lot of people are not looking for things "security related" and it might help some :D

the news like this one come from a security news-letter I have, and the site is pretty serious, nothing wrong with what they say.

in other words, if you would like to say anything about the news I transmit, write to them.

here is the address : http://www.secuser.com/ (Secuser internet site)

and please don't tell me in a kinda of french ...

next time check out more ... :o

francois

Posted

before to speak about something, YOU must check out more. Have you ever read the full topic in secuser? It was a link to microsoft ... have you followed this link, and read the technical notice? Wonder not, because if yes, you will not waste time to diffuse this information.

Why not advise the people that to have a sharing partition and be connected to internet is far more dangerous? Do you know how many people have this kind of config? an intruder with, let's say, 10 lines of DOS, will gain access and see all what is in the HD. And it's a very basic, low level exploit for script kiddies.

Here, even if you gain access, you can have access only to the files if you know by advances : The Name, the Full Path .... so ?????????????? where is the threat??? You will be able to hack your puter if you are not at home, but somewhere else and chatting with your gf who will use your puter ... is it an exploit?

Posted
before to speak about something, YOU must check out more. Have you ever read the full topic in secuser? It was a link to microsoft ... have you followed this link, and read the technical notice? Wonder not, because if yes, you will not waste time to diffuse this information.

I did, and I thought that it was worth to talk about!

a bit tired of you guys :o

sitting in your chair waiting for a word to jump on with all the story about!

if you know things so well, why don't you post some things little bit more positive than what I see from you?

are you so good in computing to validate an alert like a serious one?

do you think that you know better than the guys working in secuser?

or just because "you" think that this can't be done, it's useless to talk about?

you see, any kind of knowledge need to be shared, but not the way it's done!

we are not in a school yard anymore, you know more, just post it!

useless to flame anyone on the way, saying, "you did not know enough"!

just add, and be happy to share what you know!

this would be nice enough, I'm not here for any kind of challenge ...

francois

Posted

about security, it is also a rule (recommendation) that we have set up 3 years ago in the IETF ... don't propagate information if the risk is worth than the panic who can be caused.

About knowledge, the "reading" knowledge is enough to understand the risk exist, is real, but for the normal user as the people who use this webboard, it's close to be null, the risk could be evaluate moderate/strong for the big business, when (it's an example) an employee is fired (he/she well the name of the files and where they are located) or with an intruder (social engineering a.k.a a guy who get a job to clean the rooms during the night, then he collect name and place during this time, and do the hack from a secure (IP spoken) place).

As I posted about OOo and SO, I am ready to help for those 2 programs, and also about security (I repeat why not explain the risk to have a sharing HD when you surf on internet???????????/ the hack is basic, easy, and involve only DOS tools who are delivered basically with all the Windows installation).

I am not here to be a troll, but I consider incomplete information dangerous, I refer to the IETF Recommendation.

Sting01

P.S. Editing by myself.

the real danger is often due to simple rules who are not followed ... better to teach basic rules first and then the exceptional.
