Microsoft Security Bulletin MS04-010
Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)

Issued: March 9, 2004
Version: 1.0

Summary

Who should read this document: Customers who are using Microsoft® MSN Messenger
Impact of vulnerability: Information Disclosure
Maximum Severity Rating: Moderate
Recommendation: Customers should consider applying the security update.
Security Update Replacement: None
Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:
- Microsoft MSN Messenger 6.0 - Download the update (http://messenger.msn.com/)
- Microsoft MSN Messenger 6.1 - Download the update (http://messenger.msn.com/)

Non-Affected Software:
- Windows Messenger (all versions)

The software listed above has been tested to determine whether the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.

General Information

Technical Details

Technical description:

A security vulnerability exists in Microsoft MSN Messenger because of the method MSN Messenger uses to handle a file request. An attacker could exploit this vulnerability by sending a specially crafted request to a user running MSN Messenger. If exploited successfully, the attacker could view the contents of a file on the hard drive without the user's knowledge, provided the attacker knew the location of the file and the user had read access to it. To exploit this vulnerability, an attacker would have to know the sign-on name of the MSN Messenger user in order to send the request.
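As an added illustrative model (not MSN Messenger's code or protocol, and not part of this bulletin), the following Python contrasts a file-request handler with the flaw the bulletin describes against one that honours the mitigations it lists: a peer-named path is served only if the local user offered that file to that sender, and senders outside the contact list are refused when "All Others" is on the block list. Client, FileRequest, offer and demo are assumed names, and the private file is a constructed sample.

```python
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

@dataclass
class FileRequest:
    sender: str  # sign-on name of the requesting peer
    path: str    # path the peer names; under the flaw it is attacker-chosen

@dataclass
class Client:
    contacts: set = field(default_factory=set)
    block_all_others: bool = False             # "All Others" on the block list
    offered: set = field(default_factory=set)  # (recipient, resolved path) pairs

    def offer(self, recipient, path):
        # Only the local user, never the peer, decides which file may be sent.
        self.offered.add((recipient, Path(path).resolve()))

    def handle_vulnerable(self, req):
        # Models the reported flaw: the peer names a path and the client reads it.
        try:
            return Path(req.path).read_bytes()
        except OSError:
            return None

    def handle_fixed(self, req):
        # Honour the block list: non-contacts are refused when "All Others" is set.
        if self.block_all_others and req.sender not in self.contacts:
            return None
        # Serve only a file the local user explicitly offered to this sender.
        if (req.sender, Path(req.path).resolve()) not in self.offered:
            return None
        return Path(req.path).read_bytes()

def demo():
    # Constructed sample: a private file the local user never offered to anyone.
    with tempfile.TemporaryDirectory() as d:
        secret = str(Path(d, "private.txt"))
        Path(secret).write_bytes(b"not for sharing")
        client = Client(contacts={"friend"}, block_all_others=True)
        stranger, friend = FileRequest("stranger", secret), FileRequest("friend", secret)
        leaked = client.handle_vulnerable(stranger)  # flaw: unoffered file is read
        unoffered = client.handle_fixed(friend)      # contact, but nothing offered
        for who in ("friend", "stranger"):
            client.offer(who, secret)
        served = client.handle_fixed(friend)         # offered to a contact
        blocked = client.handle_fixed(stranger)      # offered, but "All Others" blocks
        return leaked, unoffered, served, blocked
```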
Mitigating factors:
- An attacker must know the sign-on name of the user.
- If the user has blocked receiving messages from anonymous users not on their contact list by placing "All Others" in their block list, the attacker's messenger account must be on the user's allow list to exploit the vulnerability.
- The attacker could access files that the user had read access to. If the user is logged on to the computer with restricted privileges, this limits the files that the attacker could access.

Severity Rating:
- Microsoft MSN Messenger 6.0: Important
- Microsoft MSN Messenger 6.1: Important

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2004-0122

Security Update Information

Installation Platforms and Prerequisites:
For information about the specific security update for your platform, click the appropriate link: MSN Messenger 6.0 or 6.1

Prerequisites
This security update requires Microsoft Windows.

Restart Requirement
This update may require you to restart your computer.

Removal Information
This update cannot be uninstalled.

Verifying Update Installation
To verify that a security update is installed on an affected system, perform the following steps:
1. Within MSN Messenger, click Help, then About.
2. Check the version number. If the version number reads 6.1 (6.1.0211), the update has been successfully installed.

Acknowledgments
Microsoft thanks the following for working with us to help protect customers: qFox and Mephisto for reporting the issue in MS04-010.

Obtaining other security updates:
Updates for other security issues are available from the following locations:
- Security updates are available from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=21129), and can be most easily found by doing a keyword search for "security_patch".
- Updates for consumer platforms are available from the Windows Update Web site.

Support:
- Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates.
- International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at the International Support Web Site.

Security Resources for Windows:
The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Revisions:
- V1.0 March 9, 2004: Bulletin published