(MS08-050) Vulnerability in Windows Messenger Could Allow Information Disclosure (955702)
Vulnerability Identifier: CVE-2008-0082
Discovery Date: Aug 12, 2008
Risk: Important
Affected Software:
Windows Messenger 4.7 (Microsoft Windows Server 2003 Service Pack 1)
Windows Messenger 4.7 (Microsoft Windows Server 2003 Service Pack 2)
Windows Messenger 4.7 (Microsoft Windows Server 2003 with SP1 for Itanium-based Systems)
Windows Messenger 4.7 (Microsoft Windows Server 2003 with SP2 for Itanium-based Systems)
Windows Messenger 4.7 (Microsoft Windows Server 2003 x64 Edition Service Pack 2)
Windows Messenger 4.7 (Microsoft Windows Server 2003 x64 Edition)
Windows Messenger 4.7 (Microsoft Windows XP Professional x64 Edition Service Pack 2)
Windows Messenger 4.7 (Microsoft Windows XP Professional x64 Edition)
Windows Messenger 4.7 (Microsoft Windows XP Service Pack 2)
Windows Messenger 4.7 (Microsoft Windows XP Service Pack 3)
Windows Messenger 5.1 (Microsoft Windows 2000 Service Pack 4)
Windows Messenger 5.1 (Microsoft Windows Server 2003 Service Pack 1)
Windows Messenger 5.1 (Microsoft Windows Server 2003 Service Pack 2)
Windows Messenger 5.1 (Microsoft Windows Server 2003 with SP1 for Itanium-based Systems)
Windows Messenger 5.1 (Microsoft Windows Server 2003 with SP2 for Itanium-based Systems)
Windows Messenger 5.1 (Microsoft Windows Server 2003 x64 Edition Service Pack 2)
Windows Messenger 5.1 (Microsoft Windows Server 2003 x64 Edition)
Windows Messenger 5.1 (Microsoft Windows XP Professional x64 Edition Service Pack 2)
Windows Messenger 5.1 (Microsoft Windows XP Professional x64 Edition)
Windows Messenger 5.1 (Microsoft Windows XP Service Pack 2)
Windows Messenger 5.1 (Microsoft Windows XP Service Pack 3)
Description:
This security update addresses a vulnerability in supported versions of Windows Messenger which allows scripting of an ActiveX control that may lead to information disclosure in the context of the logged-on user. A malicious user could then change state, get contact information, and initiate audio and video chat sessions without the knowledge of the logged-on user, as well as capture the user’s logon ID and remotely log on to the user’s Messenger client.
Patch Information:
Patches for this vulnerability can be downloaded from this Microsoft Web page.
Workaround Fixes:
Microsoft recommends configuring Internet Explorer to prompt before running Active Scripting, or disabling Active Scripting, in the Internet and Local intranet security zones. Adding sites that you trust to the Internet Explorer Trusted sites zone is also suggested. Alternatively, users may set the kill bit for the Messenger.UIAutomation.1 control through a registry modification.
More details regarding these workarounds may be found on this Microsoft Web page.
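
The kill-bit workaround can be audited per host with the following PowerShell script, an added example that is not part of the original advisory or Microsoft's own tooling. It resolves the control's CLSID from the local ProgID registration instead of hard-coding it, reports whether the kill bit (`Compatibility Flags` bit 0x400) is set in each registry view, and writes it when run with `-Set` from an elevated prompt. The parameter and function names are assumptions made for this example.

```powershell
# Added example: audit, and with -Set apply, the IE kill bit for an ActiveX ProgID.
param(
    [string]$ProgId = 'Messenger.UIAutomation.1',  # control named in the advisory
    [switch]$Set                                   # write the kill bit (needs elevation)
)

$KillBit   = 0x400                 # Compatibility Flags bit that blocks the control in IE
$ValueName = 'Compatibility Flags'
$Roots     = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

function Resolve-Clsid([string]$Name) {
    # Read the CLSID from the local COM registration instead of hard-coding it.
    $key = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$Name\CLSID" -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

function Get-KillBitState([string]$Clsid) {
    foreach ($root in $Roots) {
        # The Wow6432Node view only exists on 64-bit Windows.
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $path  = "$root\$Clsid"
        $flags = 0
        $prop  = Get-ItemProperty -LiteralPath $path -Name $ValueName -ErrorAction SilentlyContinue
        if ($prop) { $flags = $prop.$ValueName }
        New-Object psobject -Property @{
            Path = $path; Flags = ('0x{0:X8}' -f $flags); KillBitSet = [bool]($flags -band $KillBit)
        }
    }
}

$clsid = Resolve-Clsid $ProgId
if (-not $clsid) {
    Write-Warning "$ProgId is not registered on this host; nothing to audit."
    return
}

if ($Set) {
    foreach ($root in ($Roots | Where-Object { Test-Path -LiteralPath $_ })) {
        $path = "$root\$clsid"
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        $old = (Get-ItemProperty -LiteralPath $path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        # OR the bit in so that any other compatibility flags already present are kept.
        Set-ItemProperty -LiteralPath $path -Name $ValueName -Value ([int]$old -bor $KillBit) -Type DWord
    }
}

Get-KillBitState $clsid | Format-Table Path, Flags, KillBitSet -AutoSize
```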