Advertisement
Promo

Security threats Toolkit

IE and MSN Messenger open door for attackers

Munir Kotadia ZDNet Australia

Published: 18 Jul 2005 09:55 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Microsoft's Internet Explorer (IE) and MSN Messenger programs contain a security vulnerability that could be used by attackers to crash and possibly execute arbitrary code on a victim's system when they view a specially crafted image file.

SecurityFocus, a specialist security Web site, published an advisory on Saturday describing a vulnerability in the way IE and MSN Messenger client handles International Color Consortium (ICC) Profiles. ICC is an international colour management system that allows the same colours to be described in a number of operating systems and applications.

According to the advisory "both Microsoft Internet Explorer and MSN Instant Messenger can be crashed if image data with malformed embedded ICC profile data is processed. The condition is likely due to an integer handling error."

But according to iDefense, another security company, the flaws were patched last Tuesday.

A spokesperson from Sydney-based security specialists Pure Hacking, said that if a vulnerable user opens a specially crafted image file, they could allow arbitrary code to be executed on their computer.

"If MSN Messenger or IE opened an image, according to this advisory, it would be possible to at least crash it — it would have to be a malformed image and designed to do that," the spokesperson said.

Additionally, the vulnerability could be used to spread a worm: "If it all holds true, it may be possible to create a worm to take advantage of the vulnerability — but only if it is possible to execute code [on the vulnerable system] — which, at this stage, hasn't be done — there hasn't been a proof of concept, yet," the spokesperson said.

Last October, Microsoft released a patch to fix a similar vulnerability that affected Windows and a number of its other applications. At the time, experts said the potential for attack was "very high".

Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
135 out of 266 people found this useful


In association with Network Liberation Movement

Talkback

Post a comment


Full Talkback thread

3 comments

  1. I have a terrible thing on my pc, because of msn m... Marta
  2. What can one do if you discover when clicking on s... Anonymous
  3. We are caught up in the all mighty god the dollar... Ernest Baldwin

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:








Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

DNA details of innocent will be kept f...

The government has announced that it plans to keep innocent people's DNA details for up to six years. In response to a consultation it launched last December, the government said... More

4 comments

Motorola Droid Drops Today: Happy Droi...

Motorola Droid Drops Today: Happy Droid Day America! Author: Eric Everson, Mobile Security Expert If you’re wondering what all of the buzz is about with words like Droid and Android... More

Post a comment

Mobile Security Profile: BlackBerry St...

Mobile Security Profile: BlackBerry Storm2 Author: Eric Everson BlackBerry handsets are a staple of office culture; from syncing calendars to sharing business-related data,... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters