Buffer overflow vulnerability found in Microsoft Chat

Free online fixes are now available to repair a buffer overflow security vulnerability found recently in Microsoft Corp.’s free MSN Chat, MSN Messenger and Microsoft Exchange Instant Messenger programs.

In a critical security bulletin released yesterday by Microsoft, the company said the problem is a programming flaw called an unchecked buffer that essentially would allow an attacker to overwhelm a computer by sending it more information than the program can handle. Once overwhelmed, the machine would be vulnerable to just about any code or instructions sent to it by an attacker.

Christopher Budd, security program manager at Microsoft’s Security Response Center in Redmond, Wash., said the potential vulnerability has been found in the MSN Chat control (an ActiveX control), MSN Messenger 4.5 and 4.6 (which include the MSN Chat control) and Microsoft Exchange Instant Messenger 4.5 and 4.6 (which also include the Chat control).

To fix the vulnerability, users of MSN Chat can log in to the Web site and automatically receive an update, while users of the affected MSN Messenger and Exchange programs can download updated versions of the software. A patch is also available, largely for Microsoft’s corporate customers, that won’t repair the vulnerability but will disable the Chat program.

The problem was first reported to Microsoft in late March after it was discovered by a technician working for network security vendor eEye Digital Security in Aliso Viejo, Calif.

The vulnerability can be exploited through e-mail, through a malicious Web site or through any other method in which Microsoft’s Internet Explorer browser is used to display HTML that an attacker supplies, including software that uses an ActiveX module, according to eEye. All users of Internet Explorer are potentially affected, according to the company, and should install the updates.

The MSN Chat control isn’t installed by default with any version of Windows or Internet Explorer and would have been installed by a user, according to Microsoft. The latest Windows operating system, Windows XP, includes a Windows Messenger program that is not affected by this vulnerability, according to the company. Windows XP users would be vulnerable only if they installed the MSN Chat control from MSN sites on their own.

Budd said Microsoft engineers used a development tool called Prefab to look for other possible vulnerabilities in the programs after the problems were reported. “Ultimately, software is a human enterprise at the end of the day and people make mistakes,” he said. “When we perform an investigation like this, we do our best to look for and find anything that might be related.”

Eric Hemmendinger, an analyst at Aberdeen Group Inc. in Boston, said businesses should be interested in such security announcements even if they’re not officially deploying these applications for their workers. “Even if the business is not using it, but people inside the business are, then they are vulnerable and the business is,” Hemmendinger said. IT officials need to check the company’s machines and be sure that any needed fixes are applied, he said.

Charles Kolodgy, an analyst at IDC in Framingham, Mass., said buffer overflows continue to be a problem in many software applications because programmers often forget to set the needed parameters in applications.

Many businesses fight back to protect themselves, he said, by blocking the acceptance of HTML e-mail and setting up their networks to prevent workers from downloading unauthorized applications, including chat and instant messaging programs.