Hi everyone.  Jonathan from the SWI team in the MSRC here again.  I'd like to give some more detail around the conditions required to exploit MS07-054, the vulnerability in MSN Messenger and Windows Live Messenger. 

As the bulletin states, MS07-054 affects MSN Messenger 6.2, 7.0, 7.5 and Windows Live Messenger 8.0.  It has been fixed in Windows Live Messenger 8.1, which has been automatically offered to users since February 2007.  The vulnerability is in the library that handles the video chat webcam protocol.  The 7.0.0820 release is a version of 7.0 with the fixed 8.1 webcam library (hermes.lib).  Windows 2000 and older clients will need to upgrade to 7.0.0820.

I'd also like to point out some pretty significant mitigations in place for this vulnerability.  The vulnerability is specifically in the webcam protocol and can only be exercised during an established videochat session.  An attack can't happen unless you accept a videochat invitation from a malicious user, like the invitation you see in this graphic:

And by default you can only videochat with people on your buddy list.  However, if you accept a webcam videochat invitation from an attacker, you can be exploited even if you don't have a webcam yourself, because we support one-way video chat.  So until you upgrade to either 7.0.0820 or 8.1, be especially cautious about accepting webcam videochat invitations.

We hope that this information was interesting and useful to you.  Thanks for reading!

Jonathan


*This posting is provided "AS IS" with no warranties, and confers no rights.*