Microsoft Live Messenger Vulnerable

Microsoft Live Messenger is just another one of the products that help Microsoft maintain its first place in the chart for the most vulnerable vendors. Version 8.1 and possibly other versions too, have a flaw. The application does not bound-check user-supplied input the way it should and that's why it is prone to a denial of service attack. Now, let me explain this better, a failed bound check usually generates an exception, as some of you might know. A bound-check is used by a computer to tell if an index (an integer, basically) is or is not within the limits of an array (a vector or matrix).

Should a malicious user take advantage of this fact, they could remotely crash affected applications, causing a DoS to legitimate users. As seen on Security Focus, given the nature of the issue, remote attackers may also be able to execute code, but this has not been confirmed.

A denial of service is not something huge, I mean, there are worse type of attacks, however this is yet unpatched and there is no info on how it can be solved. Check out this page - it belongs to the guy that originally disclosed this issue. He advises users not to share any folder in MSN until all this is cleared up, but visit his page for more info and a more technical explanation. You may want to take a look here, too.

Also, here is a link to the official Windows Live Messenger page from which you can learn a lot about the software, how it works and see if any update pops up or if any solution or patch is issued for this problem.

You've been warned, and given a lot of info - the rest is up to you. Try to be careful, and not just when it comes to this problem, but also when tackling any cyber-security issue!