Video Conversation Buffer Overflow

Aug 28, 2007 16:21 GMT

Windows Live Messenger can be taken down via a vulnerability affecting the Video Conversation functionality. Security outfit Secunia has just reported what seems to be a zero-day security flaw impacting versions 6.x and 7.x of Windows Live Messenger, formerly MSN Messenger. According to the security advisory posted by Secunia, the vulnerability carries a severity rating of Critical, as it allows for remote arbitrary code execution. At this point in time, there is no update from Microsoft addressing the issue. In fact, the Redmond company has not even confirmed the validity of the flaw.

"A vulnerability in MSN Messenger can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the handling of video conversations and can be exploited to cause a heap-based buffer overflow via specially crafted data sent to a user. Successful exploitation may allow execution of arbitrary code, but requires that the victim accepts the incoming Web Cam invitation," Secunia revealed.

"An exploit appears to be available of which the description states it will cause a Denial-of-Service attack on MSN Messenger, and likely allows remote code execution on Win2k SP4 Chinese. If accurate, an offset change is likely all that is needed for this to work on other language releases. According to the report, Windows Live Messenger 8.1 and higher are not affected. While Microsoft has not yet officially confirmed this vulnerability, we advise users not to accept untrusted video conversation sessions at this time," stated an advisory from the Internet Storm Center.

Currently, only versions 7.x and older of Windows Live Messenger have been reported to be vulnerable. Versions 8.1 and above have not been confirmed to be impacted by the MSN Messenger Video Conversation Buffer Overflow vulnerability. Microsoft estimates that there are no fewer than 280 million users of its instant messaging client worldwide.

Windows Live Messenger (formerly MSN Messenger) 8.5.1235 Beta, designed with Windows Vista in mind, is available for download.