14 DAY TRIAL // The latest release of Windows Live Messenger, build 8.5 is synonymous with the second beta stage for the product and was delivered concomitantly with the unified installer for the Windows Live platform. For users that are not too keen on beta versions, Microsoft is providing (since January) Windows Live Messenger 8.1. But the Redmond company also offered an updated version of MSN Messenger, to coincide with its monthly security bulletins release cycle. MSN Messenger 7.0 is available for Windows 2000; Windows 98; Windows 98 Second Edition; Windows ME and Windows XP. A member of the SWI team in the Microsoft Security Response Center made available additional details related to the vulnerability impacting various versions of its instant messaging client, including MSN Messenger 6.2, 7.0, 7.5 and Windows Live Messenger 8.0.
The flaw "has been fixed in Windows Live Messenger 8.1, which has been automatically offered to users since February 2007. The vulnerability is in the library that handles the video chat webcam protocol. The 7.0.0820 release is a version of 7.0 with the fixed 8.1 webcam library (hermes.lib). Windows 2000 and older clients will need to upgrade to 7.0.0820," the SWI member explained.
"Our calculations have resulted in a high urgency rating for the MSN / Live Messenger issue. [Because the flaw] grants a remote attacker the ability to run arbitrary code on the target machine if the target user performs a specific action (clicks on a link or accepts an incoming message). We rate the issue in MSN Messenger/Live Messenger higher [than the Microsoft severity rating of Important], due to the availability of public proof-of-concept code known to work on at least one platform. From the perspective of an affected user, the knowledge that they could have upgraded some time ago may not be much solace," stated Ben Greenbaum, Symantec Sr. Security Response Researcher.
Microsoft explained its decision to rate the MSN and Windows Live Messenger vulnerability only as Important due to the mitigations that prevent exploitation. The company underlined the fact that only the webcam protocol is affected and exploits have to coincide with an active videochat session. This drastically reduces the possibility of users being at risk, due to the fact that they first have to accept a videochat invitation from an attacker.