Users login

Create an account »


Users login

Home » Hacking News » CERT Advisory CA-2002-13 Buffer Overflow in Microsoft's MSN Chat ActiveX Cont

CERT Advisory CA-2002-13 Buffer Overflow in Microsoft's MSN Chat ActiveX Cont

by Nikola Strahija on May 11th, 2002 Microsoft's MSN Chat is an ActiveX control for Microsoft Messenger, an instant messenging client. A buffer overflow exists in the ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user.

I. Description

A buffer overflow exists in the "ResDLL" parameter of the MSN Chat
ActiveX control that may permit a remote attacker to execute arbitrary
code on the system with the privileges of the current user. This
vulnerability affects MSN Messenger and Exchange Instant Messenger
users. Since the control is signed by Microsoft, users of Microsoft's
Internet Explorer (IE) who accept and install Microsoft-signed ActiveX
controls are also affected. The Microsoft MSN Chat control is also
available for direct download from the web.

The tag could be used to embed the ActiveX control in a web
page. If an attacker can trick the user into visiting a malicious site
or the attacker sends the victim a web page as an HTML-formatted email
or newsgroup posting then this vulnerability could be exploited. This
acceptance and installation of the control can occur automatically
within IE for users who trust Microsoft-signed ActiveX controls. When
the web page is rendered, either by opening the page or viewing the
page through a preview pane, the ActiveX control could be invoked.
Likewise, if the ActiveX control is embedded in a Microsoft Office
(Word, Excel, etc.) document, it may be executed when the document is

According to the Microsoft Advisory (MS02-022):

It's important to note that this control is used for chat rooms on
several MSN sites in addition to the main MSN Chat site. If you
have successfully used chat on any MSN-site, you have downloaded
and installed the chat control.

The CERT/CC has published information on ActiveX in Results of the
Security in ActiveX Workshop (pdf) and CA-2000-07.

This issue is also being referenced as CAN-2002-0155:

II. Impact

A remote attacker may be able to execute arbitrary code with the
privileges of the current user.

III. Solution

Apply a patch from your vendor

Microsoft has released a patch, a fixed MSN Chat control, and upgrades
to address this issue. It is important that all users apply the patch
since it will prevent the installation of the vulnerable control on
systems that have not already installed it.

Download location for the patch:

Download location for updated version of MSN Messenger with the
corrected control:

Download location for updated version of Exchange Instant Messenger
with the corrected control:

Microsoft also suggests that the following Microsoft mail products:
Outlook 98 and Outlook 2000 with the Outlook Email Security Update,
Outlook 2002, and Outlook Express will block the exploitation of this
vulnerability via email because these products will open HTML email in
the Restricted Sites zone.

Other mitigation strategies include opening web pages and email
messages in the Restricted Sites zone and using email clients that
permit users to view messages in plain-text. Likewise, it is important
for users to realize that a signed control only authenticates the
origin of the control and does not imply any information with regard
to the security of the control. Therefore, downloading and installing
signed controls through an automated process is not a secure choice.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, please check the Vulnerability
Note (VU#713779) or contact your vendor directly.




The CERT/CC acknowledges the eEye Team for discovering and reporting
on this vulnerability and thanks Microsoft for their technical

Feedback can be directed to the author: Jason A. Rafail

This document is available from:

CERT/CC Contact Information

Email: [email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more

Getting security information

CERT publications and other security information are available from
our web site

To subscribe to the CERT mailing list for advisories and bulletins,
send email to [email protected] Please include in the body of your

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.

Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History
May 10, 2002: Initial release

Version: PGP 6.5.8


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »