Reported March 9, 2004, by Microsoft.

 

 

 

VERSIONS AFFECTED

 

·         Microsoft MSN Messenger 6.0 and 6.1

 

 

DESCRIPTION

 

A vulnerability exists in Microsoft MSN Messenger that could result in information disclosure on the vulnerable system. The vulnerability is a result of a flaw in the method that MSN Messenger uses to handle a file request. An attacker can exploit this vulnerability by sending a specially crafted request to a user running MSN Messenger. If the attacker exploits the vulnerability successfully, he or she can view the contents of a file on the hard disk without the user's knowledge as long as the attacker knows the location of the file and the user has read access to the file.

 

VENDOR RESPONSE

 

Microsoft has released security bulletin MS04-010, "Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)," to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.

 

CREDIT

 

Discovered by qFox and Mephisto.