A vulnerability (http://secunia.com/advisories/26570/) in MSN Messenger poses a severe risk of compromise for users of older versions of the software who accept untrusted web cam sessions.

Security bugs involving the handling of video conversations (web cam streams) by some versions of Microsoft's chat client create a means for hackers to inject hostile code onto vulnerable systems. Hackers first need to trick potential marks into accepting an incoming Web Cam invitation, before launching specially malformed data streams.

The heap-based buffer overflow vulnerability affects MSN Messenger version 7 and below. No immediate patch is available for older versions of MSN Messenger. Exploit code for this vulnerability is publicly available, security clearing house CERT warns (http://www.kb.cert.org/vuls/id/166521), a factor that makes launching an attack far more straightforward.

Users are encouraged to upgrade to Windows Live Messenger 8.1 or later, which is immune from the vulnerability. ®

Related stories

Microsoft to buy chinwag platform Parlano (30 August 2007)
http://www.theregister.co.uk/2007/08/30/microsoft_acquires_parlano/
Skype worm leaps onto MSN (24 May 2007)
http://www.theregister.co.uk/2007/05/24/skype_msn_worm/
Microsoft brings instant messaging to Xbox Live (10 April 2007)
http://www.reghardware.co.uk/2007/04/10/im_on_xbox/
MSN punts 'scareware' (21 February 2007)
http://www.theregister.co.uk/2007/02/21/msn_messenger_scareware/
Microsoft launches Windows Live package (13 December 2006)
http://www.theregister.co.uk/2006/12/13/microsoft_launches_windows_live_package/
Child protection extends to MSN (23 August 2006)
http://www.theregister.co.uk/2006/08/23/msn_ceop_collaborate/
MSN Messenger worm seeds zombie networks (4 February 2005)
http://www.theregister.co.uk/2005/02/04/msn_messenger_bropia_worm/