MSN Messenger flaw opens PCs up to hackers

NEWS Microsoft has admitted that a security flaw in its MSN Messenger software could allow hackers to delete files or cripple a user's computer. The flaw enables hackers to exploit a feature that allows chat users in a single virtual location (i.e. a chat room) to exchange text messages in a separate ActiveX-based window. Hackers can exploit the vulnerability to impose a buffer-overflow attack, according to Microsoft. Buffer-overflow vulnerabilities allow hackers to execute potentially harmful programs on a victim's computer, deleting files or crippling the system's security. Attackers can issue the buffer overflow through HTML email or a malicious website. MSN Chat Control, MSN Messenger versions 4.5 and 4.6, and Exchange Instant Messenger 4.5 and 4.6 are affected by the glitch. The flaw was found by eEye Digital Security. Users can download an updated version of MSN Messenger or Exchange Instant Messenger, or download an updated version of MSN Chat control from the company's chat websites. See http://www.microsoft.com/technet for the security notice.