=====================================================================
                                    CERT-Renater

                         Information Note No. 2007/VULN362
_____________________________________________________________________

DATE                      : 12/09/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running MSN Messenger,
                                 Windows Live Messenger.

======================================================================

http://www.microsoft.com/technet/security/Bulletin/MS07-054.mspx
______________________________________________________________________

MS07-054 - Vulnerability in MSN Messenger and Windows Live Messenger Could
Allow Remote Code Execution (942099)

Affected Software:
    -MSN Messenger 6.2
    -MSN Messenger 7.0
    -MSN Messenger 7.5
    -Windows Live Messenger 8.0

Non-Affected Software:
    -MSN Messenger 7.0.0820
    -Windows Live Messenger 8.1

Full MS07-054 advisory:
    http://www.microsoft.com/technet/security/Bulletin/MS07-054.mspx


Vulnerability Details:
	
MSN Messenger Webcam or Video Chat Session Remote Code Execution
Vulnerability - CVE-2007-2931

    A remote code execution vulnerability exists in MSN Messenger 6.2, MSN
    Messenger 7.0, MSN Messenger 7.5, and Windows Live Messenger 8.0. The
    vulnerability could allow remote code execution when a user chooses to
    accept a webcam or video chat invitation from an attacker. An attacker
    who successfully exploited this vulnerability could take complete
    control of the affected system. Users whose accounts are configured to
    have fewer user rights on the system could be less impacted than users
    who operate with administrative user rights.

    This vulnerability requires that a user be signed on to the MSN
    Messenger or Windows Live Messenger service and accept a webcam or
    video chat invitation for any malicious action to occur. Therefore, any
    system where MSN Messenger 6.2, MSN Messenger 7.0, MSN Messenger 7.5,
    or Windows Live Messenger 8.0 is used, such as workstations or servers,
    is at risk from this vulnerability.


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================




