=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2008/VULN305
_____________________________________________________________________

DATE                      : 13/08/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Windows Messenger.

======================================================================
KB955702
http://www.microsoft.com/technet/security/bulletin/ms08-050.mspx
______________________________________________________________________

Microsoft Security Bulletin MS08-050 - Important

Vulnerability in Windows Messenger Could Allow Information Disclosure
(955702)

    Published: August 12, 2008

    Version: 1.0

General Information

Executive Summary

    This security update resolves a publicly reported vulnerability in
    supported versions of Windows Messenger. As a result of this
    vulnerability, scripting of an ActiveX control could allow information
    disclosure in the context of the logged-on user. An attacker could
    change state, get contact information, and initiate audio and video
    chat sessions without the knowledge of the logged-on user. An attacker
    could also capture the user's logon ID and remotely log on to the
    user's Messenger client impersonating that user.

    This security update is rated Important for all supported editions of
    Microsoft Windows 2000 and Windows XP, and Moderate for all supported
    versions of Windows Server 2003. For more information, see the
    subsection, Affected Software, in this section.

    Recommendation.  Microsoft recommends that customers apply the update
    at the earliest opportunity.

Affected Software

    Windows Messenger 4.7

    Windows Messenger 5.1

Vulnerability Information

Messenger Information Disclosure Vulnerability - CVE-2008-0082

    An information disclosure vulnerability exists in supported versions
    of Windows Messenger. Scripting of a particular ActiveX control,
    Messenger.UIAutomation.1, could allow information disclosure from
    these programs in the context of the logged-on user. An attacker could
    change state, get contact information, and initiate audio and video
    chat sessions without the knowledge of the logged-on user. An attacker
    could also capture the user's logon ID and remotely log on to the
    user's Messenger client as that user.

Workarounds for Messenger Information Disclosure Vulnerability -
CVE-2008-0082

    Configure Internet Explorer to prompt before running Active Scripting
    or to disable Active Scripting in the Internet and Local intranet
    security zone

    Set Internet and Local intranet security zone settings to "High" to
    prompt before running ActiveX Controls and Active Scripting in these
    zones

    Set the killbit for the Messenger.UIAutomation.1 control

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================