COMMAND
MSN
SYSTEMS AFFECTED
Win systems running MSN
PROBLEM
Dmitri Alperovitch found the following. After downloading and
briefly examining Microsoft's newly released MSN Messenger
(Microsoft's alternative to ICQ, AIM and other instant messaging
clients), we must say that Microsoft has not learned a single thing
from the serious security design mistakes made by other instant
messengers. Here is a list of vulnerabilities Dmitri found in
the first 30 minutes of using it:
1. The password (which is the same as your Hotmail e-mail password)
and the contact list are stored in the Registry
(HKEY_CURRENT_USER\Identities). They are both stored as ASCII
values in a binary field (Does Microsoft actually believe that
such an amateur trick is going to stop a serious hacker?)
2. The instant messages are sent unencrypted in MIME format.
Curiously, there is a mention of "security software licensed
from RSA Data Security, Inc" in the About box of the
application and the program is apparently using Crypto API Hash
functions for _something_ but it's unclear for what purpose.
It might actually send a password hash, instead of the real
password, in its communication with the server, but Dmitri
has not been able to check that yet.
3. The program is using Hotmail as its user base. So, if you do
not have a Hotmail account, you apparently cannot use the
program until you register one (nice marketing technique).
However, this also presents a big security problem. Hotmail
has a policy to terminate user accounts after 120 days of
inactivity. So, you might find yourself in a situation where
you've been unable to access your Hotmail account for 3 months
and someone else has registered your account and is
impersonating you on MSN Messenger!
These are only the most noticeable problems discovered by just
examining the program's operation, the registry, and very briefly
looking at the packets sent by the program. A closer and more
thorough examination of the packet exchange might reveal further
and maybe even more serious security weaknesses.
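As an added illustration of item 1 (not part of the original
advisory): ASCII text placed in a binary registry value is still
plain text, and an audit of a registry export can flag it. The
sketch assumes a .reg export already decoded to a string; the
subkey, value names and data below are constructed placeholders.

```python
import re

# Constructed sample in .reg export format; subkey, names and data are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Identities\{EXAMPLE-GUID}]
"ExampleSecret"=hex:68,75,6e,74,65,72,32,\
  21,00
"ExampleBlob"=hex:9f,02,c4,11,e0,7a,00,ff
"ExampleText"="not binary"
'''

PRINTABLE = set(range(0x20, 0x7F))  # visible ASCII plus space


def binary_values(reg_text):
    """Yield (key, value_name, data) for every hex: (REG_BINARY) value."""
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)  # undo line continuations
    key = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=hex:([0-9a-fA-F,]*)$', line)
        if m and key:
            data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
            yield key, m.group(1), data


def find_readable_secrets(reg_text, min_len=4):
    """Return binary values whose whole content is plain ASCII text."""
    findings = []
    for key, name, data in binary_values(reg_text):
        body = data.rstrip(b"\x00")  # tolerate C-string terminators
        if len(body) >= min_len and all(b in PRINTABLE for b in body):
            findings.append((key, name, body.decode("ascii")))
    return findings


if __name__ == "__main__":
    for key, name, text in find_readable_secrets(SAMPLE_REG):
        print(f"{key}\\{name}: readable ASCII in REG_BINARY: {text!r}")
```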
SOLUTION
Nothing yet.