IE and MSN Messenger open door for attackers

Update: Problems with the way two of Microsoft's Internet applications process images could lead to DoS attacks and arbitrary code execution

Microsoft's Internet Explorer (IE) and MSN Messenger programs contain a security vulnerability that could be used by attackers to crash and possibly execute arbitrary code on a victim's system when they view a specially crafted image file.

SecurityFocus, a specialist security Web site, published an advisory on Saturday describing a vulnerability in the way IE and MSN Messenger client handles International Color Consortium (ICC) Profiles. ICC is an international colour management system that allows the same colours to be described in a number of operating systems and applications.

According to the advisory "both Microsoft Internet Explorer and MSN Instant Messenger can be crashed if image data with malformed embedded ICC profile data is processed. The condition is likely due to an integer handling error."

But according to iDefense, another security company, the flaws were patched last Tuesday.

A spokesperson from Sydney-based security specialists Pure Hacking, said that if a vulnerable user opens a specially crafted image file, they could allow arbitrary code to be executed on their computer.

"If MSN Messenger or IE opened an image, according to this advisory, it would be possible to at least crash it — it would have to be a malformed image and designed to do that," the spokesperson said.

Additionally, the vulnerability could be used to spread a worm: "If it all holds true, it may be possible to create a worm to take advantage of the vulnerability — but only if it is possible to execute code [on the vulnerable system] — which, at this stage, hasn't be done — there hasn't been a proof of concept, yet," the spokesperson said.

Last October, Microsoft released a patch to fix a similar vulnerability that affected Windows and a number of its other applications. At the time, experts said the potential for attack was "very high".

Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.