
New MSN Messenger Worm Another Reason To Patch IE Browser


pyro


Windows users wondering why they should bother installing the latest security patches for Microsoft's Internet Explorer browser found new motivation Wednesday: fast-moving instant-messenger worms that appear to be built on code security researchers published to demonstrate one of the browser's vulnerabilities.

At least one of the worms is already being analyzed by anti-virus companies, who say code some call CoolNow appears harmless, although it did attempt to forward the e-mail addresses of MSN Messenger users to a mailbox at Wanadoo's Web portal for the Netherlands.

The worm takes advantage of a bug in Internet Explorer browsers that allows a hacker to use a common JavaScript function imbedded in Web pages to access files on an unsuspecting user's hard drive.

In what they said was an effort to speed Microsoft's efforts in patching its software, programmers Tom Gilder and Thor Larholm demonstrated last week how what became known as the "Document.Open" bug allowed them to easily manipulate ActiveX controllable Windows software like MSN Messenger.

A "super-patch" released by Microsoft Monday fixes some well-known security problems in the IE browser version 5.01 and up and would prevent the exploitation of MSN Messenger demonstrated by Gilder and Larholm.

In their demonstration, the two programmers showed how a malicious individual might be able to harvest the MSN Messenger buddy lists of those who can be enticed to load a specially crafted Web page. They also demonstrated how access to ActiveX controls allowed them to send messages to those contacts which would appear to come from an unwitting MSN Messenger user whose buddy list had been exposed.

The CoolNow worm spotted Wednesday may have been built from code copied from Gilder's and Larholm's example. Numerous variables in the code for which a programmer could have selected his or her own labels were named exactly as those in the sample exploit.

New in CoolNow, however, is code that sends every contact in an MSN Messenger buddy list an alert that urges those individuals to visit a particular Web page. However, Messenger users with unpatched versions of the IE browser might have been infected by the same worm after loading the rogue Web page Wednesday, causing their systems to send the same message to all contacts on their buddy lists.

The Web site originally pointed to by CoolNow has already been taken offline, but there are reports that variations on the "Document.Open" exploit are directing MSN Messenger users to other Web pages across the Net.

Larholm reiterated early today that hijacking MSN Messenger is just an example of what a hacker can do with the "Document.Open" vulnerability in unpatched versions of the IE browser.

"This allows you to remote-control a user's entire Windows machine," he said in a message posted on the Slashdot Web site.

Microsoft's bulletin and download instructions for the most-recent IE patch are here: http://www.microsoft.com/technet/security/bulletin/MS02-005.asp.
