Microsoft MSN Messenger/Windows Messenger PNG Buffer Overflow Vulnerability



Date Discovered

February 8, 2005


A remotely exploitable buffer overflow exists in MSN Messenger and Windows Messenger. This vulnerability is related to parsing of Portable Network Graphics (PNG) image header data. Successful exploitation will result in execution of arbitrary code in the context of the vulnerable client user. Attack vectors and mitigations may differ for MSN Messenger and Windows Messenger. For Windows Messenger, the attacker must spoof the .NET Messenger service and the client must be configured to receive .NET alerts. However, MSN Messenger may be exploited through various methods in a client-to-client attack. Possible attack vectors for this vulnerability in MSN Messenger include: User display pictures Custom icons that are displayed inline in instant messages Thumbnails of transferred images Background images Since this issue may be exploited in a client-to-client attack for MSN Messenger, it is a likely candidate for development of a worm. This issue was originally described in BID 10857. Further analysis has determined that there are unique properties of the vulnerability that distinguish it from the general libpng issue on other platforms.

Technologies Affected

  • Microsoft MSN Messenger Service 6.1
  • Microsoft MSN Messenger Service 6.2
  • Microsoft Windows Messenger
  • Microsoft Windows Messenger
  • Microsoft Windows Messenger 5.0
  • Microsoft Windows XP 64-bit Edition Version 2003
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Media Center Edition SP1
  • Microsoft Windows XP Professional SP1
  • Microsoft Windows XP Tablet PC Edition SP1
  • Nortel Networks IP softphone 2050
  • Nortel Networks Mobile Voice Client 2050
  • Nortel Networks Optivity Telephony Manager (OTM)
  • Nortel Networks Symposium Call Center Server (SCCS)


Block external access at the network boundary, unless external parties require service.
MSN Messenger communications may be blocked at the network perimeter. This may reduce exposure to clients within the network.

Run all software as a nonprivileged user with minimal access rights.
Running all client software as a user with minimal privileges may help mitigate the impact of a successful exploit attempt.

Do not accept or execute files from untrusted or unknown sources.
Avoid opening image files that originate from users of questionable integrity.

Implement multiple redundant layers of security.
An attacker's ability to exploit these vulnerabilities, to execute arbitrary code, may be hindered through the use of various memory protection schemes. Where possible, implement the use of non-executable and randomly mapped memory segments.

Microsoft has released fixes to address this vulnerability in affected Microsoft software. The fix for Windows Messenger running on Windows XP Service Pack 1 has been revised. Nortel Networks has released security advisory 2005005516-2 acknowledging this issue. Please see the referenced advisory for further information.



Juliano Rizzo of Core Security Technologies identified these issues in MSN and Windows Messenger.

© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from


The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.