Shoutbox

To take things in a bit of perspective:

Such flaws have never been misued to hack someone. They are possible security issues and many of them are even theoretical security issues (they could be used in theory, but never are in practice). 99.99% of them are found before anyone has been able to abuse them, if they even were possible to be used in that manner in practice. This is a very important note to take (especially for paranoids) when it comes down to heap buffer overrun flaws (which are what those security issues were). For more info on such buffer overrun issues see some very technical sites and papers. The important thing to remember is that those are possible in theory, but in practice it seldom works and it would be more "luck" than anything else; though they are considered more dangerous than stack buffer overruns (the later are very common actually in many programs).
PS: the only known virus which was somewhat succesfully in exploiting such a heap buffer overrun existed in 2002, afaik.

So, many of those issues are extremely hard to abuse and you need an extremely good programming knowledge and knowledge of the issue in order to even be able to, very maybe, abuse it in practice, and it would in practice only work in very specific situations and conditions. And the people who would be able to do this, are not going to bother to hack you, they probably have more interest in other things.

Remember that 99% of all virusses (especially the onces you could encounter in Messenger) are made by so called "script-kiddies", people who only have a very limited basic knowledge of what they are doing, and they usually do it in a basic programming language or even a script language more by copy-pasting code than actually programming.

Also, the chance that some real hacker will hack you is extremely small. Usually hackers do not hack one individual, they simply scan thousands of computers at random to find some weakness.

As for Messenger, it is not because version X has a flaw that the next update will have that flaw also. That is why it is extremely important to always install updates (goes for _any_ software, including Windows itself) and why it is very important to always mention the full complete version number. For example, there have been like 10 different "Messenger 8" versions. However there only was one Messenger 8.0.0812.

Don't worry about such things too much as long as you make sure you always have the latest version. And never execute a file which you recieve from someone in Messenger or by email, unless you know for sure that the file is safe and unless you expected the file.

Today the latest Messenger versions which can still be used, on Windows, are:
- Windows Messenger 5.1.0706 (for XP only)
do not confuse this with Windows Live Messenger... (and this shows the importance of version numbers and especially naming the things by their proper real name
- MSN Messenger 5.0.0575 (for Windows 95)
- MSN Messenger 7.0.0820 (for Windows 2000, 98, 98SE, ME and XP)
- Windows Live Messenger 8.1.0178 (for Windows Server 2003, XP and Vista) edit: depricted
- Windows Live Messenger 8.5.1302.1018 (for Windows XP and Vista) edit: depricted

Thus, for example, MSN Messenger 7.5 and Windows Live Messenger 8.0 to 8.5 have been dropped and can not be used anymore. They have been dropped because of such buffer overun issues/bugs. If you once used them, you must update to the latest version.

The latest version of Windows Live Messenger can be found here: http://messenger.live.com/

Also read:
http://messengersays.spaces.live.com/blog/cns!5B4...30829E!29791.entry
http://www.microsoft.com/technet/security/bulletin/ms07-054.mspx
which talks about that specific Webcam security issue.

To answer your original question: There were possible security issues where someone could execute some remote code on your computer by initiating a video chat. This means they did _not_ need to send you any files, like it was suggested a couple of times in this thread! However, as I also said before, 99% of all 'virusses' are spread by contacts sending files though (knowingly or unknowningly). So don't accept anything, and especially don't execute anything unless you know absolutely it is safe. If you have the slightest doubt, don't execute the files.

quote:

---

Originally posted by CookieRevised
Such flaws have never been misued to hack someone. They are possible security issues and many of them are even theoretical security issues (they could be used in theory, but never are in practice). 99.99% of them are found before anyone has been able to abuse them, if they even were possible to be used in that manner in practice. This is a very important note to take (especially for paranoids) when it comes down to heap buffer overrun flaws (which are what those security issues were). For more info on such buffer overrun issues see some very technical sites and papers. The important thing to remember is that those are possible in theory, but in practice it seldom works and it would be more "luck" than anything else; though they are considered more dangerous than stack buffer overruns (the later are very common actually in many programs).

---

I would have thought the reliability of a stack buffer overflow would make them more dangerous? Then again, I've never heard of a heap buffer overflow exploit before.

Thanks alot guys for all the info ^^  and links