PT-2006-1434 · Microsoft · Msn Messenger

Published: 2006-01-22

Updated: 2018-10-19

CVE-2006-0363

CVSS v2.0: 2.1 (Low)

Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

MSN Messenger version 7.5

Description

The issue concerns the "Remember my Password" feature, which stores passwords in an encrypted format under the HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds registry key. This might allow local users to obtain the original passwords via a program that calls CryptUnprotectData. It is noted that local-only password recovery is inherently insecure due to the need to store decryption methods and keys on the local system.

Recommendations

For MSN Messenger version 7.5, consider disabling the "Remember my Password" feature to minimize the risk of password recovery. As a temporary workaround, restrict access to the HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds registry key to prevent unauthorized password decryption.

Fix

Related identifiers

CVE-2006-0363

Affected products

Msn Messenger