PT-2006-1434 · Microsoft · Msn Messenger

Published 2006-01-22 · Updated 2018-10-19 · CVE-2006-0363

CVSS v2.0: 2.1 (Low)

Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

MSN Messenger version 7.5

Description

The issue concerns the "Remember my Password" feature, which stores passwords in an encrypted format under the HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds registry key. This might allow local users to obtain the original passwords via a program that calls CryptUnprotectData. It is noted that local-only password recovery is inherently insecure due to the need to store decryption methods and keys on the local system.

Recommendations

For MSN Messenger version 7.5, consider disabling the "Remember my Password" feature to minimize the risk of password recovery. As a temporary workaround, restrict access to the HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds registry key to prevent unauthorized password decryption.

Fix


Related Identifiers

CVE-2006-0363

Affected Products

Msn Messenger