A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. The vulnerability results because the Messenger Service does not properly validate the length of a message before passing it to the allocated buffer.

An attacker who successfully exploited this vulnerability could run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. The attacker could then take any action on the system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.
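
The missing check described above, as an added example that is not Messenger Service code or part of the bulletin: a hypothetical message-store routine shown without length validation and then with it. The function names, status codes and the 128-byte buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_SIZE 128  /* assumed size of the fixed message buffer */

enum store_status { STORE_OK = 0, STORE_BAD_ARG = -1, STORE_TOO_LONG = -2 };

/* Defect class from the bulletin, shown for contrast and never called:
 * the sender-controlled length is used without checking the buffer size. */
void store_message_unchecked(char *dst, const char *msg, size_t msg_len)
{
    memcpy(dst, msg, msg_len);  /* writes past dst if msg_len >= buffer size */
    dst[msg_len] = '\0';
}

/* Hardened form: validate the length against the destination before any
 * byte is copied, and reject (not truncate) a message that does not fit. */
enum store_status store_message_checked(char *dst, size_t dst_size,
                                        const char *msg, size_t msg_len)
{
    if (dst == NULL || msg == NULL || dst_size == 0)
        return STORE_BAD_ARG;
    dst[0] = '\0';              /* never leave stale data on rejection */
    if (msg_len >= dst_size)    /* ">=" keeps one byte for the terminator */
        return STORE_TOO_LONG;
    memcpy(dst, msg, msg_len);
    dst[msg_len] = '\0';
    return STORE_OK;
}

int main(void)
{
    char buf[MSG_BUF_SIZE];
    char oversized[MSG_BUF_SIZE * 2];           /* constructed test input */
    memset(oversized, 'A', sizeof oversized);

    size_t lengths[] = { 5, MSG_BUF_SIZE - 1, MSG_BUF_SIZE, sizeof oversized };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        enum store_status st =
            store_message_checked(buf, sizeof buf, oversized, lengths[i]);
        printf("len=%zu -> %s\n", lengths[i],
               st == STORE_OK ? "stored" : "rejected");
    }
    return 0;
}
```

The boundary case is a message exactly as long as the buffer: it is rejected because the terminator would land one byte past the end.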

Affected software:
Windows NT 4.0
Windows NT 4.0, Terminal Server Edition
Windows 2000
Windows XP
Windows Server 2003

View: Microsoft Security Bulletin MS03-043