A vulnerability in Windows Live Messenger has been reported by
JAAScois. The vulnerability is exploited by loading a specially
crafted contact list (*.ctt) file which causes an overflow allowing
arbitrary code to be executed.
From the point of view of a malicious user, he can just send the
specially crafted .ctt file through e-mail and social engineer a
target user to load the contact list to Windows Live Messenger thus
exploiting the target user’s system.
More information can be found here.
