Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Trillian Vulnerabilities Open to Remote Exploitation



 By: Brian Prince
2007-05-01
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Three flaws affecting the Trillian IM chat application that could lead to remote exploitation by hackers are fixed in new Trillian version.

Cerulean Studios has patched multiple vulnerabilities in its popular chat application that could have been exploited remotely by attackers.

Cerulean Studios are the makers of Trillian, an instant messaging consolidation application that supports IRC, ICQ, AIM and MSN protocols. In its latest version of Trillian, the company fixed three vulnerabilities in the IRC (Internet Relay Chat) module that could have been exploited remotely and given attackers the ability to intercept private conversations or execute code, security researchers at iDefense Labs reported.

Resource Library:
Researchers at IM security provider Akonix Systems said the number of malicious code attacks over IM networks is on the rise. Akonix tracked 38 such attacks during April, including IM worms such as Pykse, Samo and Tiotua.

Click here to read more about message security and compliance issues.

"Malware continues to be released through IM networks, and is on the rise again for the first time since January," said Don Montgomery, vice president of marketing at Akonix. "Businesses cannot ignore the liabilities and potential damage they are opening themselves up to with unmanaged IM applications and networks."

According to iDefense, it is possible to cause the Trillian IRC client to return a malformed response to the server when handling long CTCP PING messages with UTF-8 characters. "This malformed response is truncated and is missing the terminating newline character," the iDefense advisory states. "This could allow the next line sent to the server to be improperly sent to an attacker."

In addition, whenever a user highlights a URL in an IRC message window, the chat application copies that data and places it in an internal buffer. If the URL contains a long string of UTF-8 characters, it is possible to overflow a heap-based buffer, corrupt memory and open the door for code execution, iDefense officials stated.

The final flaw allows a heap overflow to be triggered remotely when the IRC module receives a message that contains a font face HTML tag with the face attribute set to a long UTF-8 string. iDefense warns that attackers could use this vulnerability to intercept private communications for Trillian IRC users or execute code with the credentials of the currently logged on user.

The vulnerabilities affect Cerulean Studios Trillian 3.1, and have been addressed in Trillian version 3.1.5.0.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Trillian Vulnerabilities Open to Remote Exploitation
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}v6EvK9%wkڶ<==: I)CR;[7]hɗNn:-`U* wAȅ3!9)ٟ0O,zIj}ݻPAezAUM JԶO7RM3ĩ /4w7GlJ{'AT{j xL5uΚMH}ٚ7'x2)Xm$8z@'AjZw$6(GJ{8KE!@׶շ8>vP ߨUaÙO,}!*{>&J%h1Qu Q{/ !X]~D41ٮq 4]b'*cO^3j a㥨 aP`\9t} ^- Go&lw&"ScO$ӡ%NfI%p/0Q#@oڮSTHf̲;o tG ob}uק&[! bS 3MuN_FBS IgK[a楣 ?GpA'ס"'ml_k| tvs<&s~3 CoZHUK6ԃ)C(p}=\'BL}:/DzEӝÌfؖq[th(퉦GZMQNJʑrxt,^/[,\hoz/ j]: $(֝[hmiu]+iG0^=;yԸ}  d}+5'}&KDeR)Nfi& 0h!5ttXB,9DF nOnF)ډVR]j'F[V@aF`%pfQU>gsKj]:6>:sd?ekfy3ժ?T2ؕgxg4X:n[77VOλ=j _ܹOlDM Wh6w0N[_lxmķaf; dPp9L+pZ|$~hu_d[ןN/:g ML[LJ0dN`mYn_H!-OAO~@X*,>Ja͢4-I`o$3NE ;- uv5Px۬)MZ!rƒ uKs^8nZK0[RFp\ ДQ#\ذ 1"%̟hyՋ,}Et"Aͩ8 .+J!bN3E !\J!}! g|8Jn.r? [&fu՜Ӆ]We>ǘ*}י4^Eݫ~?]6LqJjhX.B2iKB0.pkۛZrϏRCxQ9R_W, FKP̶#ؠe)u{yΆNQ'}5>'4}t>'჎$>h&ƋCri|BݘZ H70i\+Oݺ~L^TŞ+LК#0#GE 6]LR}t 9q HhQ0|s0Y[3aP#[ӽ:Fz?a= 0.ZmAe^~}¢!1y@Xȁ{f`sowe#97(u%w2ZK ] cRRR$S_]HPw9DJ B!B0HV0(VG aô\.y"m':.܉;T!ڹLX>أXB YX/E_R23#CdɬaX91{MfT`"[OKᙖ6FlyxhQNhڛ-Â%1Aμs6I`0EHC;N-: xC1!q"% t0x>fXfZ1kpJa"@ 2iE3ˁ2$vTD>L˄Fr=6`=϶Y$uuK:0s k2'yv=.Q1jWuϙܑm˹ȇroBoڅRU眺_dA_fMjlȜu>IVBO7cnS^ښtɕu.FhJ~*tz~#JCݼ~hé;h{q#%MAw=U檳@:[6[K7˦I8ʰ.Z.UYlc70Ԣ(P|M$"!lsiͰ,C /0|Cb&^ethQsuC|pöV/UKW3BZYSj2ej-[`B]PeܠQ@3%XsPQ[ |tkuꟹPCߵK|> 7S=dsqu3$0TϟQ,C* ( >Eװ DؙZSS{<`m1Jx>hx# d\6XbO`#Všk/f;ˋ°^]v4~|2m V!2GD+ه0`-EDMR^-#0iTWJIU/Ҥ`k@Lf2,rǮmAu،; 4=}Zj\Z<>7Q>U< ıςL׃REaT8j]x 20\n}OДa˘;|q7Nl*IÒTRyP2~2j&8x_ℯ/8͠83Yoÿο(GCzCp`>sW.}O>yN -h'(0ZN O*GJ?#2ByQYhw\rRkCL˧FxroՓ)u7uav9Aخ kqAmY1pWgPV#85 '& aBg%:!pwC):2,npw]0XAG50qHG&{+E689 n:+@+jSV,tu `_ nM=זG$*X  d5}u*գZIe߯yUbY څHB:GdDC+`Zv*6'wj6Jh)6YS!RW dĞeeKelkC鳨ݹY$8 MGFi$]|;P vfVɍZvN'_&Ʀ(ɘVNaےf28ڇF18=[? |{.r :=Fh=Эt;ۧq;?,WE8&}kPow(*Gq3`3"豥mBtH+'&GlE;:Ҏ*6Xk<v/H| ~[qw?IQ9p驔Jg HWt<,#?3~egYLg$R):*9Q_Qk0KJ}J_cNf?i<& ]l{pXXJqV3^c~:)}C/mN9˝~B!g9o <%E٦=ԛc2L:1D&rޚSE[B-{t#1QLwS1|$zdeanKlxӌ#+y-EY-V6yғ;qz])ELU9&Q񰸇{~T=:Jl;spq"?h9c7:^jG/sy"O+:^-,':]@!_zϜGoIM21/ȄKԍ)A/x9GQ r0xf&4NlEWy/("+x^q")Xf>VAv,x\J}[< H-@N zP ߼=oq>p]9Qz AC~gM}\0n;~6rO07)۽l9niimǡ8 0^l"4P$EUՊZFrVU $]eNFftZt@2&/lFǵ4 Z2fP:;G׍[qGecz0XoW{U"u?3i8e~WJ]i}E)]K5"v%KJ*IɧE,IQ)"{"F%t`5o14НLl*z>;-35&i 1N6;xo :l0̰@ b@ff7g\8 9SP`-ݺܭ)³$`DI@R缩gA j(l ڄ0\f> V*OJWc+YT=9bzQ%F}?YS+xϗiL@g4ۺg Y苪eH m sgGa1b)}@dj?xk;Ҳ&RIsF}/LĞ](b?b@,!?̓ I"H4 zs$|cx>!= erzD(,!eՒV-X#˾ӭQGeqpOVI&E;l'אX.5MИ P0 ٠A\7_eVfK, xnKk³@8T T:&.a'g? @0a$<նa*Zwt7/P'{) hN*,91qS+a?Lhޗ%/;s - ^P%X>N{\ZmK'5c: < zȁnұ?AM) U Ӏ%e<": +Β{$%Oe 5cºO|䳰ǟX:AFH)A*ɡSĄT@M2W>8&]/fiaԙLD{6?F6gʣ "o4E)KJIRoӧDD`=`kOd)cϰ @i` i0 s[$ˑnRwڮ{+ϤN{i>|6F0<v@7+ #"o<鵝*me˾%,kx,aQoўA%NUg8Lzw+cR4MS8 h{% $0?':BN *'<}|b-[|O?lNbj-9x-$۴ x2g{<oM\ެ@t}7%T^C5g0pt*L\7i HEl򾮦Tdm\ NaO0VM$Ir{[[EmrX6H^j/,glꮇ;ko~LiԥSH0v}OtGX𨸮;&q- oC JM;7po"!X +=2  DDK}5ƴ|I6^&wwi6Rhe B9m隺`OԗP}2)f1ޖwF  'xZf63sjqwZݝpoD7c"\̸M1 %5y1hokcۚ_۵ fO(ntv0e&XF~xqJC]6sI&A0P#5#T}3K6QAs~}?Β;u)o6K,t횆k^kof JGpـBcĈocޙk:^ n)Lg;ݞ!s¤$}f]π^ n # 06Q/N>O!J /mQDǚbyvFc3*Pݱ`pxR ϖE\ s V\-pu&@%}y6͝&K'31%$z^4al߼ ۩ ,fr*A[o;6௶eul>A/eԓ}`YmZۈY*yWvZZJ mYwx02zlï~JYf#e։ +V$N)1gL4 kQl(|r7{L,:'rpBk҃%>?w}<ͧ;2(P {j闶UЄI8O:ϨO-(p ۸{[dI'HrKt.4,1{.$Qw9ǶL_UkU~;\G~_*RGq dPb18!˦26,}e=F?Px/JC7GUNsqI"=6i[[Ʈ,Jfad6|$ƽlE߽gL2ҍۉ^4Gcu\[SS[ZnjUj9DNE0H ^XC0Ĕ~4. dRC8m/+iyp\+G6qΌ"F$drK1".sI(Ӫʑ^r~^ :VXuV%.g˘xVH=Қ0&^OE*ނ0H>P7R rRM`7|ŸCYM13цX50yfB׵GapvDwd|W@O[fkwhP♛U,y8UbH)ާ찌71ӍtuIEWy 9b).g#'xNLUtm-3|H-g:w:~1~"懵: 3S\YrVfЖh ͬ-j5%Vd]%F Rl 3];~  AKut G Ki~RJJMT߈fVܞUk*G@|tṜOĈVRR>fD9mǖA&W1h?`8фC c &[)<6$A .kx>aГORB2I11K= ߭-Ìk3dm*+x߰VIm{d72[ eꊍBLS`Nmvٹ WE{0haȈ>_s2Cߑ? 죇BG2e({r`(0&؝:*\˘ǪC~"?Ĉo9fHג sA֨o>ʑR`HU Ft883 *ҊF2*mM _{>nrnR-i`Ik„ ld Dps}<1@}vLI!5S"f5,ǰlFLNHөM۹fbWoH$P`+wdc>b|9gA(_$RK)uotQ:.( oI??­!~టRfjs# x_R 3N]<,rzhj߀dz?,Gy'a~2?yu:aC棙-ݳ5KfltQQ(b8+Mt?83,ȏݢTHmݜ(8S $Ѕ:x,@#!9ωJI{raeG'ZYQD(ɮ+뽩e2'{xCbRSJ9z53IǪZN*_P;fE#{8~ROSz% %uW0`A i2f2t\KD$$ ͈u0՝!XF 9ƪ^MNgӽ9%lkMߢԲQwi{sվuƹLǙ_ }m)|Q)X7OGYFyfvʜP:ͅfU;șkhw rV C^rYmn¸~(hO1uـtڅFdRR `NjP1(%gMfNyʻ9-AS~gρ>9yBCgsyUhtZ9пNN?ӹ)wr_h|//E|9s _ /}/s{ ̡e)KD3)r)˜r߫ʑ+B9.n~kx:O/?>7??}P9g@M^9M@79_zyʛ9rּƅ)Ӝrq/ 苼 Oy射:)?}VQ<_`k9t _s̭L_:gVz]!,.5PW[k /Y3ݲ7Iլ 6 u=( }^1B8 gvYt{zMtKn ] x髰 %>  #r75ikxg?9/yd֦WVFkp'k͠6K(WL֪1y}2So١Oh]5OKWY-KbaP$_|rFsVj?f> _;ݻj^ 3K쓭/º>ga=f^*B8D#w`1zI<0vGm=SHN7nޣ97&; P7HGRP*V+rR8~O+p=5 = O1Q5YUdF*j|X,)g /(@#غM{%}C7":fȳRLq u+ҷJ!'\Cx'«lL˘͛YʌMMu?/{_ۉ F2)ebb{ˈLbT|Jx /p 9^q|L:AÆ/^Vٍv"n<2w)z6/dP4ǝa&rV4@Mz4z<(.>Pų l1@ҙ z{.u/J\șP˦=w\@>DBeD˦U憼B` j?9[n%c$QS "9<;$`B#s{̪4yxaw.kz>r* p1q.`:LiF`wƸ&f\)!𰙄i׌o3ċ 21wIf|5@uWɧI5;~ɩ ( kFWo L#by2&6F7LrwcO_V \ nKAnﺳc^kwfho RO^!MVE:Rwlk&5Jx Dƫz`/&?\vRi Cfe&xFlvK}T.I sEeבe,&J =B:̈́dX.N`'ס)e4tm_ I[Q=$NSPsXf@mM]-n]{.|ۃcq ;}L.˻1*D[ n='IDπnuM$f@gYl)VxRDR]nm7+(\d~d;kWAoL3SY,> N_dvO~5"%ia'R1<zH|k,XoϨT*L[K |YK:AM"Kd/-YoˊL3t#(3R^Vzo& J,爔事6SAQ^+yJ>? T|- 5{\6LDRg }N0yN:]p*sˠvsC@_vܥeUhJl;9f/xEyV?ĵ 3& Mwخ;Oq^'d9c7ԜP1$+nvGT g>5'ك|2hM(ْ0F/z >D/7a{} r@c bܢ_\n^}mӟfJ.RTnbbq 8gf;KM> : 8&U];#6sQ/uGׂ}Q'{v0o>`5/#]^&c`H؂{XiW1JpC)tO!?CNt3#" `GYu`kr8ǩk[mx }uke!)1:7f˟]lׁQ#iȥ+`j7E]EtᦁAwTM\7oQaWO_<.tcbsן<*Il}ra|X ^|޹+o3ȉe\g0^ηp2$Ӿ82#" $$zIW{{Q0&iEȓl`Cv_.~ph;?҈YA wVǰ-XF!&ۅ ?O80Ux|-h\};X\e,8Lg񸜹ނ"?D=:HVw|pm j 6Wxozc|[w0XjPtP>9/z0 \MkÐpaif#3S3 {߂ ixv4 /F"@Ԃ'g"e})IDy)/́/($3}E.tʢ^t{ X7u㖗6>u?]hI:^ RzVs>]/ ~c Whc<y &FϖguUhT;IxdMn+:cSEᘸe=9Rk.{Q'b(5lS2G4K_jjvcoϦO*L⇅ wm&l2)v}mb-c6C-{\!