Critical IM bugs hit Yahoo, Trillian
It wasn't clear when either flaw might be patched
July 17, 2007 12:00 PM ETComputerworld - Security researchers yesterday disclosed critical vulnerabilities in two popular Windows instant messaging clients, Yahoo Messenger and Trillian.
The Yahoo Messenger bug, which was posted to the Full Disclosure mailing list Monday by Rajesh Sethumadhavan, is a buffer overflow flaw that can be exploited with a specially crafted address book entry. Messenger immediately crashes when it encounters the malformed entry, said Sethumadhavan, but it may also be susceptible to code execution, meaning an attacker might be able to inject his own malicious code -- a keystroke stealer or a spam bot, for instance -- into a compromised PC.
Although Yahoo Inc. has not posted a patch for the vulnerability, late Tuesday a company spokeswoman said that the security team is working on a fix and would have something "shortly."
Trillian, a multiservice client, also sports two bad bugs, said other researchers.
A trio made up of Nate Mcfeters, Billy "BK" Rios and Raghav "The Pope" Dube identified two vulnerabilities in Trillian's handling of the AIM URI (uniform resource identifier). According to Mcfeters, Rios and Dube, the Trillian flaws are similar to the Internet Explorer/Firefox vulnerability that raised a ruckus last week.
"The first example shows the dangers of passing unfiltered arguments to programs that have registered URIs (much like the firefoxurl: vulnerability)," the three wrote in their advisory. "The second example shows that even if arguments are sanitized [emphasis in original] by the browser, many programs can be remotely pwnd via registered URIs and poor development practices."
US-CERT posted its own warning yesterday as well. The bugs have been confirmed in Trillian 3.1.6.0, added Copenhagen-based vulnerability tracker Secunia APS, which pegged the problems as "highly critical," its second-most dire rating.
The Web site of Trillian developer Cerulean Studios did not offer an indication that a patch for the Trillian flaw would be forthcoming.
instant messaging
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
