Critical vulnerability in Pidgin IM
A critical vulnerability in the Pidgin instant messenger application can be exploited by attackers to inject and execute malware on a computer. The cause of the problem is a bug in the libpurple library used by Pidgin, which allows code to be written to memory and executed using crafted MSN-SLP packets. No interaction from the victim is required and an attacker does not need to be in the victim's buddy list to carry out a successful attack.
A report on the vulnerability from Pidgin users states that the vulnerability has been fixed in Pidgin/libpurple 2.5.9, but the discoverers of vulnerability, CoreSecurity, states that the first non-vulnerable version is 2.6.0. The confusion is exacerbated by the fact that the developers yesterday released versions 2.5.9, 2.6.0 and 2.6.1 in quick succession. Users wishing to play it safe should simply install the latest version. The latest version for Windows remains, however, version 2.5.8. Other applications such as Adium are also affected by the vulnerability.
See also:
- Libpurple msn_slplink_process_msg() Arbitrary Write Vulnerability, a report from CoreSecurity.
- MSN overflow parsing SLP messages, a report from the Pidgin developers.
(djwm)