In association with heise online

19 August 2009, 11:43

Critical vulnerability in Pidgin IM


A critical vulnerability in the Pidgin instant messenger application can be exploited by attackers to inject and execute malware on a computer. The cause of the problem is a bug in the libpurple library used by Pidgin, which allows code to be written to memory and executed using crafted MSN-SLP packets. No interaction from the victim is required and an attacker does not need to be in the victim's buddy list to carry out a successful attack.

A report on the vulnerability from Pidgin users states that the vulnerability has been fixed in Pidgin/libpurple 2.5.9, but the discoverers of the vulnerability, CoreSecurity, state that the first non-vulnerable version is 2.6.0. The confusion is exacerbated by the fact that the developers released versions 2.5.9, 2.6.0 and 2.6.1 in quick succession yesterday. Users wishing to play it safe should simply install the latest version. The latest version for Windows, however, remains version 2.5.8. Other applications, such as Adium, are also affected by the vulnerability.
