Critical holes in Trillian Instant Messenger

Security service Zero Day Initiative (ZDI) has found three critical vulnerabilities that allow attackers to infect the computers of Trillian Instant Messenger users with malicious code. The vendor has responded by releasing an update to close the holes.

When processing XML through functions of the talk.dll dynamic link library, malformed attributes for the IMG tag can cause data to be written beyond the limits of an allocated heap buffer. Attackers do not require to be authenticated to exploit this hole and inject and execute arbitrary code.

Missing length checks in the functions for parsing MSN MIME headers (X-MMS-IM-FORMAT) can lead to a stack-based buffer overflow. Again, attackers can exploit this vulnerability without prior authentication, and can inject malicious code simply by sending specially crafted messages to potential victims.

The aim.dll library calls sprintf() to process tag values without adequately sanitising the supplied parameters. When excess length attribute strings within the FONT tag are submitted a buffer overflow may result, allowing attackers to execute arbitrary code under the privileges of the logged in user. To exploit this vulnerability, attackers need to either send specially crafted messages via the AIM protocol or establish a direct connection to their victims.

According to ZDI, vendor Cerulean Studios has fixed the vulnerabilities in Trillian version v3.1.10.0. Users of the software are advised to download and install the current version as soon as possible.

See also:

• Trillian AIM.DLL Long HTML Font Parameter Stack Overflow Vulnerability, ZDI security advisory
• Trillian Multiple Protocol XML Parsing Memory Corruption Vulnerability, ZDI security advisory
• Trillian MSN MIME Header Stack-Based Overflow Vulnerability, ZDI security advisory
• Download the current version of Trillian

(mba)