Miranda IM remedies vulnerabilities
In the past two days, the Miranda developers have released two new versions of the open-source instant messenger client. The new versions close security holes that attackers could exploit remotely by means of manipulated messages and packets, possibly in order to inject and execute arbitrary program code.
Version 0.7.2 remedied two buffer overflows in the modules that support the MSN and Yahoo protocols. The security service provider Secunia had discovered the hole in the Yahoo module, which allowed specially crafted authentication queries to exploit a format-string vulnerability in the function that adds Yahoo contacts to the contact list. For this vulnerability to be exploited, however, Miranda has to be connected to a manipulated server. The developers did not provide any further details concerning the flaw in the MSN module.
Miranda IM 0.7.3 is now also available on the SourceForge servers. Besides fixing problems related to the encoding of Unicode characters in the MSN module, it remedies a security hole in Jabber support. Here, too, the developers are not divulging any details; they merely explain that there is a vulnerability in the contact list related to Jabber, without saying what the effects are. Nonetheless, users of Miranda IM are advised to download and install the current version of the software as soon as possible.
- Changelog for Miranda IM 0.7.2
- Changelog for Miranda IM 0.7.3
- Miranda "ext_yahoo_contact_added()" Format String Vulnerability, Secunia's security advisory
- Download the current version of Miranda IM