In association with heise online

19 June 2007, 10:55

Trillian executes malicious code from messages


Security service provider iDefense has found a security flaw in the popular instant messenger client Trillian. A buffer overflow can occur in the handling of messages encoded in the Unicode transformation format UTF-8. As a result, arbitrary code can be executed.

This error occurs when Trillian word-wraps UTF-8 text, such as for an authorization request. The routine that handles this request erroneously uses the width of the window as the value for the size of the buffer. Attackers can exploit this flaw by means of a specially crafted text message to inject arbitrary program code that is then executed with the user's rights.
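The class of bug described above, as an added illustration that is not Trillian's code: a line of `cols` UTF-8 characters can occupy more than `cols` bytes, so a copy has to be bounded by the destination's byte capacity rather than by the display width. The function names and the sample string are hypothetical, and the sketch assumes the width is counted in character columns.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sequence length announced by lead byte b; invalid bytes count as 1. */
static size_t utf8_seq_len(unsigned char b) {
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Bytes occupied by the first `cols` characters of `text`; a sequence
 * cut short by the terminating NUL is counted only up to the NUL. */
size_t line_bytes(const char *text, size_t cols) {
    size_t in = 0;
    for (size_t chars = 0; text[in] != '\0' && chars < cols; chars++) {
        size_t n = utf8_seq_len((unsigned char)text[in]), k = 1;
        while (k < n && text[in + k] != '\0') k++;
        in += k;
    }
    return in;
}

/* Copy one display line of at most `cols` characters into `out`. The copy
 * is bounded by out_cap bytes, not by cols. Returns bytes consumed. */
size_t wrap_line(const char *text, size_t cols, char *out, size_t out_cap) {
    size_t in = 0;
    if (out_cap == 0) return 0;
    for (size_t chars = 0; text[in] != '\0' && chars < cols; chars++) {
        size_t n = line_bytes(text + in, 1);
        if (n > out_cap - 1 - in) break;   /* next character would not fit */
        memcpy(out + in, text + in, n);
        in += n;
    }
    out[in] = '\0';
    return in;
}

/* Constructed sample: ten copies of U+00E9, two bytes each in UTF-8. */
static const char SAMPLE[] = "\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9"
                             "\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9\xC3\xA9";

int main(void) {
    char line[11];   /* sized like a 10-column window plus NUL */
    printf("need %zu bytes, copied %zu\n", line_bytes(SAMPLE, 10),
           wrap_line(SAMPLE, 10, line, sizeof line));
    return 0;
}
```

With the constructed sample, a 10-column line needs 20 bytes, so a buffer sized from the width holds only the first five characters and the bounded copy stops there.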

Cerulean Studios, the vendor of Trillian, has already released version 3.1.6.0 to remedy the bug. Users of this software should install the update immediately.


(mba)

Permalink: http://h-online.com/-733085
 

