Trillian executes malicious code from messages
Security service provider iDefense has found a security flaw in the popular instant messenger client Trillian. A buffer overflow can occur in the handling of messages encoded in the Unicode transformation format UTF-8. As a result, arbitrary code can be executed.
This error occurs when Trillian word-wraps UTF-8 text, such as for an authorization request. The routine that handles this request erroneously uses the width of the window as the value for the size of the buffer. Attackers can exploit this flaw by means of a specially crafted text message to inject arbitrary program code that is then executed with the user's rights.
Cerulean Studios, the vendor of Trillian, has already released version 3.1.6.0 to remedy the bug. Users of this software should install the update immediately.
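A hardened word-wrap step for the bug class described above, as an added example that is not Trillian's code: the width is treated as a character count and kept separate from the destination buffer's capacity in bytes, since one UTF-8 character can occupy up to four bytes. The names `wrap_line` and `line_buf_size` and the sample string are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: eight U+20AC characters, 8 columns wide but 24 bytes long. */
static const char SAMPLE[] = "\xE2\x82\xAC\xE2\x82\xAC\xE2\x82\xAC\xE2\x82\xAC"
                             "\xE2\x82\xAC\xE2\x82\xAC\xE2\x82\xAC\xE2\x82\xAC";

/* Length in bytes of the UTF-8 sequence introduced by lead byte b; 0 if invalid. */
static size_t utf8_seq_len(unsigned char b) {
    if (b < 0x80) return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Worst-case bytes for a line of `cols` characters plus NUL; 0 on overflow. */
size_t line_buf_size(size_t cols) {
    return cols > (SIZE_MAX - 1) / 4 ? 0 : cols * 4 + 1;
}

/* Copy one line of at most `cols` characters into dst, whose size in BYTES is
 * dst_cap. Returns source bytes consumed, or -1 if malformed or it won't fit. */
long wrap_line(const char *src, size_t src_len, size_t cols,
               char *dst, size_t dst_cap) {
    size_t in = 0, out = 0, chars = 0;
    if (dst_cap == 0) return -1;
    while (in < src_len && chars < cols) {
        size_t n = utf8_seq_len((unsigned char)src[in]);
        if (n == 0 || n > src_len - in) return -1;   /* bad or truncated sequence */
        for (size_t i = 1; i < n; i++)               /* continuation bytes: 10xxxxxx */
            if (((unsigned char)src[in + i] & 0xC0) != 0x80) return -1;
        if (n >= dst_cap - out) return -1;           /* keep one byte for the NUL */
        memcpy(dst + out, src + in, n);
        in += n; out += n; chars++;
    }
    dst[out] = '\0';
    return (long)in;
}

int main(void) {
    char by_cols[8 + 1], by_bytes[4 * 8 + 1];  /* width-sized vs byte-sized */
    printf("width-sized buffer: %ld\n", wrap_line(SAMPLE, 24, 8, by_cols, sizeof by_cols));
    printf("byte-sized buffer:  %ld\n", wrap_line(SAMPLE, 24, 8, by_bytes, sizeof by_bytes));
    return 0;
}
```

With the width-sized buffer the call is refused instead of writing past the end; with the byte-sized buffer all 24 bytes are copied.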
- Cerulean Studios Trillian UTF-8 Word Wrap Heap Overflow Vulnerability, iDefense's security advisory
- Download the current version of Trillian
(mba)