Gaping holes in Trillian IM client


Trillian users beware: There are multiple serious security holes in the popular cross-platform IM application.

According to alerts issued by TippingPoint's Zero Day Initiative (ZDI), the vulnerabilities allow remote attackers to execute arbitrary code on vulnerable installations of Trillian Pro.

Trillian users are strongly encouraged to download and apply Trillian v3.1.10.0, which fixes the underlying vulnerabilities.

Vulnerability #1: The specific flaw exists within XML parsing in talk.dll. When processing certain malformed attributes within 'IMG' tags, it is possible to overwrite past an allocated heap chunk, which can eventually lead to code execution under the context of the current user. Authentication is not required to exploit this vulnerability.

Vulnerability #2: The specific flaw exists within the header parsing code for the MSN protocol. When processing the X-MMS-IM-FORMAT header, certain attributes are copied into a buffer located on the stack without any length verification which can eventually lead to code execution with the privileges of the user that is running the application. Authentication is not required to exploit this vulnerability.

Vulnerability #3: The specific flaw exists during the parsing of messages with overly long attribute values within the FONT tag. The value for any attribute is copied into a stack-based buffer via sprintf(), which can result in a buffer overrun and can be subsequently leveraged to execute arbitrary code under the privileges of the logged-in user. Exploitation may occur over the AIM network or via direct connections. User interaction is required to exploit this vulnerability in that the target must open a malicious image file.
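The unchecked copy described in vulnerabilities #2 and #3, next to a bounded form, as an added example (this is not Trillian's code). The function names, the toy attribute parser and the 64-byte `ATTR_MAX` are assumptions made for illustration, and the tag in `main()` is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

#define ATTR_MAX 64  /* assumed buffer size; the real size is not given on the page */

/* Unsafe pattern, shown for contrast and never called here: sprintf()
 * writes as many bytes as the value holds, whatever the size of dst. */
void copy_attr_unchecked(char *dst, const char *value) {
    sprintf(dst, "%s", value);
}

/* Bounded form: find name="value" in a tag and copy the value only if
 * it fits. Returns 0 on success, -1 if the attribute is missing or
 * malformed, -2 if the value is too long (rejected, not truncated). */
int copy_attr_checked(const char *tag, const char *name, char *dst, size_t dst_len) {
    char key[32];
    int n = snprintf(key, sizeof key, "%s=\"", name);
    if (n < 0 || (size_t)n >= sizeof key) return -1;
    const char *p = tag;
    while ((p = strstr(p, key)) != NULL) {
        if (p > tag && p[-1] == ' ') break;  /* match a whole attribute name */
        p++;
    }
    if (!p) return -1;
    p += n;                                  /* skip past name=" */
    const char *end = strchr(p, '"');
    if (!end) return -1;                     /* unterminated value */
    size_t len = (size_t)(end - p);
    if (len >= dst_len) return -2;           /* need room for the NUL */
    memcpy(dst, p, len);
    dst[len] = '\0';
    return 0;
}

int main(void) {
    char face[ATTR_MAX], tag[512] = "<FONT face=\"";
    size_t off = strlen(tag);
    memset(tag + off, 'A', 300);             /* constructed 300-byte value */
    strcpy(tag + off + 300, "\">");
    printf("long value:  %d\n", copy_attr_checked(tag, "face", face, sizeof face));
    printf("short value: %d\n",
           copy_attr_checked("<FONT face=\"Arial\">", "face", face, sizeof face));
    return 0;
}
```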

The patches can be found via Trillian's Help > Check for Updates feature.


Talkback

9 comments
  • Showing its age

    These sound like some rather old-style security bugs (buffer overflows!)... Hopefully their next version (Astra, IIRC) will be much tighter, or they'll keep losing share to Pidgin.
    AySz88
  • RE: Gaping holes in Trillian IM client

    I just love Trillian bugs. You know, they called Billy Rios and I geniuses one time... real nice of them! Haha, it was after we had released a stack overflow and command injection through the Trillian URL Handler... which we were told was already known as an issue by two different vulnerability brokers. Interesting that, apparently the vendor brokers knew about it, but the guys who make Trillian didn't.

    Hey, btw, when is that new release due? 10 years from now? They've been in alpha testing on Mac for a long, long time now.

    -Nate
    nmcfeters
    • If they release for Mac, will you run it?

      Just curious. You seem to be longing for just such an update.

      The pro version sure is a handy product for IM needs, but it's sad to hear of such gaping vulnerabilities.
      klumper
      • Adium (Trillian for Mac)

        There's already a Trillian-type app for the Mac. It's called Adium (http://www.adiumx.com) and it works like a charm. I use it all the time.

        _ryan
        Ryan Naraine
  • and you can't GET the new version!!

    Click HELP | CHECK FOR UPDATES and the instant response is .... "No software updates are available."

    Gosh... what a surprise.
    semi-adult
  • For IM programmes, you have another option!

    Download Pidgin. Run it instead.

    Problem solved.
    superbus
    • that's tooo easy (nt)

      ;)
      n0neXn0ne
  • RE: Gaping holes in Trillian IM client

    Do these vulnerabilities exist in the non pro version as well?
    Aragorn@...
  • RE: Gaping holes in Trillian IM client

    I use Trillian (version 3.1.9.0) and I had to go to the Trillian website to download the update. Opening up the program and going to Help, Update it gave me a message that updates were not available.

    They need to fix that along with showing EXACTLY what version you are running since it only says that I am running 3.1 in the help, about page. I had to go look at the version on the freakin' executable to see the exact version that I am running.
    avatar-computer.com