LandzDown Forum

Security => Security Alerts & Briefings => Topic started by: Frands on July 17, 2007, 07:45:35 PM

Title: Two vulnerabilities in Trillian
Post by: Frands on July 17, 2007, 07:45:35 PM
Hi  :)

Quote: Two highly critical vulnerabilities have been discovered in Trillian, which can be exploited by malicious people to compromise a user's system.

http://secunia.com/advisories/26086/
http://www.kb.cert.org/vuls/id/786920
Title: Re: Two vulnerabilities in Trillian
Post by: Corrine on July 17, 2007, 08:19:05 PM
Thanks, Stealthzone. 

From the Secunia link, it doesn't appear that the vulnerabilities are related to IRC or use with MSN or Y!, but limited to AIM:

Quote: 1) The aim:// URI handler does not verify certain parts of the "aim://" URI before writing it into a file specified via the unverified "ini=" parameter. This can be exploited to e.g. write a batch file into the Windows "Startup" folder that starts an attacker-defined application by tricking a user into following a specially crafted "aim://" URI.

2) A boundary error within the processing of "aim://" URIs exists in the aim.dll plugin. This can be exploited to cause a buffer overflow by e.g. tricking a user into following a specially crafted "aim://" URI.
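The two items quoted above are the same handler failing in two ways: it trusts the "ini=" parameter as a destination path, and it copies URI data without a boundary check. As an added example (not Cerulean Studios' code, and not the handler as Trillian fixed it), this is a bounded aim:// URI parser that copies "ini=" into a caller-sized buffer, refuses it unless it is a plain ".ini" file name, and joins the name onto a fixed directory rather than writing wherever the URI says. The URI layout (query string after "?", "&"-separated key=value pairs), the INI_DIR directory and the function names are assumptions made for this example.

```c
/* Added example (not Cerulean Studios' code): a bounded parser for "aim://"
 * URIs that extracts "ini=" into a caller-sized buffer and accepts only a
 * plain ".ini" file name, which is then placed under a fixed directory.
 * URI layout, INI_DIR and function names are assumptions for this example. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define INI_DIR      "C:\\Program Files\\Trillian\\aim\\"  /* assumed trusted dir */
#define INI_NAME_MAX 64                                  /* including NUL */

enum aim_uri_status {
    AIM_OK = 0,
    AIM_ERR_SCHEME,    /* not an aim:// URI */
    AIM_ERR_NO_INI,    /* no ini= parameter present */
    AIM_ERR_TOO_LONG,  /* value would not fit the caller's buffer */
    AIM_ERR_UNSAFE     /* value is not a plain .ini file name */
};

const char *status_name(enum aim_uri_status s)
{
    static const char *names[] = { "ok", "bad scheme", "no ini=", "too long", "unsafe" };
    return names[s];
}

/* Allow-list check: only [A-Za-z0-9_.-], no leading '.', must end in ".ini".
 * Rejecting '/', '\\', ':' and '%' kills raw and percent-encoded traversal
 * ("..\\", "%2e%2e%2f") as well as drive-letter and UNC paths. */
static int ini_name_is_safe(const char *name, size_t len)
{
    size_t i;
    if (len == 0 || name[0] == '.')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return len > 4 && memcmp(name + len - 4, ".ini", 4) == 0;
}

/* Parse uri, copying the validated ini= value into ini_out (NUL-terminated).
 * ini_out is written only when AIM_OK is returned. */
enum aim_uri_status parse_aim_uri(const char *uri, char *ini_out, size_t ini_cap)
{
    const char *p, *q;

    if (strncmp(uri, "aim://", 6) != 0)
        return AIM_ERR_SCHEME;
    q = strchr(uri, '?');                  /* query string starts at '?' */
    if (q == NULL)
        return AIM_ERR_NO_INI;

    for (p = q + 1; *p != '\0'; ) {        /* walk &-separated key=value pairs */
        const char *amp = strchr(p, '&');
        const char *end = amp ? amp : p + strlen(p);
        if (end - p >= 4 && strncmp(p, "ini=", 4) == 0) {
            const char *val = p + 4;
            size_t len = (size_t)(end - val);
            if (len >= ini_cap)            /* bounds check: refuse, never overflow */
                return AIM_ERR_TOO_LONG;
            if (!ini_name_is_safe(val, len))
                return AIM_ERR_UNSAFE;
            memcpy(ini_out, val, len);
            ini_out[len] = '\0';
            return AIM_OK;
        }
        if (amp == NULL)
            break;
        p = amp + 1;
    }
    return AIM_ERR_NO_INI;
}

/* Validate only, using a local buffer of INI_NAME_MAX bytes. */
enum aim_uri_status check_aim_uri(const char *uri)
{
    char name[INI_NAME_MAX];
    return parse_aim_uri(uri, name, sizeof name);
}

/* Join the validated name onto the fixed directory; -1 if it would not fit. */
int build_ini_path(const char *ini_name, char *out, size_t out_cap)
{
    int n = snprintf(out, out_cap, "%s%s", INI_DIR, ini_name);
    return (n < 0 || (size_t)n >= out_cap) ? -1 : 0;
}

int main(void)
{
    /* constructed sample URIs: one benign, the rest hostile or malformed */
    const char *samples[] = {
        "aim://goim?screenname=alice&ini=buddy.ini",
        "aim://goim?ini=..\\..\\Startup\\run.bat",
        "aim://goim?ini=%2e%2e%2fStartup%2frun.bat",
        "aim://goim?ini=C:\\Windows\\system.ini",
        "aim://goim?ini=run.bat",
        "http://example.com/?ini=buddy.ini",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char name[INI_NAME_MAX], path[260];
        enum aim_uri_status s = parse_aim_uri(samples[i], name, sizeof name);
        if (s == AIM_OK && build_ini_path(name, path, sizeof path) == 0)
            printf("%-45s -> ok, write to %s\n", samples[i], path);
        else
            printf("%-45s -> rejected (%s)\n", samples[i], status_name(s));
    }
    return 0;
}
```

The point of the shape is that the attacker-controlled string never becomes a path: it is length-checked before any copy, reduced to a bare file name by an allow-list rather than a blacklist of ".." patterns, and then appended to a directory the program chose. A percent-encoded traversal fails the same character check as a raw one, so no separate decoding step can reintroduce the bug.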
Title: Re: Two vulnerabilities in Trillian
Post by: Ripley on July 18, 2007, 09:36:48 PM
From the Trillian support forums posted today:

Quote: The developers know about it and are working to address it.

In the past we have been notified about issues and were able to fix them before they went public. The developers take things like this very seriously so if the people who reported the "vulnerability" had let us know before posting it there would already be a patch available. As it is they skipped notifying Cerulean Studios and just posted it so the developers only found out about it yesterday.
http://forums.ceruleanstudios.com/showpost.php?p=706403&postcount=13
Title: Re: Two vulnerabilities in Trillian
Post by: Ripley on July 26, 2007, 11:14:26 PM
Trillian 3.1.7.0.

Quote: In response to the URI security vulnerability released this week, we have updated Trillian 3 to 3.1.7.0. Auto-update should be firing for existing users, and you can use our download page to grab a full installer if you are so inclined. We recommend that all existing Trillian 3.x customers download this latest upgrade.
This entry was posted on Friday, July 20th