Two vulnerabilities in Trillian

Started by Frands, July 17, 2007, 07:45:35 PM


Frands

Hi  :)

Quote: Two highly critical vulnerabilities have been discovered in Trillian, which can be exploited by malicious people to compromise a user's system.

http://secunia.com/advisories/26086/
http://www.kb.cert.org/vuls/id/786920
Our greatest glory is not in never falling but in rising every time we fall.
- Confucius
-----
Trend Micro Internet Security


Home Forums:
https://www.landzdown.com/
http://securitygarden.blogspot.dk/
https://www.classicrockforums.com/

Corrine

Thanks, Stealthzone. 

From the Secunia link, it doesn't appear that the vulnerabilities are related to IRC or use with MSN or Y!, but limited to AIM:

Quote:
1) The aim:// URI handler does not verify certain parts of the "aim://" URI before writing it into a file specified via the unverified "ini=" parameter. This can be exploited to e.g. write a batch file into the Windows "Startup" folder that starts an attacker-defined application by tricking a user into following a specially crafted "aim://" URI.

2) A boundary error within the processing of "aim://" URIs exists in the aim.dll plugin. This can be exploited to cause a buffer overflow by e.g. tricking a user into following a specially crafted "aim://" URI.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Ripley

From the Trillian support forums posted today:

Quote: The developers know about it and are working to address it.

In the past we have been notified about issues and were able to fix them before they went public. The developers take things like this very seriously so if the people who reported the "vulnerability" had let us know before posting it there would already be a patch available. As it is they skipped notifying Cerulean Studios and just posted it so the developers only found out about it yesterday.
http://forums.ceruleanstudios.com/showpost.php?p=706403&postcount=13

Ripley

Trillian 3.1.7.0.

Quote: In response to the URI security vulnerability released this week, we have updated Trillian 3 to 3.1.7.0. Auto-update should be firing for existing users, and you can use our download page to grab a full installer if you are so inclined. We recommend that all existing Trillian 3.x customers download this latest upgrade.
This entry was posted on Friday, July 20th