Two vulnerabilities in the IM aggregating software Trillian may allow system access to a remote user, meaning that all users should upgrade as soon as possible.
Trillian - named after the female character in Hitchhiker's Guide to the Galaxy, girlfriend of Zaphod Beeblebrox and lust figure for Arthur Dent - is an extremely popular piece of instant messaging software as it communicates with all the main IM software.
So, rather than having to download or standardise on AIM, ICQ, MSN, IRC or Yahoo, people are able to download an install just one bit of software. This interoperability makes Trillian a little less instant, with slight delays in the time messages take to appear.
The vulnerability appears in all versions of the Trillian software, including the professional, paid-for version.
An integer overflow exists in how it handles the AIM protocol when allocating memory. This can be exploited by a specially crafted DirectIM packet. Also, a boundary error when parsing Yahoo packets can result in a buffer overflow. It can be exploited by sending a specially crafted YMSG packet with an overly long key name.
Successfully exploiting these holes would allow someone to run their own code on your system, with your access priviledges.
The holes were discovered by e-matters and Trillian's inventors were informed this time last week. Within two days they had patches ready for testing and they were released late yesterday. If you want to know about the holes go to e-matters site here. To download the latest version and cover up the hole, visit Cerulean Studios here.
Find your next job with techworld jobs