Gaim, the popular cross-platform instant messaging client, has been hit by a serious security flaw for the second time in three months.
The flaw is found in the way Gaim reads the away messages of AIM or ICQ instant messaging users, according to researchers. The bug crashes the Gaim client, and could be exploited to run malicious code and take over a user's system, according to an advisory from Red Hat.
"A remote attacker could send a specially crafted away message to a Gaim user logged into AIM or ICQ that could result in arbitrary code execution," Red Hat said.
Red Hat said the bug was "critical", and issued its own patch fixing the away-message bug and two other flaws. As of Thursday morning no official patch from the Gaim project was available, according to an advisory from independent security firm Secunia. FrSIRT, the French Security Incident Response Team, also gave the flaw a "high risk" rating and said it wasn't aware of an official patch.
An attacker could compromise systems running Gaim by using a large number of "%n" symbols as an away message, according to researchers. Any Gaim user who passes the cursor over the attacker's user name to read the away message will find the program shuts down. The attack also triggers a buffer overflow which could be used to execute malicious code, researchers said.
Gaim version 1.x has had its fair share of security flaws over the past few months. Another critical security flaw was reported almost exactly three months ago, involving the way Gaim handles URLs. The software also had two critical bugs last year, in August and October.
In addition Gaim has suffered from regular, less-serious flaws, most allowing denial-of-service attacks. This year so far there have been six less-serious security warnings - three in February, one in April, one in June and one in July.
The frequency of security flaw disclosures is probably in part due to Gaim's popularity, according to security experts. By contrast the jabberd 2.x client has only had one flaw report this year and one last year, according to Secunia. Ekg 1.x, another messaging client, has had three flaw reports overall this year, one of them serious.