Chat-program bugs could bite millions
Two software bugs in the popular mIRC program for real-time chatting could give online vandals access to millions of computers.
The flaws make users of mIRC--a common Windows program that lets people chat in real time over a network of "Internet relay chat" servers--susceptible to attack if they connect to a compromised server, said James Martin, the independent security consultant who found one of the flaws.
"At the moment, (exploiting the flaw) is not that easy," Martin said, "but the code is in the hands of a lot of people."
The flaws are the latest blow to any notion of security on chat software and instant messaging programs.
"Certainly, IRC doesn't have a place in the enterprise, because of the group nature of the chatting that goes on," said Richard Stiennon, research director for business analyst Gartner. He warned that such holes could be a path for hackers and worms to gain entry into a company.
"This one is perfect for a worm," he said.
Last month, America Online plugged a hole in its AOL Instant Messenger application that could have allowed online vandals to access a victim's computer. The Internet giant also warned that a hole in its ICQ instant messaging program could allow hackers to access a victim's computer.
The incidents had analysts wondering whether employee use of such programs is dangerous for businesses.
The latest problem could affect upward of 1 million people. While the total number of mIRC users is not known, more than 1 million people have signed up for the product's announcement list, according to the mIRC Web site.
The latest security slip-up involves the way mIRC handles the nicknames it receives from the server.
If a compromised server sends a name that is more than 200 characters long to a chatter's computer, the data causes a memory problem, called a buffer overflow, that allows code appended to the data to be executed on that computer. Typically, such a hidden command causes a malicious program to be downloaded and installed.
A second flaw lets attackers direct mIRC users to a compromised IRC server by way of HTML code on a Web page or in an Outlook e-mail rendered in the style of a Web page. Online vandals could send URLs or e-mails to people with whom they're chatting, asking them to click a certain link. The malicious HTML code would then automatically direct a victim's computer to a compromised server.
The flaws only affect versions of mIRC up to, but excluding, the latest release, version 6.0, Martin said.
Gartner's Stiennon stressed that closed instant messaging systems used within a company are good for collaboration; it's only when employees connect to the Internet using such clients that there is a security problem.
"The objections for not using instant messaging in the enterprise is exactly the same as the objections a decade ago for not using e-mail," he said, noting that over a dozen companies--including Microsoft, iPlanet, Lotus and Jabber--have created software to create private IM networks.
Consultant Martin agrees that closed is the way to go for companies. The 21-year-old computer expert stressed that anything that forges a connection between a PC and the Internet opens up security holes. Well-written programs, however, minimize the danger, he said.
"I personally do use mIRC," he said. "Frankly, it has the best interface and it is low on memory usage; it's a nice client."
"After this, however, I'm starting to reconsider," Martin added.
Khaled Mardam-Bey, the creator of mIRC, could not immediately be reached for comment on the problem. While his Web site announced the release on Sunday of mIRC 6.0, it made no mention of the security problems Martin claims are inherent in the older versions.