Trillian IM flaw exposed

Workers at LogicLibrary, a company that makes software development tools, including programs designed to catch bugs before applications go into production, said they have unearthed a potential flaw in the IM client made by Cerulean Studios.

According to LogicLibrary, the vulnerability could allow malicious-code writers to do anything from shutting down individual programs on computers running Trillian to gaining complete control of a machine's operating system.

The company said the flaw in Cerulean's software, which folds IM clients from multiple providers, including America Online, Microsoft and Yahoo, into one interface, revolves around an unbounded buffer problem in Trillian 3.1, the latest version of the application. However, LogicLibrary said the issue springs from a vulnerability it first found and reported to Cerulean in the Trillian 2.0 release of the IM software.

LogicLibrary said it began contacting Cerulean regarding the issue in 2003 but believes that future versions of Trillian failed to eliminate all the software's flaws. The company believes that the same code that made Trillian 2.0 vulnerable has been copied directly into Trillian 3.1.

LogicLibrary representatives noted that there have been no reported examples of exploits designed to attack the vulnerability it found.

Cerulean co-founder and CEO Scott Werndorfer said the buffer-related vulnerability is of "extremely low risk." In an e-mail sent to CNET News.com on Friday, he said that attackers would need to construct an entire fake IM software client for the sole purpose of sending a malicious request to a Trillian user. That person would then have to actually accept that message request in order for the attacker to take advantage of the flaw, he said.

Werndorfer pledged that the hole will be patched in the next release of Trillian and said that many of the buffer problems were fixed in the 3.1 version of the application. He strongly encouraged all Trillian users to "exercise extreme caution" when accepting file transfers or any other form of communication from any unknown contacts.

News of the Trillian vulnerability adds to the rapidly growing concern that hackers and virus writers are beginning to move their efforts further into the IM arena as e-mail systems have become better equipped to battle the steady flow of attacks. Since the beginning of 2005, well over a dozen threats targeting various IM applications have appeared, with some bearing a growing level of sophistication.

This week, one of the most advanced IM attacks reported to date took aim at Yahoo's IM software, presenting some of the application's users with a convincing phishing attempt. Yahoo confirmed the assault, through which criminals sent IM users a message containing a link to a fraudulent Web site. That Web site, made to look like an official Yahoo site, attempted to lure people into logging in with their Yahoo ID and password. Once armed with that information, criminals could potentially target affected individuals for identity fraud through actions such as accessing their Yahoo e-mail accounts.

According to many security industry watchers, IM threats could rapidly escalate. The attacks seem to be following the same, if not escalated, pattern of e-mail-borne viruses in their early development. According to Jimmy Kuo, a research fellow at antivirus specialist McAfee, as more flaws in IM software are discovered, hackers could quickly begin focusing more attention on the sector.

"IM is essentially where the e-mail viruses were when they were just starting. But expect to see a similar increase in number and sophistication of attacks," Kuo said. "The advantage of IM is that it remains primarily text-oriented, but at some point someone will find an exploit and we'll see more issues develop rapidly."