Trillian & Yahoo IM platform flaws found

Remotely exploitable vulnerabilities were revealed for two widely used instant messaging platforms this week.

Researchers Billy (BK) Rios, Nate Mcfeters, and Raghav "the Pope" Dube released proof-of-concept exploit code for two zero-day flaws in the Trillian instant messaging platform.

"It’s time we showed another example of how dangerous these URI handler vulnerabilities can be," the trio said.

The first flaw is due to an input validation error in the "ini=" parameter supplied via "aim://" URIs. The vulnerability could be exploited by a remote attacker to take control of a targeted system, according to Secunia.

The second vulnerability occurs within the processing of "aim://" URIs in the aim.dll plugin. The flaw can be exploited by attackers by tricking a user into following a specially crafted "aim://" URI file, according to the Danish vulnerability clearinghouse.

Secunia ranked the flaws as "highly critical," because they can be exploited from a remote location.

FrSIRT ranked both flaws as "critical." A Trillian representative could not be reached for comment.

Rios told SCMagazine.com today that he and his colleagues have been researching URI flaws for a year and found that they are "rampant."

"We’ve basically encountered a ‘perfect storm’ when it comes to URI handlers. Most developers don’t realise that by registering a URI handler with Windows, they are significantly increasing their attack surface," he said via email. "URI handlers can allow remote access to applications on a user’s system. If an application isn’t coded properly, attackers can abuse this remote access to compromise a system."

Meanwhile, researcher Rajesh Sethumadhavan released proof-of-concept buffer overflow exploit code for a flaw in Yahoo Messenger version 8.1. The code can be used for a DoS attack when Yahoo loads a specially crafted address book entry.

Sethumadhavan said on Monday that the flaw was discovered on April 10.

An attacker can take advantage of the flaw by sending a specially crafted address and using a social engineering attack to get a victim to place the mouse over the imported address.

A Yahoo spokesperson told SCMagazine.com on Tuesday that the web giant expects to have a patch soon.

"Yahoo takes security seriously and consistently employs measures to help protect our users. Since learning of this issue, we have been actively working towards a resolution and expect to have a fix shortly."

Don Montgomery, vice president of marketing at Akonix, told SC Magazine today that vulnerabilities on IM platforms are a growing problem.

"IM gets adopted more widely at home and at work now, and the bigger the network, the bigger the problem is," he said. "[Home users] are less likely to be secure and less likely to be on a protected network. They’re probably on broadband or cable."

Sign up to our newsletters