Trillian chat client gets critical update

Stephen Withers
Wednesday, 20 June 2007 02:39

Your IT - Home IT

The Trillian multi-protocol chat client has been updated to eliminate a vulnerability that could result in the execution of arbitrary code.

Rated as "critical" by FrSIRT (the French Security Incident Response Team) and "highly critical" by Secunia, the flaw has been fixed in Trillian 3.1.6.0, released this week.

The problem stems from the incorrect use of the window width as the buffer size when wrapping UTF-8 strings, according to iDefense. A maliciously constructed message can cause heap corruption, resulting in the execution of code contained within that message.

Although iDefense confirmed the vulnerability only in version 3.1.5.1, earlier releases may share the same problem.

The new version can be downloaded via developer Cerulean Studios' web site. Existing Trillian users will be prompted to update when they next use the program.

Trillian supports the AIM, ICQ, MSN, Yahoo Messenger, and IRC chat protocols, allowing Windows users to connect to multiple networks (and even establish multiple sessions on one network) from a single client. The $US25 Pro version adds video chat and support for Jabber (as used by Google Talk), GroupWise Messenger, and Rendezvous (for iChat AV compatibility), plus other features.