Pidgin IM Vulnerable to Malware Attacks
Internet security firm CORESecurity recently discovered a security flaw in the core library underlying the Pidgin instant-messaging client and notified the Pidgin developers; if exploited, the flaw could allow attackers to run malicious code on a user's PC. The developers have since fixed the flaw in the most recent versions of the Pidgin IM program.
A team of experts at CORESecurity found that specially crafted MSNSLP messages, sent to a Pidgin client through an MSN server, could crash the remote PC. A sequence of such messages triggers a 'memcpy' operation in system memory that ends up addressing invalid memory, and the resulting invalid memory access crashes the system.
The flaw can be exploited without any user interaction and without the attacker being listed in the victim's contacts.
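The bug class described above is a memcpy whose destination offset and length come straight from the network. The following C program is an added example, not libpurple's code and not the real MSNSLP wire format: it assumes a simplified chunked message (total size, chunk offset, chunk length, payload) and shows the bounds checks a reassembly routine needs before copying. The message layout, the SLP_MAX_MESSAGE limit and the function names are assumptions for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not libpurple's code, not the real MSNSLP
 * wire format): a transfer is split into chunks, each carrying the
 * declared total size, the chunk's offset in the message, and its length. */
typedef struct {
    uint64_t total_size;          /* declared size of the whole message */
    uint64_t offset;              /* where this chunk belongs in the buffer */
    uint32_t chunk_len;           /* bytes of payload in this chunk */
    const unsigned char *payload;
} slp_chunk;

typedef struct {
    unsigned char *buf;
    size_t size;
    size_t received;
} slp_message;

/* Assumed policy: refuse to allocate more than 4 MiB for one message. */
#define SLP_MAX_MESSAGE (4u * 1024u * 1024u)

/* Allocate the reassembly buffer; rejects zero or oversized declarations. */
int slp_message_init(slp_message *m, uint64_t total_size) {
    if (total_size == 0 || total_size > SLP_MAX_MESSAGE) return -1;
    m->buf = calloc(1, (size_t)total_size);
    if (!m->buf) return -1;
    m->size = (size_t)total_size;
    m->received = 0;
    return 0;
}

/* Returns 0 on success, -1 if the chunk is rejected. Every bound is checked
 * before memcpy, and the length check is written as a subtraction so a huge
 * offset cannot wrap the addition offset + chunk_len back inside the buffer. */
int slp_message_add_chunk(slp_message *m, const slp_chunk *c) {
    if (c->total_size != m->size) return -1;                      /* header must agree */
    if (c->offset > m->size) return -1;                           /* start inside buffer */
    if ((uint64_t)c->chunk_len > m->size - c->offset) return -1;  /* end inside buffer */
    memcpy(m->buf + c->offset, c->payload, c->chunk_len);
    m->received += c->chunk_len;
    return 0;
}

void slp_message_free(slp_message *m) { free(m->buf); m->buf = NULL; }

/* Self-check with constructed chunks: one well-formed, three malformed.
 * Returns 1 when the good chunk lands and every bad chunk is rejected. */
int slp_demo(void) {
    slp_message m;
    unsigned char payload[] = "ABCDEFGH";
    if (slp_message_init(&m, 16) != 0) return -1;

    slp_chunk good        = {16, 0, 8, payload};
    slp_chunk past_end    = {16, 12, 8, payload};              /* 12 + 8 > 16 */
    slp_chunk huge_offset = {16, UINT64_MAX - 3, 8, payload};  /* would wrap if added naively */
    slp_chunk wrong_total = {1u << 30, 0, 8, payload};         /* header disagrees with buffer */

    int ok = slp_message_add_chunk(&m, &good) == 0
          && slp_message_add_chunk(&m, &past_end) != 0
          && slp_message_add_chunk(&m, &huge_offset) != 0
          && slp_message_add_chunk(&m, &wrong_total) != 0
          && memcmp(m.buf, "ABCDEFGH", 8) == 0;
    slp_message_free(&m);
    return ok ? 1 : 0;
}

int main(void) {
    printf("hardened chunk handling: %s\n", slp_demo() == 1 ? "ok" : "FAILED");
    return 0;
}
```

The point of the example is the order of the checks: the declared total is validated once at allocation time, each chunk is compared against the buffer the client actually allocated rather than against the chunk's own header, and the end-of-chunk test is phrased to avoid integer wraparound.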
The team further stated that the vulnerable code lies in libpurple, the core library underlying the Pidgin client. The same library also underpins a number of other IM clients, including Instantbird, Apollo, Palm, Telepathy-Haze, Meebo and EQO.
The flaw affects Pidgin versions prior to 2.5.9, Gaim 0.79 or later, Adium 1.5.8 or older, and Finch. CORESecurity made the issue public only after Pidgin released version 2.5.9.
Meanwhile, Pidgin has issued two further updates, 2.6.0 and 2.6.1, which fix the libpurple flaw more thoroughly. The most recent Windows binaries offered for download on Pidgin's website, however, are still those of version 2.5.8, the version on which CORESecurity carried out its tests and discovered the flaw.
Thus, to stay protected, the security specialists advised Pidgin users to install an updated version.
Appreciating CORESecurity's gesture, John Bailey, a representative of the Pidgin team, stated that CORESecurity had been responsible and kind enough to make Pidgin aware of the security problem privately, and had provided a proof-of-concept that helped fix the vulnerability before the issue was made public, as reported by Softpedia on August 19, 2009.
Additionally, the team said that while users of alternative clients might be shielded from the main attacks, they should still install a patch.
SPAMfighter News - 05-09-2009