
Pidgin IM Vulnerable to Malware Attacks

Internet security firm CORESecurity recently discovered a security flaw in the base core library of the Pidgin instant messaging client and notified its developers. If exploited, the flaw could allow attackers to run malicious code on a user's PC. The Pidgin team has since fixed the flaw in the most recent versions of the Pidgin IM program.

A team of experts at CORESecurity discovered that specially crafted MSNSLP messages sent to a Pidgin client via an MSN server could crash a remote PC. This happens because the series of messages triggers a 'memcpy' operation in the system's memory that leads to an invalid memory allocation, resulting in the system crash.

The flaw can be exploited without any user interaction and without requiring the attacker to be listed in the victim's contacts.

The team also stated that the vulnerable code is in Libpurple, the base core library of the Pidgin client. The same library underpins a number of other IM clients such as Instantbird, Apollo, Palm, Telepathy-Haze, Meebo and EQO.

The flaw in the base core library affects Pidgin versions until 2.5.9, Gaim 0.79 or higher, Adium 1.5.8 or older, and Finch. CORESecurity, however, made the security issue public only after Pidgin released version 2.5.9.

Meanwhile, Pidgin issued two more updated versions, 2.6.0 and 2.6.1, that mended the Libpurple flaw even better. The most recent Windows binaries available for download on Pidgin's website continue to be those of version 2.5.8, on which CORESecurity experimented and discovered the flaw.

Thus, to stay protected, the security specialists advised Pidgin users to install an updated version.

Appreciating CORESecurity's gesture, John Bailey, a representative of the Pidgin team, stated that CORESecurity was responsible and kind enough to make Pidgin aware of the security problem privately and to provide a proof-of-concept that helped to fix the vulnerability, prior to making the incident public, as reported by Softpedia on August 19, 2009.

Additionally, the team said that while users of alternative clients might take steps to shield themselves from the key attacks, they should still install a patch.

Related article: Pidgin 2.10.0 Arrives With Security Flaws Patched

» SPAMfighter News - 05-09-2009
