Security Flaw Uncovered in Trillian

A potential security vulnerability has been discovered in Trillian, an alternative instant messaging client created by Cerulean Studios that supports AIM, ICQ, MSN and Yahoo IM networks. The flaw involves a buffer overflow that could be exploited to gain control of a Trillian user's PC.

LogicLibrary, maker of software development tools, says its BugScan application uncovered the buffer iteration overflow in Trillian's handling of HTTP 1.1 response headers. The vulnerability has existed within several of Trillian's plug-in components since version 2.0, but was mostly eliminated with the release of Trillian 3.

However, Trillian 3.1 still contains two overflow bugs in the Yahoo Messenger component, LogicLibrary says. The problem can be used to shut down Trillian or to execute arbitrary code on a vulnerable computer.

"In order to build trust and confidence in the quality of today’s software, LogicLibrary believes it’s crucial that vendors work closely together to fix problems and provide the public with as much information as possible," said LogicLibrary general manager Ralph Massaro.

Cerulean Studios downplayed the significance of the flaw, saying the risk of a real-world attack is extremely low. Nonetheless, the company plans to correct the buffer overflows in its next release of Trillian.


BetaNews, your source for breaking tech news, reviews, and in-depth reporting since 1998.
