
Security Flaw Uncovered in Trillian

By Nate Mook, BetaNews

March 25, 2005, 1:13 PM

A potential security vulnerability has been discovered in Trillian, an alternative instant messaging client created by Cerulean Studios that supports AIM, ICQ, MSN and Yahoo IM networks. The flaw involves a buffer overflow that could be exploited to gain control of a Trillian user's PC.

LogicLibrary, maker of software development tools, says its BugScan application uncovered the buffer iteration overflow in Trillian's handling of HTTP 1.1 response headers. The vulnerability has existed within several of Trillian's plug-in components since version 2.0, but was mostly eliminated with the release of Trillian 3.

However, Trillian 3.1 still contains two overflow bugs in the Yahoo Messenger component, LogicLibrary says. The problem can be used to shut down Trillian or lead to arbitrary code being executed on a vulnerable computer.
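The class of bug described above is a fixed-size buffer receiving header data longer than it can hold. As an added example (not Trillian's, Cerulean Studios' or LogicLibrary's code), here is a bounded parser for HTTP/1.1 response header lines in which every copy into a fixed buffer is preceded by an explicit length check, so an oversized header is rejected instead of overrunning the buffer. The buffer sizes, return codes, function names and the two sample responses are constructed for illustration.

```c
/* Added example: bounded HTTP/1.1 response header parsing.
 * Constructed for this page; buffer sizes and return codes are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_NAME   64    /* assumed fixed buffer sizes */
#define MAX_VALUE  256
#define MAX_HDRS   16

typedef struct { char name[MAX_NAME]; char value[MAX_VALUE]; } header_t;

enum { HDR_OK = 0, HDR_TOO_LONG = -1, HDR_MALFORMED = -2, HDR_TOO_MANY = -3 };

/* Parse one "Name: value" line (without CRLF) into fixed-size buffers.
 * Each memcpy is guarded by a length check, so a long name or value is
 * refused rather than written past the end of the buffer. */
int parse_header_line(const char *line, size_t len, header_t *out)
{
    const char *colon = memchr(line, ':', len);
    if (colon == NULL || colon == line) return HDR_MALFORMED;
    size_t name_len = (size_t)(colon - line);
    if (name_len >= MAX_NAME) return HDR_TOO_LONG;

    const char *v = colon + 1;
    size_t vlen = len - name_len - 1;
    while (vlen > 0 && (*v == ' ' || *v == '\t')) { v++; vlen--; }       /* leading whitespace */
    while (vlen > 0 && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t')) vlen--; /* trailing whitespace */
    if (vlen >= MAX_VALUE) return HDR_TOO_LONG;

    memcpy(out->name, line, name_len); out->name[name_len] = '\0';
    memcpy(out->value, v, vlen);       out->value[vlen] = '\0';
    return HDR_OK;
}

/* Walk a raw response: check the status line, then parse header lines up to
 * the blank line. Returns HDR_OK and sets *count, or the first error seen. */
int parse_response_headers(const char *resp, header_t *hdrs, size_t max_hdrs, size_t *count)
{
    *count = 0;
    const char *p = resp;
    const char *eol = strstr(p, "\r\n");
    if (eol == NULL || strncmp(p, "HTTP/1.1 ", 9) != 0) return HDR_MALFORMED;
    p = eol + 2;
    for (;;) {
        eol = strstr(p, "\r\n");
        if (eol == NULL) return HDR_MALFORMED;   /* no terminating blank line */
        size_t len = (size_t)(eol - p);
        if (len == 0) return HDR_OK;             /* blank line: end of headers */
        if (*count >= max_hdrs) return HDR_TOO_MANY;
        int rc = parse_header_line(p, len, &hdrs[*count]);
        if (rc != HDR_OK) return rc;
        (*count)++;
        p = eol + 2;
    }
}

/* Constructed well-formed response: should yield two headers. Returns 1 on success. */
int demo_well_formed(void)
{
    static const char resp[] =
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 42\r\n\r\n";
    header_t h[MAX_HDRS]; size_t n = 0;
    if (parse_response_headers(resp, h, MAX_HDRS, &n) != HDR_OK) return 0;
    return n == 2 && strcmp(h[0].name, "Content-Type") == 0
                  && strcmp(h[0].value, "text/html") == 0
                  && strcmp(h[1].value, "42") == 0;
}

/* Constructed response carrying a 300-byte header value: must be rejected
 * with HDR_TOO_LONG, and nothing may have been written into the value buffer. */
int demo_oversized_rejected(void)
{
    char resp[512];
    strcpy(resp, "HTTP/1.1 200 OK\r\nX-Long: ");
    size_t off = strlen(resp);
    memset(resp + off, 'A', 300); off += 300;
    strcpy(resp + off, "\r\n\r\n");
    header_t h[MAX_HDRS]; size_t n = 0;
    memset(h, 0, sizeof h);
    int rc = parse_response_headers(resp, h, MAX_HDRS, &n);
    return rc == HDR_TOO_LONG && n == 0 && h[0].value[0] == '\0';
}

int main(void)
{
    printf("well-formed response parses: %s\n", demo_well_formed() ? "yes" : "no");
    printf("oversized header rejected:   %s\n", demo_oversized_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the design is that the length check happens before the copy, using the length of the input rather than trusting that it fits; a parser that instead copies first and checks afterwards has already corrupted memory by the time it notices.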

"In order to build trust and confidence in the quality of today’s software, LogicLibrary believes it’s crucial that vendors work closely together to fix problems and provide the public with as much information as possible," said LogicLibrary general manager Ralph Massaro.

Cerulean Studios downplayed the significance of the flaw, saying the risk of a real-world attack is extremely low. Nonetheless, the company plans to correct the buffer overflows in its next release of Trillian.

29 Comments

By bourgeoisdude

posted Mar 28, 2005 - 11:43 AM

I have not used Trillian, and barely even know what it is...nevertheless I find the title of this article misleading, and wanted to point it out. Look at the title. Now look at the first sentence in the article. Find a "potential" inconsistency here?

Score: 0

By avenger3871

posted Mar 28, 2005 - 10:36 AM

Wow... Spread the news even more than it was before.. Now more people can try to obtain access to many more people..

Besides.. I still dislike Trillian.. It's nice but is still buggy when having file transfers and other things..

Score: 0

By eunichman

posted Mar 28, 2005 - 2:34 AM

"Cerulean co-founder and CEO Scott Werndorfer said the buffer-related vulnerability is of "extremely low risk." In an e-mail sent to CNET News.com on Friday, he said that attackers would need to construct an entire fake IM software client for the sole purpose of sending a malicious request to a Trillian user. That person would then have to actually accept that message request in order for the attacker to take advantage of the flaw, he said."

endquote

Like many other alleged threats, this one involves user stupidity, not program flaws. The user has to accept a message request. So unless you know who you are talking to, don't be a lamer and talk to strangers :)

Score: 0

By eunichman

posted Mar 28, 2005 - 2:25 AM

If the flaw wasn't a major issue of Windows then none of the apps would be experiencing it.

Let's deflect blame here and point fingers at alllll the apps as they start becoming exploited through a Windows bug, not an application bug.

The applications cannot create holes where holes don't exist. They simply are made using the flawed Windows API.

Score: 0

By VikingBlade

posted Mar 26, 2005 - 10:40 AM

http://news.com.com/Tril...37029.html?tag=nefd.top

Score: 0

By GoodThings2Life

posted Mar 26, 2005 - 10:17 PM

Thanks Viking for the link... provides a bit more explanation of the problem.

Score: 0

By VikingBlade

posted Mar 25, 2005 - 6:42 PM

Looks like it only affects the Yahoo Messenger component?

Score: 0

By GoodThings2Life

posted Mar 25, 2005 - 7:06 PM

That is correct... but the fact still remains that the flaw does expose the computer to complete, remote control.

I'm not criticizing Trillian or anyone else in my posts... I'm just saying that people need to realize and understand that it's not just Microsoft that has these issues.

It's important that we keep ALL software up to date, and it's even more important that we all learn how to protect ourselves and teach others to protect themselves rather than start going off on companies for their imperfection.

Score: 0

By GoodThings2Life

posted Mar 25, 2005 - 2:30 PM

For all those anti-MS people out there that claim the biggest security flaw for IE is ActiveX and its tight integration with the OS... here's evidence that such a claim is invalid.

"The flaw involves a buffer overflow that could be exploited to gain control of a Trillian user's PC." So you see, it doesn't have to be a part of the OS in order to give user control over the PC. It can be done just fine without such integration.

Score: 0

By wormeyman

posted Mar 25, 2005 - 3:58 PM

Yes, however a buffer overflow in Trillian does not compromise yourself down to the core of the OS.

Score: 0

By Riff_Raff_50076

posted Mar 25, 2005 - 2:41 PM

But they will fix the flaw in a couple of days, not weeks or months, unlike M$ ......

Score: 0

By GoodThings2Life

edited Mar 25, 2005 - 7:07 PM

That remains to be seen. They haven't released a fix, nor have they indicated timing on release of a fix, so don't make such a statement yet.

As for the other individual's rhetoric about it not being compromised down to the OS, that's obviously not true since the article clearly states that the flaw would give them remote control of the system.

Score: 0

By DJInsomniac

posted Mar 25, 2005 - 8:14 PM

The article said it would be fixed for Trillian's next release, which would be 3.2 actually. That being said, I believe it's around another month before this version actually gets released, even into Beta form.

Score: 0

By DJInsomniac

posted Mar 25, 2005 - 3:43 PM

Stop saying M$. It just makes you seem like an 8 year old wannabe, to fit in with the "cool crowd".

Score: 0

By phaedrusone

edited Mar 25, 2005 - 4:24 PM

ha! .. so true

nothing wrong with Microsoft or $$$...

I wish I'd created a corporation like Microsoft.. then I could feel bad for those who programmatically spew anti-Microsoft rhetoric trying to destroy what they could not create

Score: 0

By Alexq

posted Mar 26, 2005 - 9:14 AM

Yes, it is every little boy's dream to create an abusing monopoly, stifle innovation and force subpar products down everyone's throats.

Score: 0

By threedd97

posted Mar 29, 2005 - 5:10 AM

They don't force anything down anyone's throat. Don't use a PC if you don't like Microsoft. That simple. Or move to Linux or a Mac. Quit whining.

Or you could go program your own OS and make all the needed programs ported over to your OS. GG.

Score: 0

By DJInsomniac

posted Mar 26, 2005 - 12:17 PM

Microsoft isn't forcing their products down anyone's throats. You have a choice over everything on your computer these days.

And the products are in no way sub-par, they're top of the line actually.

Score: 0

By techie_G33k

posted Mar 27, 2005 - 12:04 AM

Ya, they don't force anything down my throat. I left IE for FireFox, OE for ThunderBird, MS Office for OpenOffice, and then think about anything else that might be non-MS, but still pay for is mostly all free (to list a few, GIMP, NVU, FileZilla, OpenVPN, etc.)

I do not like MS, but guess they know how to make money and so far haven't seen them stop or stifle any building for GNU and GPL license software :D

Score: 0

By GoodThings2Life

posted Mar 26, 2005 - 9:46 AM

No, it's not that... it's about creating products and services that people actually use and making a profit off those products and services. It's called capitalism.

Now let's stick to the topic please... this thread is about the security issues of Trillian, not about economic and business practices.

Score: 0

By Alexq

posted Mar 26, 2005 - 10:35 AM

> it's about creating products and services that
> people actually use and making a profit off those
> products and services. It's called capitalism.

And is nothing like Microsoft's abusing monopoly.

Score: 0

By Planet.Of.Wounds

posted Mar 26, 2005 - 2:37 PM

Now repeat after me: Monopoly means all the consumers have no other choice. No-other-choice.

Write it down somewhere. I dunno, a yellow post-it on top of your monitor or something.

Score: 0

By Alexq

edited Mar 26, 2005 - 6:47 PM

Monopoly is a legal term and Microsoft is a convicted monopoly both in US (DoJ vs Microsoft) and in Europe (EC vs Microsoft). Don't bother repeating, it is beyond your comprehension abilities.

Score: 0

By LinuxIsTheft

posted Mar 28, 2005 - 11:58 AM

Europe said Microsoft was a "near monopoly". Even they didn't have the chutzpah to tell the biggest lie ever told in the software business.

Repeat after me ... Microsoft was not and never was a monopoly.

Score: 0

By GoodThings2Life

posted Mar 26, 2005 - 10:16 PM

Just like returning to the topic of discussion for this article is beyond your comprehension.

Seriously, let it go already. You've made your point but no one else cares, because we are more concerned at this time with security in instant messenger clients like Trillian, Yahoo, etc.

Score: 0

By threedd97

posted Mar 29, 2005 - 5:13 AM

Actually, half the posters in this article are blaming MS or talking about MS. Get a clue. I'm tired of listening to whiny emos complaining about Microsoft. Quit trying to be "original" and "unique". You're in fact forcing your ill-backed opinions and accusations down MY throat.

Score: 0

By Alexq

posted Mar 27, 2005 - 12:02 AM

Yes, great care for Trillian security must compel you to repeatedly attack one side of a lengthy off-topic discussion. Go play with other kids.

Score: 0

By Quizzical

edited Mar 27, 2005 - 12:15 AM

I think if you don't wish to discuss an issue, mister 2.30 poster, don't bring it into the topic.
While any vulnerability is worrying, I'm glad to note that thus far this is in the realms of the "paper" hack.
I place great emphasis on the word "Potential".

Score: 0

By cPingN

posted Mar 27, 2005 - 3:44 PM

I can't believe that Betanews hasn't just created a normal Forum where this crap gets redirected to. This is just silly. Same with files. People have to rate a file to make some comments. There should be the normal rating with a small comments section, and a forum discussion link for blabbing and experiences and "program x is better" junk.

C'mon guys! :)

Score: 0