Mac OS IM tool Adium lagging on library security vulnerability
libpurple is a 'binary blob of unknown provenance' says researcher
A developer is warning Adium users to pick a different messaging app because of an exploitable vulnerability in its underlying
Developed by Pidgin,
libpurple is an instant messaging library, and was patched earlier this month.
According to “Erythronium23” in this post to Full Disclosure, Adium is still using the unpatched version.
If an attacker sends invalid XML entities containing white spaces, they can crash the
purple_markup_unescape_entity process and get remote code execution.
The attack string has to be sent from a malicious server, which mitigates the risk somewhat.
Erythronium's complaint is threefold:
- Adium's developers are ignoring the bug report
- There's no documentation about how to upgrade the library
libpurpleshipping with the application is “a binary blob of unknown provenance”
Adium is a Mac OS messenger, and supports connection to AIM, Google Talk, Yahoo Messenger, Jabber, ICQ and IRC.
The company has contacted The Register to say it's "getting the facts ironed out before giving an official response", and is "working on releasing an update directly." ®