Mac OS IM tool Adium lagging on library security vulnerability

libpurple is a 'binary blob of unknown provenance' says researcher

By Richard Chirgwin

Posted in Security, 22nd March 2017 04:02 GMT

A developer is warning Adium users to pick a different messaging app because of an exploitable vulnerability in the version of libpurple the client bundles.

libpurple, the multi-protocol instant messaging library maintained by the Pidgin project, was patched earlier this month in the 2.12.0 release.

According to “Erythronium23” in this post to Full Disclosure, Adium still ships the unpatched version.

If an attacker sends invalid XML entities containing white space, they can trigger memory corruption in the purple_markup_unescape_entity function (it is a function, not a process), crashing the client and potentially achieving remote code execution.

The attack string has to be sent from a malicious server, which mitigates the risk somewhat, although a compromised server, or an attacker on the network path for a protocol used without transport encryption, would serve just as well.
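The post above only says that the bug lives in entity decoding and is triggered by white space in a numeric entity; it does not show libpurple's code or the exact fault. The example below is added here for illustration and is not libpurple's purple_markup_unescape_entity, nor Adium's code. It is a strict character-reference decoder written from scratch, showing the validation a decoder of this kind needs: every byte between "&#" and ";" must be a digit, the consumed length must match exactly what was parsed, and the resulting code point must be bounds-checked before it is encoded. The function names unescape_entity, unescape_markup and decodes_to, and the sample inputs at the bottom, are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libpurple code: a strict decoder for HTML/XML
 * character references.  A malformed reference such as "&# 65;" (white
 * space inside the entity) or "&#-1;" is rejected and left literal, and the
 * byte count returned always matches what was actually parsed. */

/* Encode one scalar value (<= 0x10FFFF) as UTF-8; out needs 5 bytes. */
static size_t encode_utf8(uint32_t cp, char *out)
{
    size_t n;
    if (cp < 0x80) { out[0] = (char)cp; n = 1; }
    else if (cp < 0x800) {
        out[0] = (char)(0xC0 | (cp >> 6));
        out[1] = (char)(0x80 | (cp & 0x3F)); n = 2;
    } else if (cp < 0x10000) {
        out[0] = (char)(0xE0 | (cp >> 12));
        out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (char)(0x80 | (cp & 0x3F)); n = 3;
    } else {
        out[0] = (char)(0xF0 | (cp >> 18));
        out[1] = (char)(0x80 | ((cp >> 12) & 0x3F));
        out[2] = (char)(0x80 | ((cp >> 6) & 0x3F));
        out[3] = (char)(0x80 | (cp & 0x3F)); n = 4;
    }
    out[n] = '\0';
    return n;
}

/* If text starts with a well-formed reference, write its expansion to out
 * (at least 5 bytes) and return the number of input bytes consumed;
 * otherwise return 0 and leave out untouched. */
size_t unescape_entity(const char *text, char *out)
{
    static const struct { const char *name; const char *repl; } named[] = {
        {"&amp;", "&"}, {"&lt;", "<"}, {"&gt;", ">"}, {"&quot;", "\""}, {"&apos;", "'"},
    };
    size_t i, pos, ndigits;
    uint32_t cp = 0;
    int hex = 0;

    if (text == NULL || text[0] != '&')
        return 0;
    for (i = 0; i < sizeof named / sizeof named[0]; i++) {
        size_t n = strlen(named[i].name);
        if (strncmp(text, named[i].name, n) == 0) { strcpy(out, named[i].repl); return n; }
    }
    if (text[1] != '#')
        return 0;

    /* Numeric reference.  Digits are scanned by hand rather than with
     * sscanf("%u"), which skips leading white space and accepts a sign, so
     * only [0-9] (or [0-9a-fA-F] after 'x') is allowed before the ';'. */
    pos = 2;
    if (text[pos] == 'x' || text[pos] == 'X') { hex = 1; pos++; }
    for (ndigits = 0;; pos++, ndigits++) {
        char c = text[pos];
        uint32_t d;
        if (c >= '0' && c <= '9') d = (uint32_t)(c - '0');
        else if (hex && c >= 'a' && c <= 'f') d = (uint32_t)(c - 'a' + 10);
        else if (hex && c >= 'A' && c <= 'F') d = (uint32_t)(c - 'A' + 10);
        else break;
        cp = cp * (hex ? 16u : 10u) + d;
        if (cp > 0x10FFFF)          /* out of Unicode range; also stops overflow */
            return 0;
    }
    if (ndigits == 0 || text[pos] != ';')
        return 0;
    pos++;
    if (cp == 0 || (cp >= 0xD800 && cp <= 0xDFFF))   /* NUL and surrogates */
        return 0;
    encode_utf8(cp, out);
    return pos;
}

/* Decode every reference in s into dst, copying malformed ones literally.
 * dst needs strlen(s)+1 bytes: no well-formed reference expands to more
 * bytes than it occupies in the input. */
size_t unescape_markup(const char *s, char *dst)
{
    size_t o = 0;
    while (*s != '\0') {
        char buf[5];
        size_t n = (*s == '&') ? unescape_entity(s, buf) : 0;
        if (n > 0) { size_t k = strlen(buf); memcpy(dst + o, buf, k); o += k; s += n; }
        else dst[o++] = *s++;
    }
    dst[o] = '\0';
    return o;
}

/* Convenience check: 1 if decoding in yields exactly expected. */
int decodes_to(const char *in, const char *expected)
{
    char dst[256];
    if (strlen(in) >= sizeof dst) return 0;
    unescape_markup(in, dst);
    return strcmp(dst, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs; the last four are deliberately malformed. */
    const char *samples[] = { "a &amp; b", "&#65;&#x42;", "&#x20AC;",
                              "&# 65;", "&#-1;", "&#x110000;", "&#65" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char dst[64];
        unescape_markup(samples[i], dst);
        printf("%-12s -> %s\n", samples[i], dst);
    }
    return 0;
}
```

The design point is that a scanner built on sscanf("%u") reads a number out of "&# 65;" or "&#-1;" while any separately computed "consumed length" does not cover those characters, so the decoder's bookkeeping drifts from the buffer it is writing into. Parsing the digits by hand keeps value, length and bounds check in one place.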

Erythronium's complaint is threefold:

  1. Adium's developers are ignoring the bug report
  2. There's no documentation about how to upgrade the library
  3. The libpurple shipping with the application is “a binary blob of unknown provenance”

Adium is a macOS instant messaging client, and supports connection to AIM, Google Talk, Yahoo Messenger, Jabber, ICQ and IRC.

The Adium project has contacted The Register to say it's "getting the facts ironed out before giving an official response", and is "working on releasing an update directly." ®
