
Mac OS IM tool Adium lagging on library security vulnerability

libpurple is a 'binary blob of unknown provenance' says researcher

By Richard Chirgwin


A developer is warning Adium users to pick a different messaging app because of an exploitable vulnerability in its underlying libpurple version.

Developed by Pidgin, libpurple is an instant messaging library, and was patched earlier this month.

According to “Erythronium23”, writing in a post to the Full Disclosure mailing list, Adium is still shipping the unpatched version.

If an attacker sends invalid XML entities containing white space, they can trigger a crash in libpurple's purple_markup_unescape_entity function, which can lead to remote code execution.

The attack string has to be sent from a malicious server, which mitigates the risk somewhat.

Erythronium's complaint is threefold:

  1. Adium's developers are ignoring the bug report
  2. There's no documentation about how to upgrade the library
  3. The libpurple shipping with the application is “a binary blob of unknown provenance”

Adium is a Mac OS messenger, and supports connection to AIM, Google Talk, Yahoo Messenger, Jabber, ICQ and IRC.

The company has contacted The Register to say it's "getting the facts ironed out before giving an official response", and is "working on releasing an update directly." ®
