
Mac OS IM tool Adium lagging on library security vulnerability

libpurple is a 'binary blob of unknown provenance' says researcher

By Richard Chirgwin


A researcher is warning Adium users to pick a different messaging app because of an exploitable vulnerability in the version of libpurple the client bundles.

libpurple, the instant messaging library developed by the Pidgin project, was patched earlier this month.

According to "Erythronium23", in a post to the Full Disclosure mailing list, Adium is still shipping the unpatched version.

If an attacker sends invalid XML entities containing whitespace, they can crash the purple_markup_unescape_entity function, and the researcher says the bug can lead to remote code execution.

The attack string has to be sent from a malicious server, which mitigates the risk somewhat.
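The article describes the bug only at the level of "invalid XML entities containing whitespace". As an added illustration of the check a parser needs at that point (this is not libpurple's code and not a reconstruction of the patched bug), the following C decodes numeric character references such as `&#65;` and `&#x41;` strictly, rejecting anything that is not exactly `&#`, an optional `x`, digits, and `;`. It sits beside a lenient variant built on `strtoul()`, which, like most C library number parsers, silently skips leading whitespace and so accepts `&# 65;`. Every function name, the size limits, and the sample strings below are assumptions made for this example.

```c
/*
 * Added example: strict vs. lenient decoding of numeric character references.
 * Not libpurple code; names, limits and sample inputs are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CODEPOINT 0x10FFFFu

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Strict: every byte between "&#" (or "&#x") and ';' must be a digit of the
 * base.  Returns bytes consumed, or 0 if the reference is rejected. */
size_t decode_numeric_entity_strict(const char *s, uint32_t *cp) {
    size_t i = 2;
    uint32_t base = 10, val = 0;
    int ndigits = 0;

    if (s[0] != '&' || s[1] != '#') return 0;
    if (s[i] == 'x' || s[i] == 'X') { base = 16; i++; }
    for (;; i++) {
        int d = hexval(s[i]);
        if (d < 0 || (uint32_t)d >= base) break;
        if (val > (MAX_CODEPOINT - (uint32_t)d) / base) return 0; /* overflow guard */
        val = val * base + (uint32_t)d;
        ndigits++;
    }
    /* "&#;", "&# 65;" and "&#65 ;" all fail here: a space is not a digit. */
    if (ndigits == 0 || s[i] != ';') return 0;
    if (val == 0 || (val >= 0xD800 && val <= 0xDFFF)) return 0; /* NUL, surrogates */
    *cp = val;
    return i + 1;
}

/* Lenient, for contrast: strtoul() skips leading whitespace and accepts a
 * sign, so "&# 65;" decodes as 'A' even though it is not a valid reference. */
size_t decode_numeric_entity_lenient(const char *s, uint32_t *cp) {
    char *end;
    unsigned long val;
    if (s[0] != '&' || s[1] != '#') return 0;
    val = strtoul(s + 2, &end, 10);
    if (end == s + 2 || *end != ';' || val > MAX_CODEPOINT) return 0;
    *cp = (uint32_t)val;
    return (size_t)(end - s) + 1;
}

static size_t utf8_encode(uint32_t cp, char out[4]) {
    if (cp < 0x80)    { out[0] = (char)cp; return 1; }
    if (cp < 0x800)   { out[0] = (char)(0xC0 | (cp >> 6));
                        out[1] = (char)(0x80 | (cp & 0x3F)); return 2; }
    if (cp < 0x10000) { out[0] = (char)(0xE0 | (cp >> 12));
                        out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
                        out[2] = (char)(0x80 | (cp & 0x3F)); return 3; }
    out[0] = (char)(0xF0 | (cp >> 18));
    out[1] = (char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (char)(0x80 | ((cp >> 6) & 0x3F));
    out[3] = (char)(0x80 | (cp & 0x3F)); return 4;
}

/* Replace well-formed numeric references with UTF-8 and copy everything else
 * through unchanged.  Returns bytes written (excluding the NUL), or
 * (size_t)-1 if 'out' is too small, so the caller never gets an overrun. */
size_t unescape_numeric(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    while (*in) {
        uint32_t cp;
        char buf[4];
        size_t n = 1;
        size_t used = (*in == '&') ? decode_numeric_entity_strict(in, &cp) : 0;
        if (used) { n = utf8_encode(cp, buf); in += used; }
        else      { buf[0] = *in++; }
        if (o + n + 1 > outsz) return (size_t)-1;
        memcpy(out + o, buf, n);
        o += n;
    }
    out[o] = '\0';
    return o;
}

int main(void) {
    /* Constructed sample input: one valid reference, one with whitespace. */
    char out[64];
    uint32_t cp = 0;
    size_t n = unescape_numeric("a&#x20AC;b&# 65;", out, sizeof out);
    printf("strict: %zu bytes -> \"%s\"\n", n, out);
    printf("lenient accepts \"&# 65;\": %s\n",
           decode_numeric_entity_lenient("&# 65;", &cp) ? "yes" : "no");
    return 0;
}
```

The point of the contrast is not that `strtoul()` itself is unsafe, but that a decoder which tolerates bytes the grammar forbids and a caller that counts bytes by the grammar's rules will disagree about where a reference ends; the strict decoder returns the exact span it consumed, and `unescape_numeric` refuses to write past the buffer it was given.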

Erythronium's complaint is threefold:

  1. Adium's developers are ignoring the bug report
  2. There's no documentation about how to upgrade the library
  3. The libpurple shipping with the application is “a binary blob of unknown provenance”

Adium is a Mac OS messenger, and supports connection to AIM, Google Talk, Yahoo Messenger, Jabber, ICQ and IRC.

The Adium project has contacted The Register to say it's "getting the facts ironed out before giving an official response", and is "working on releasing an update directly." ®
