Mac OS IM tool Adium lagging on library security vulnerability

libpurple is a 'binary blob of unknown provenance' says researcher

By Richard Chirgwin

Posted in Security, 22nd March 2017 04:02 GMT

A developer is warning Adium users to pick a different messaging app because of an exploitable vulnerability in its underlying libpurple version.

Developed by the Pidgin project, libpurple is an instant messaging library; a fixed version was released earlier this month.

According to “Erythronium23” in this post to Full Disclosure, Adium is still using the unpatched version.

If an attacker sends invalid XML entities containing whitespace, they can crash the client inside the purple_markup_unescape_entity function and get remote code execution.

The attack string has to be sent from a malicious server, which mitigates the risk somewhat.

Erythronium's complaint is threefold:

  1. Adium's developers are ignoring the bug report
  2. There's no documentation about how to upgrade the library
  3. The libpurple shipping with the application is “a binary blob of unknown provenance”

Adium is a Mac OS messenger, and supports connection to AIM, Google Talk, Yahoo Messenger, Jabber, ICQ and IRC.

The Adium team has contacted The Register to say it's "getting the facts ironed out before giving an official response", and is "working on releasing an update directly." ®
