[ISN] Chat-program bugs could bite millions

From: InfoSec News (isnat_private)
Date: Wed Feb 06 2002 - 00:38:30 PST


    By Robert Lemos 
    Staff Writer, CNET News.com
    February 5, 2002, 1:15 PM PT
    An Irish security consultant published details this weekend of two
    software bugs in a popular chat program--bugs that could be used to
    install malicious programs on a victim's computer.
    The flaws make users of mIRC--a common Windows program that lets
    people chat in real time over a network of "Internet relay chat"  
    servers--susceptible to attack if they connect to a compromised
    server, said James Martin, the independent security consultant who
    found one of the flaws.
    "At the moment, (exploiting the flaw) is not that easy," Martin said,
    "but the code is in the hands of a lot of people."
    The flaws are the latest blow to any notion of security on chat
    software and instant messaging programs.
    "Certainly, IRC doesn't have a place in the enterprise, because of the
    group nature of the chatting that goes on," said Richard Stiennon,
    research director for business analyst Gartner. He warned that such
    holes could be a path for hackers and worms to gain entry into a
    "This one is perfect for a worm," he said.
    Last month, America Online plugged a hole in its AOL Instant Messenger
    application that could have allowed online vandals to access a
    victim's computer. The Internet giant also warned that a hole in its
    ICQ instant messaging program could allow hackers to access a victim's
    The incidents had analysts wondering whether employee use of such
    programs is dangerous for businesses.
    The latest problem could affect upward of 1 million people. While the
    total number of mIRC users is not known, more than 1 million people
    have signed up for the product's announcement list, according to the
    mIRC Web site.
    The latest security slip-up involves the way mIRC handles the
    nicknames it receives from the server.
    If a compromised server sends a name that is more than 200 characters
    long to a chatter's computer, the data causes a memory problem, called
    a buffer overflow, that allows code appended to the data to be
    executed on that computer. Typically, such a hidden command causes a
    malicious program to be downloaded and installed.
    A second flaw lets attackers direct mIRC users to a compromised IRC
    server by way of HTML code on a Web page or in an Outlook e-mail
    rendered in the style of a Web page. Online vandals could send URLs or
    e-mails to people with whom they're chatting, asking them to click a
    certain link. The malicious HTML code would then automatically direct
    a victim's computer to a compromised server.
    The flaws only affect versions of mIRC up to, and excluding, the
    latest release, version 6.0, Martin said.
    Gartner's Stiennon stressed that closed instant messaging systems used
    within a company are good for collaboration; it's only when employees
    connect to the Internet using such clients that there is a security
    "The objections for not using instant messaging in the enterprise is
    exactly the same as the objections a decade ago for not using e-mail,"  
    he said, noting that over a dozen companies--including Microsoft,
    iPlanet, Lotus and Jabber--have created software to create private IM
    Consultant Martin agrees that closed is the way to go for companies.  
    The 21-year-old computer expert stressed that anything that forges a
    connection between a PC and the Internet opens up security holes.  
    Well-written programs, however, minimize the danger, he said.
    "I personally do use mIRC," he said. "Frankly, it has the best
    interface and it is low on memory usage; it's a nice client."
    "After this, however, I'm starting to reconsider," Martin added.
    Khaled Mardam-Bey, the creator of mIRC, could not immediately be
    reached for comment on the problem. While his Web site announced the
    release on Sunday of mIRC 6.0, it made no mention of the security
    problems Martin claims are inherent in the older versions.
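
The nickname overflow the article describes comes down to copying server-supplied data into a fixed-size buffer without checking its length first. The following is an added C example of a bounds-checked nickname parser, not code from the article and not mIRC's own code; the 200-byte buffer is an assumption based on the article's figure, and `parse_nick`, `status_for_length` and the sample server lines are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NICK_BUF 200  /* assumed buffer size, from the article's 200-character figure */
enum nick_status { NICK_OK = 0, NICK_MALFORMED = -1, NICK_TOO_LONG = -2 };

/* Copy the nickname from an untrusted server line such as
 * ":old!user@host NICK :newnick\r\n" into out[outsz]. The length is
 * measured before any copy and an over-length name is rejected, so
 * out is never written past outsz bytes. */
enum nick_status parse_nick(const char *line, char *out, size_t outsz)
{
    const char *p;
    size_t len;

    if (!line || !out || outsz == 0) return NICK_MALFORMED;
    out[0] = '\0';
    p = strstr(line, " NICK ");
    if (!p) return NICK_MALFORMED;
    p += 6;                         /* skip " NICK " */
    if (*p == ':') p++;             /* optional trailing-parameter marker */
    len = strcspn(p, " \r\n");      /* nickname ends at space or line end */
    if (len == 0) return NICK_MALFORMED;
    if (len >= outsz) return NICK_TOO_LONG;  /* keep room for the NUL */
    memcpy(out, p, len);
    out[len] = '\0';
    return NICK_OK;
}

/* Build a constructed server line carrying an n-character nickname
 * and return what parse_nick() does with it. */
int status_for_length(size_t n)
{
    static char line[1024];
    char nick[NICK_BUF];
    if (n > sizeof line - 16) return NICK_MALFORMED;
    memcpy(line, ":a!b@c NICK :", 13);
    memset(line + 13, 'A', n);
    line[13 + n] = '\0';
    return parse_nick(line, nick, sizeof nick);
}

int main(void)
{
    printf("199 chars -> %d\n", status_for_length(199));
    printf("200 chars -> %d\n", status_for_length(200));
    printf("300 chars -> %d\n", status_for_length(300));
    return 0;
}
```

Rejecting the over-length name, rather than truncating it, also gives the client a clear signal that the server is sending data outside what the protocol allows.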