Several of us in our LAN use it and since I'm a "Curious George" and always manage to find an exploit or two in most messaging products, I have not found any significant security issues with Trillian.

However, there is a small but potentially serious issue with the way it redirects your MSN account to Hotmail. Trillian invokes the shdocvw.dll Internet Explorer type library and passes a string in a URL that contains your username and password in plain-text. This is especially dangerous when someone is sniffing your network segment and/or your friendly neighborhood IT Network Administrator peruses the firewall logs and discovers your MSN credentials.

Also, Trillian's default configuration turns on logging for all chat client types. So if you use it, be sure to turn it off, unless you want prying eyes to find out what you really think about your boss.

I chose the blue pill and uninstalled it.

Mike

-----Original Message-----
From: rogue [mailto:rogueat_private]
Sent: Wednesday, June 05, 2002 12:10 PM
To: vuln-devat_private
Cc: security-basicsat_private
Subject: Trillian Messaging Software

A bunch of users on my Win2k network are asking to install Trillian messaging software on their workstations because it allows messaging across several systems (AIM, Yahoo Messenger, ICQ, etc.) and I was wondering if anyone here has been using it and if there are any security issues which have surfaced before allowing this software on my network.

Thanks all!

--
==================
rogueat_private
{\o0|
==================
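
The exposure described in the reply above, credentials carried inside a URL that then ends up in firewall or proxy logs, can be audited for from the defender's side. The following is an added example, not part of the original thread and not Trillian's code; the log format, hostnames and parameter names are constructed assumptions, since the post does not give the actual URL layout.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed credential parameter names; the post does not show the real URL.
SECRET_KEYS = {"password", "passwd", "pwd", "pass", "secret"}
URL_RE = re.compile(r"https?://[^\s\"<>]+", re.IGNORECASE)

def redact_url(url):
    """Return (redacted_url, leaked_fields) for a single URL."""
    parts = urlsplit(url)
    leaked = []
    netloc = parts.netloc
    # Credentials in the authority part: scheme://user:password@host/
    if parts.password is not None:
        leaked.append("userinfo")
        netloc = f"{parts.username}:***@{netloc.rsplit('@', 1)[1]}"
    # Credentials in the query string: ?login=...&passwd=...
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_KEYS and value:
            leaked.append(key)
            value = "***"
        pairs.append((key, value))
    query = urlencode(pairs, safe="*")
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment)), leaked

def scan_log(lines):
    """Return (line_number, leaked_fields, redacted_url) for each exposing URL."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            redacted, leaked = redact_url(url)
            if leaked:
                findings.append((lineno, leaked, redacted))
    return findings

# Constructed sample proxy log lines (not taken from any real system).
SAMPLE_LOG = [
    "2002-06-05 12:31:02 10.0.0.23 GET http://mail.example.test/login?login=alice&passwd=hunter2&lang=en 200",
    "2002-06-05 12:31:09 10.0.0.23 GET http://www.example.test/index.html 200",
    "2002-06-05 12:32:40 10.0.0.41 GET http://bob:s3cret@files.example.test/pub/ 401",
]

if __name__ == "__main__":
    for lineno, leaked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(leaked)} exposed -> {redacted}")
```

Findings carry only the redacted URL, so the audit report does not become a second copy of the leaked passwords.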
This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 13:48:45 PDT