Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Gaim hit by another critical hole

Gaim hit by another critical hole

by Nikola Strahija on August 13th, 2005 A serious security flaw has hit Gaim, the popular cross-platform instant messaging client, for the second time in three months.


The vulnerability stems from a way Gaim reads the away messages of AIM or ICQ instant messaging users, according to researchers. The bug crashes the Gaim client, and could be exploited to run malicious code and take over a user's system, according to an advisory from Red Hat.

An attacker could compromise systems running Gaim by using a large number of "%n" symbols as an away message, according to researchers. Any Gaim user who passes the cursor over the attacker's user name to read the away message will find that the program shuts down. The attack also triggers a buffer overflow that could be used to execute malicious code, researchers said.

Red Hat said the bug was "critical", and issued its own patch fixing the away-message bug and two other flaws. As of Thursday morning no official patch from the Gaim project was available, according to an advisory from independent security firm Secunia.

Gaim version 1.x has had its fair share of security flaws over the past few months. Another critical security flaw was reported almost exactly three months ago, involving the way Gaim handles URLs. The software also had two critical bugs last year, in August and October. In addition Gaim has suffered from regular, less serious flaws, most allowing denial-of-service attacks. This year so far there have been six less serious security warnings - three in February, one in April, one in June and one in July.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »