Vulnerability Note VU#187033

Cerulean Studios Trillian Instant Messenger fails to properly handle "UTF-8" sequences

Overview

A vulnerability in Cerulean Studios Trillian Instant Messenger client may lead to execution of arbitrary code.

I. Description

Cerulean Studios Trillian Instant Messenger client fails to properly handle specially crafted UTF-8 text. A heap overflow may occur when Trillian receives a messages with malformed UTF-8 strings.

II. Impact

A remote, authenticated attacker may be able to execute arbitrary code with the privileges of the user or cause a denial-of-service condition by sending the client a message.

III. Solution

Update

Cerulean Studios has released an update to address this issue. See the Cerulean Studios Blog for more information.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Cerulean Studios	Vulnerable	20-Jun-2007

References

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=545
http://secunia.com/advisories/25736/
http://blog.ceruleanstudios.com/?p=150

Credit

This vulnerability was reported in iDefense Public Advisory 6.18.07. iDefense credits www.BlurredLogic.com with reporting this issue.

This document was written by Chris Taschner.

Other Information

Date Public:	2007-06-18
Date First Published:	2007-06-20
Date Last Updated:	2007-06-29
CERT Advisory:
CVE-ID(s):	CVE-2007-2478
NVD-ID(s):	CVE-2007-2478
US-CERT Technical Alerts:
Metric:	6.08
Document Revision:	10

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2007 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader