
Libpurple flaw: How does it affect connected IM clients?

The libpurple library contains a code execution vulnerability that affects the IM clients that were developed using it. Expert Michael Cobb explains how the flaw works.

A code execution vulnerability was found in libpurple, the library used in IM clients such as Pidgin and Adium.

Other IM networks, like AIM, Google Talk and Yahoo Messenger, can be connected to these clients. What is the flaw, and what can users of these IM clients do about it?

Libpurple is an open source library, developed by free chat software maker Pidgin, that provides the core functionality needed to develop an IM program. It enables developers to concentrate on developing the user interface, leaving libpurple to handle such tasks as managing accounts, preferences and network-level connectivity to access IM networks like AIM, Google Talk, Jabber and Yahoo Messenger.

Libpurple is used in various IM clients, including Pidgin and messaging software maker Adium's IM app. Adium became popular with Apple users after it was included in a Privacy Pack recommended by the Electronic Frontier Foundation in the months following the Edward Snowden leaks.

Security researcher Erythronium found an out-of-bounds write flaw in libpurple that is triggered when an attacker sends invalid XML entities containing whitespace. It can be exploited to run arbitrary code remotely or to cause a denial-of-service condition. Although the attack string has to be sent by a malicious server, it is still a serious vulnerability.

Pidgin patched the problem, tracked as CVE-2017-2640, in version 2.12.0 by decoding only HTML entities that are well formed.
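To show what "decode only well-formed entities" means in practice, here is an added example in C. It is not libpurple's code and not the actual patch; it is a hypothetical markup unescaper that rejects any entity containing whitespace or other junk (copying the text through literally instead), validates numeric entities digit by digit, and bounds-checks every write so the caller's buffer can never be overrun. The function names, the entity table and the sample strings are all constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libpurple code: a markup unescaper that only decodes
 * well-formed entities and bounds-checks every write to the output buffer. */

/* Encode a code point as UTF-8 into out (at most 4 bytes). Returns the number of
 * bytes written, or 0 for NUL, surrogates and values above U+10FFFF. */
static size_t encode_utf8(unsigned long cp, char out[4])
{
    if (cp == 0 || (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return 0;
    if (cp < 0x80)  { out[0] = (char)cp; return 1; }
    if (cp < 0x800) { out[0] = (char)(0xC0 | (cp >> 6)); out[1] = (char)(0x80 | (cp & 0x3F)); return 2; }
    if (cp < 0x10000) {
        out[0] = (char)(0xE0 | (cp >> 12)); out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (char)(0x80 | (cp & 0x3F)); return 3;
    }
    out[0] = (char)(0xF0 | (cp >> 18)); out[1] = (char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (char)(0x80 | ((cp >> 6) & 0x3F)); out[3] = (char)(0x80 | (cp & 0x3F)); return 4;
}

/* Decode one entity at s (s[0] == '&', len bytes readable). On success writes the UTF-8
 * bytes to out, sets *consumed to the input bytes used and returns the bytes written.
 * Returns 0 (nothing consumed) for anything that is not well formed: whitespace inside
 * the entity, a missing ';', an unknown name, a bad digit or an unencodable value. */
static size_t decode_entity(const char *s, size_t len, char out[4], size_t *consumed)
{
    static const struct { const char *name; const char *utf8; } named[] = {
        { "amp", "&" }, { "lt", "<" }, { "gt", ">" }, { "quot", "\"" },
        { "apos", "'" }, { "nbsp", "\xC2\xA0" },
    };
    size_t i = 1;
    if (len < 3 || s[0] != '&') return 0;
    /* The body may contain only [A-Za-z0-9#] and must be closed by ';' within 12 bytes. */
    while (i < len && i < 12 && s[i] != ';') {
        if (!isalnum((unsigned char)s[i]) && s[i] != '#') return 0; /* rejects "& 60;", "&#x 41;" */
        i++;
    }
    if (i == 1 || i >= len || s[i] != ';') return 0;
    const char *body = s + 1;
    size_t body_len = i - 1;
    if (body[0] == '#') {                     /* numeric: &#NNN; or &#xHH;, every digit checked */
        unsigned long cp = 0;
        int hex = body_len > 1 && (body[1] == 'x' || body[1] == 'X');
        size_t j = hex ? 2 : 1;
        if (j >= body_len) return 0;          /* "&#;" and "&#x;" */
        for (; j < body_len; j++) {
            int c = (unsigned char)body[j], d;
            if (c >= '0' && c <= '9') d = c - '0';
            else if (hex && c >= 'a' && c <= 'f') d = c - 'a' + 10;
            else if (hex && c >= 'A' && c <= 'F') d = c - 'A' + 10;
            else return 0;
            cp = cp * (hex ? 16 : 10) + (unsigned long)d;
            if (cp > 0x10FFFF) return 0;
        }
        size_t n = encode_utf8(cp, out);
        if (n) *consumed = i + 1;
        return n;
    }
    for (size_t k = 0; k < sizeof named / sizeof named[0]; k++) {
        size_t n = strlen(named[k].name);
        if (n == body_len && memcmp(named[k].name, body, n) == 0) {
            size_t m = strlen(named[k].utf8);
            memcpy(out, named[k].utf8, m);
            *consumed = i + 1;
            return m;
        }
    }
    return 0;
}

/* Unescape in into out (capacity out_size). Malformed entities are copied through
 * literally. Returns the output length (NUL-terminated) or -1 if the result would not
 * fit: the output buffer is never written past out_size. */
int unescape_markup(const char *in, char *out, size_t out_size)
{
    size_t ilen = strlen(in), ipos = 0, opos = 0;
    if (out_size == 0) return -1;
    while (ipos < ilen) {
        char buf[4];
        size_t used = 0, n = 0;
        if (in[ipos] == '&') n = decode_entity(in + ipos, ilen - ipos, buf, &used);
        if (n == 0) { buf[0] = in[ipos]; n = 1; used = 1; }   /* not well formed: keep literal */
        if (opos + n >= out_size) return -1;                   /* keep room for the NUL */
        memcpy(out + opos, buf, n);
        opos += n; ipos += used;
    }
    out[opos] = '\0';
    return (int)opos;
}

/* Helper for checks: 1 if unescaping in yields exactly expected. */
int unescapes_to(const char *in, const char *expected)
{
    char out[64];
    return unescape_markup(in, out, sizeof out) >= 0 && strcmp(out, expected) == 0;
}

int main(void)
{
    const char *samples[] = { "a &lt; b &amp; c", "&#60;&#x41;&#8364;", "& 60;", "&#x 41;", "&bogus;" };
    char out[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %d bytes: %s\n", samples[i], unescape_markup(samples[i], out, sizeof out), out);
    return 0;
}
```

The two properties worth noting are that whitespace anywhere between `&` and `;` makes the decoder give up and copy the bytes through unchanged, and that the number of bytes written is derived from what was actually encoded rather than from a length guessed before parsing, so the output buffer check holds even for inputs the decoder does not understand.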

However, no Adium advisory or patches have been released. Erythronium has been very critical of Adium's lack of response and its security processes, saying its build process documentation doesn't seem to include steps for upgrading or rebuilding libpurple, and the copy of libpurple checked into Adium's open source repository is a "binary blob of unknown provenance." Users of Adium should consider using an alternative IM client until Adium issues a patch and explains its policies and procedures for handling vulnerabilities in both its own codebase and in any of its dependencies.

Also of concern is the robustness of the security practices behind the development of the libpurple library. While work has been done to improve libpurple's codebase, many still feel cryptographic features are layered on top rather than built in as part of libpurple's design. Security as a plug-in rarely works, and because libpurple is written in C, it is exposed to memory-safety flaws like this one.

When choosing any software program that will be used to encrypt and protect data and communications, it's essential to assess the company or team behind a particular app to understand how mature its development processes are and the steps it takes to embed and maintain secure code, particularly when it comes to using third-party libraries.

One alternative available for both Android and iOS is Open Whisper Systems' Signal Private Messenger.

This was last published in August 2017
