A code execution vulnerability was found in libpurple, the library used in IM clients such as Pidgin and Adium. Other IM networks, like AIM, Google Talk and Yahoo Messenger, can be connected to these clients. What is the flaw, and what can users of these IM clients do about it?
Libpurple is an open source library, developed by free chat software maker Pidgin, that provides the core functionality needed to develop an IM program. It enables developers to concentrate on developing the user interface, leaving libpurple to handle such tasks as managing accounts, preferences and network-level connectivity to access IM networks like AIM, Google Talk, Jabber and Yahoo Messenger.
Libpurple is used in various IM clients, including Pidgin and messaging software maker Adium's IM app. Adium became popular with Apple users after it was included in a Privacy Pack recommended by the Electronic Frontier Foundation in the months following the Edward Snowden leaks.
Security researcher Erythronium found an out-of-bounds write flaw in libpurple that occurs when invalid XML entities containing white spaces are sent by an attacker. This can be exploited to run arbitrary code remotely or to cause a denial-of-service condition. Although the attack string has to be sent from a malicious server, it is still a serious vulnerability.
Pidgin has patched this problem in version 2.12.0, listed as CVE-2017-2640, by only decoding HTML entities that are well formed.
However, no Adium advisory or patches have been released. Erythronium has been very critical of Adium's lack of response and its security processes, saying its build process documentation doesn't seem to include steps for upgrading or rebuilding libpurple, and the copy of libpurple checked into Adium's open source repository is a "binary blob of unknown provenance." Users of Adium should consider using an alternative IM client until Adium issues a patch and explains its policies and procedures for handling vulnerabilities in both its own codebase and in any of its dependencies.
Also of concern is the robustness of the security practices behind the development of the libpurple library. While work has been done to improve libpurple's codebase, many still feel cryptographic features are layered on top, and not built in as part of libpurple's design. Security as a plug-in rarely works, and as libpurple is written in C, it's subject to attack via the memory space that all apps share.
When choosing any software program that will be used to encrypt and protect data and communications, it's essential to assess the company or team behind a particular app to understand how mature its development processes are and the steps it takes to embed and maintain secure code, particularly when it comes to using third-party libraries.
One alterative available for both Android and iOS is Open Whisper Systems' Signal Private Messenger.
Learn about the effect team messaging apps may have on other forms of communication
Find out how to integrate and support business messaging services
Discover why the PHPMailer library flaw had to be repatched
Dig Deeper on Email and messaging threats
Related Q&A from Michael Cobb
Apple's Quick Look feature previews thumbnails that are not encrypted. Learn how this poses a security threat to enterprises from expert Michael Cobb. Continue Reading
Hackers can imitate the design and domain name of popular sites like Netflix to steal credentials. Expert Michael Cobb explains how these Netflix ... Continue Reading
Hackers use legitimate admin tools to exfiltrate data in living off the land attacks that are hard to detect. Learn about this cyberattack tactic ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.