A code execution vulnerability was found in libpurple, the library used in IM clients such as Pidgin and Adium. Other IM networks, like AIM, Google Talk and Yahoo Messenger, can be connected to these clients. What is the flaw, and what can users of these IM clients do about it?
Libpurple is an open source library, developed by free chat software maker Pidgin, that provides the core functionality needed to develop an IM program. It enables developers to concentrate on developing the user interface, leaving libpurple to handle such tasks as managing accounts, preferences and network-level connectivity to access IM networks like AIM, Google Talk, Jabber and Yahoo Messenger.
Libpurple is used in various IM clients, including Pidgin and messaging software maker Adium's IM app. Adium became popular with Apple users after it was included in a Privacy Pack recommended by the Electronic Frontier Foundation in the months following the Edward Snowden leaks.
Security researcher Erythronium found an out-of-bounds write flaw in libpurple that occurs when invalid XML entities containing white spaces are sent by an attacker. This can be exploited to run arbitrary code remotely or to cause a denial-of-service condition. Although the attack string has to be sent from a malicious server, it is still a serious vulnerability.
Pidgin has patched this problem in version 2.12.0, listed as CVE-2017-2640, by only decoding HTML entities that are well formed.
However, no Adium advisory or patches have been released. Erythronium has been very critical of Adium's lack of response and its security processes, saying its build process documentation doesn't seem to include steps for upgrading or rebuilding libpurple, and the copy of libpurple checked into Adium's open source repository is a "binary blob of unknown provenance." Users of Adium should consider using an alternative IM client until Adium issues a patch and explains its policies and procedures for handling vulnerabilities in both its own codebase and in any of its dependencies.
Also of concern is the robustness of the security practices behind the development of the libpurple library. While work has been done to improve libpurple's codebase, many still feel cryptographic features are layered on top, and not built in as part of libpurple's design. Security as a plug-in rarely works, and as libpurple is written in C, it's subject to attack via the memory space that all apps share.
When choosing any software program that will be used to encrypt and protect data and communications, it's essential to assess the company or team behind a particular app to understand how mature its development processes are and the steps it takes to embed and maintain secure code, particularly when it comes to using third-party libraries.
One alterative available for both Android and iOS is Open Whisper Systems' Signal Private Messenger.
Learn about the effect team messaging apps may have on other forms of communication
Find out how to integrate and support business messaging services
Discover why the PHPMailer library flaw had to be repatched
Dig Deeper on Email and messaging threats
Related Q&A from Michael Cobb
By performing ongoing risk assessments, organizations can keep their SSH vulnerabilities at a minimum and ensure their remote access foundation is ... Continue Reading
Sending sensitive information in attachments is inherently unsafe, and the main way to secure them -- encryption -- can be implemented inconsistently... Continue Reading
Spyware can steal mundane information, track a user's every move and everything in between. Read up on the types of spyware and how to best fix ... Continue Reading