** HEADS UP ** Trillian User's

***ByTeWrangler*** · March 4th, 2005, 09:56 AM

Multiple exploits discovered in Trillian (chat client).

More at

http://www.k-otik.com/english/advisories/2005/0221

http://www.k-otik.com/exploits/20050302.trillian.py.php

Some quick information :

Remotely exploitable = YES

Rated as : Critical

till now no official patch is released.

**MoonWolf** · March 4th, 2005, 10:03 AM

/me thanks god that he got rid of trillian 3 day's ago.

***xierox*** · March 4th, 2005, 11:27 AM

This is only for Trillian 3.0 and prior users. Just update your client and apparently you're protected.

* Affected Products *
Cerulean Studios Trillian 3.0 and prior

- X

***zencoder*** · March 4th, 2005, 01:20 PM

Yes, trillian prompted for an upgrade recently...where did you get your "no official patch" information from?

***ByTeWrangler*** · March 4th, 2005, 04:44 PM

Greeting's

In the advisory the "solution" part says

"K-OTik Security is not aware of any official supplied patch for this issue."

Anyway i did go to the official site, where on the home page it does say that trillian is upgraded to 3.1 version.

However the download links still lead to old trillian 3.0 download file on download.com

Link on the web-page of the publisher : http://www.trillian.cc/downloads/

Download link leads to : http://www.download.com/Trillian/300...=dl&tag=button

I am sorry for not doing a complete re-search before i gave the head's up.

***xierox*** · March 4th, 2005, 09:08 PM

Hey, man, don't worry about it. We all screw up sometimes.

- X

**lucktsm** · March 5th, 2005, 12:10 AM

Thanks for the warning.. I was on 2.01 - getting 3.1 now. It's still the greatest chat client for Windows.

***xierox*** · March 5th, 2005, 02:13 AM

I upgraded from to 3.1 in December. It's still a very good chat client and some of the new features are very nice, but it still has some bugs and the new Preferences' interface is horrible compared to the old. They also took out a couple features I liked a lot.

- Xierox

**ric-o** · March 5th, 2005, 03:14 PM

Hmmm...it looks like v3.1 is vulnerable too. I just tested the exploit on v3.1 build 121 and it hung Trillian. I just checked their website and my build is the latest.

I tested this by having my buddy create the PNG file, send it to me via IM, and then set it as my icon in Trillian. As soon as I selected it as the icon Trillian hung. Don't know if it caused a buffer overflow allowing arbitrary code to be executed because we didn't put any in the file.

It looks like the only way you can use to attack someone is if you trick them into using the PNG file as their icon...so the risk would seem to be low....unless your too trusting. :-)

***The Grunt*** · March 5th, 2005, 04:52 PM

Trillian sucks, I'm suprised anyone still uses it. If you are looking for multi protocol IM's on Win go with miranda. Looks plain at first but look around the web and you will find TONS of pluggins and addins for it. It's only been out for around a year and there are already tons of stuff out for it.

http://www.miranda-im.org/

Thread: HEADS UP Trillian User's

Thread Tools

Display