Contributed by: Egle Markauskaite
Date: May 28, 2009
Attackers just won't stop their dark deeds on the Internet and across the whole online world. New vulnerabilities are reported almost every day. It sounds gloomy, but it's true, and this is clearly the negative side of the wonderful online world. This time multiple vulnerabilities have been identified in Pidgin versions before 2.5.6! Attackers are able to exploit these vulnerabilities to remotely execute arbitrary code or to cause a denial of service. That's how users' systems are compromised. The particular vulnerability I'm going to review in this article is the Pidgin PurpleCircBuffer vulnerability, also known as CVE-2009-1375.
What is Pidgin? This question may be asked by those who don't know exactly what it is, so let me quickly describe this software program. Pidgin is a chat program. It allows people to log into accounts on multiple chat networks at the same time. This means that users are able to chat with friends on MSN, talk to friends on Google Talk, and sit in a Yahoo chat room simultaneously.
But unfortunately, Pidgin is vulnerable to a denial of service attack. The PurpleCircBuffer implementation in Pidgin versions released before 2.5.6 does not correctly maintain the buffer. This enables remote attackers to cause a denial of service, which involves memory corruption and an application crash, through vectors that use the following protocol plug-ins:
If attackers send specially crafted XMPP or Sametime packets, they could corrupt memory and, as mentioned before, cause the application to crash.
The risk of a denial of service attack is a result of incorrect bounds checking by the PurpleCircBuffer structure. This specific flaw was discovered in the way the PurpleCircBuffer object is expanded. If the buffer is full when more data arrives or, in other words, when more bytes are added to it, the data collected in the buffer becomes corrupted. This corrupted data could lead to false or deceitful data being presented to the user, or in some way crash Pidgin.
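To make the failure mode above concrete, here is an added example (not Pidgin's code and not part of the original article): a simplified growable ring buffer whose expansion routine must relocate wrapped data, with a `flawed` switch modelling a wrap test that misses the completely full case. The struct, function names and sample bytes are assumptions constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified growable ring buffer; all names are hypothetical, not Pidgin's source. */
typedef struct { char *buf; size_t cap, used, in, out; } ring_t;

static int ring_grow(ring_t *r, size_t need, int flawed) {
    size_t old = r->cap, ncap = old * 2;
    while (ncap - r->used < need) ncap *= 2;
    char *p = realloc(r->buf, ncap);
    if (!p) return -1;
    memset(p + old, 0, ncap - old);
    r->buf = p; r->cap = ncap;
    /* Data wraps past the old end when in < out, and also when in == out with
       data present (buffer full). flawed=1 models a test that misses the latter. */
    int wrapped = flawed ? (r->in < r->out) : (r->used > 0 && r->in <= r->out);
    if (wrapped) {
        memcpy(r->buf + old, r->buf, r->in);  /* relocate the wrapped head chunk */
        r->in = (old + r->in) % r->cap;
    }
    return 0;
}

static int ring_write(ring_t *r, const char *s, size_t n, int flawed) {
    if (r->cap - r->used < n && ring_grow(r, n, flawed) != 0) return -1;
    for (size_t i = 0; i < n; i++) { r->buf[r->in] = s[i]; r->in = (r->in + 1) % r->cap; }
    r->used += n;
    return 0;
}

static size_t ring_read(ring_t *r, char *d, size_t n) {
    if (n > r->used) n = r->used;
    for (size_t i = 0; i < n; i++) { d[i] = r->buf[r->out]; r->out = (r->out + 1) % r->cap; }
    r->used -= n;
    return n;
}

/* Constructed scenario: fill, drain half, refill to full (in == out), then grow. */
static int ring_roundtrip_ok(int flawed) {
    ring_t r = { malloc(8), 8, 0, 0, 0 };
    char tmp[4], got[16] = {0};
    if (!r.buf) return 0;
    ring_write(&r, "ABCDEFGH", 8, flawed);
    ring_read(&r, tmp, 4);
    ring_write(&r, "IJKL", 4, flawed);
    ring_write(&r, "MNOP", 4, flawed);  /* arrives while the buffer is full */
    size_t n = ring_read(&r, got, sizeof got);
    free(r.buf);
    return n == 12 && memcmp(got, "EFGHIJKLMNOP", 12) == 0;
}
int main(void) { return !(ring_roundtrip_ok(0) && !ring_roundtrip_ok(1)); }
```

With the flawed test the write offset is left pointing at unread bytes after growth, so the new data overwrites them; the corrected test preserves the byte order across expansion.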
I have no doubt that all the information you've read in this article regarding this vulnerability is scaring you... But don't worry, stay calm, Pidgin has released a patch to resolve this security issue! Users who are exposed to this vulnerability are advised to upgrade to the latest version of Pidgin (2.5.6 or later). It is available on the Pidgin Web site. Therefore, if you are affected by the Pidgin PurpleCircBuffer vulnerability, there is nothing to wait for but to update your installations and continue enjoying free online chatting.