Trillian IM Client at Risk From Attacks

Security researchers Thursday warned users of the popular Trillian instant messaging client that the software harbors three critical vulnerabilities that could be used to hijack their Windows PCs.

Trillian's developer, Cerulean Studios, has updated the IM client to version 3.0.10.0 to patch the bugs.

The vulnerabilities were reported by 3Com Inc.'s TippingPoint , which posted advisories for each. Danish bug tracking firm Secunia, meanwhile, collectively ranked the three as "highly critical" problems, its second-highest threat rating.

The bugs include one within the header parsing code for Microsoft's MSN instant messaging protocol, said TippingPoint's alerts; another involves how Trillian's talk.dll parses XML data ; and a third is within messages sent via America Online's AIM instant messaging network.

The first two can be exploited by attackers without tricking the user into helping -- simply receiving a maliciously-crafted message triggers those bugs -- but the third requires recipients to open a malformed image file, said TippingPoint. All three could be used by hackers to remotely inject their own code onto the PC, added the security company.

Trillian is one of several IM clients that support multiple IM services, and lets users chat with contacts on AOL's, Microsoft 's and Yahoo 's networks, as well as people using ICQ or IRC.

Version 3.0.10.0 can be downloaded from the Cerulean Studios Web site. Trillian runs on Windows 98, 2000, ME, XP and Vista.