Information Security News mailing list archives

Chat-program bugs could bite millions


From: InfoSec News <isn () c4i org>
Date: Wed, 6 Feb 2002 02:38:30 -0600 (CST)

http://news.com.com/2100-1001-829887.html

By Robert Lemos 
Staff Writer, CNET News.com
February 5, 2002, 1:15 PM PT

An Irish security consultant published details this weekend of two
software bugs in a popular chat program--bugs that could be used to
install malicious programs on a victim's computer.

The flaws make users of mIRC--a common Windows program that lets
people chat in real time over a network of "Internet relay chat"  
servers--susceptible to attack if they connect to a compromised
server, said James Martin, the independent security consultant who
found one of the flaws.

"At the moment, (exploiting the flaw) is not that easy," Martin said,
"but the code is in the hands of a lot of people."

The flaws are the latest blow to any notion of security on chat
software and instant messaging programs.

"Certainly, IRC doesn't have a place in the enterprise, because of the
group nature of the chatting that goes on," said Richard Stiennon,
research director for business analyst Gartner. He warned that such
holes could be a path for hackers and worms to gain entry into a
company.

"This one is perfect for a worm," he said.

Last month, America Online plugged a hole in its AOL Instant Messenger
application that could have allowed online vandals to access a
victim's computer. The Internet giant also warned that a hole in its
ICQ instant messaging program could allow hackers to access a victim's
computer.

The incidents had analysts wondering whether employee use of such
programs is dangerous for businesses.

The latest problem could affect upward of 1 million people. While the
total number of mIRC users is not known, more than 1 million people
have signed up for the product's announcement list, according to the
mIRC Web site.

The latest security slip-up involves the way mIRC handles the
nicknames it receives from the server.

If a compromised server sends a name that is more than 200 characters
long to a chatter's computer, the data causes a memory problem, called
a buffer overflow, that allows code appended to the data to be
executed on that computer. Typically, such a hidden command causes a
malicious program to be downloaded and installed.
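As an added illustration of the class of bug described above (constructed here, not mIRC's code, which the article does not show), the unchecked copy of a server-supplied nickname into a fixed buffer is placed next to a bounded version that rejects a nick that would not fit. The 200-character limit, the ":nick!user@host COMMAND" prefix layout and the sample lines are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit: the article says names longer than 200 characters
 * triggered the overflow, so treat 200 as the maximum we will accept. */
#define NICK_MAX 200

/* The pattern the article describes: the nick from a server message
 * prefix (":nick!user@host COMMAND ...") is copied into a fixed-size
 * buffer with no check that it fits. Kept for contrast only. */
void parse_prefix_nick_unchecked(const char *line, char out[NICK_MAX + 1])
{
    const char *start = line + 1;            /* skip the leading ':' */
    size_t len = strcspn(start, "!@ ");      /* nick ends at '!', '@' or space */
    memcpy(out, start, len);                 /* len may exceed NICK_MAX */
    out[len] = '\0';
}

/* Hardened version: same parsing, but the length is validated against
 * the buffer before anything is copied. Returns false and leaves out
 * empty when there is no prefix or the nick is too long. */
bool parse_prefix_nick(const char *line, char out[NICK_MAX + 1])
{
    out[0] = '\0';
    if (line == NULL || line[0] != ':')
        return false;
    const char *start = line + 1;
    size_t len = strcspn(start, "!@ ");
    if (len == 0 || len > NICK_MAX)
        return false;                        /* reject instead of overflowing */
    memcpy(out, start, len);
    out[len] = '\0';
    return true;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *ok = ":alice!u@example.invalid PRIVMSG #chan :hello";
    char hostile[NICK_MAX + 40];
    char nick[NICK_MAX + 1];
    hostile[0] = ':';
    memset(hostile + 1, 'A', NICK_MAX + 1);  /* 201-character nick */
    strcpy(hostile + NICK_MAX + 2, "!u@h PRIVMSG #chan :x");
    printf("%s -> %s\n", ok, parse_prefix_nick(ok, nick) ? nick : "(rejected)");
    printf("201-char nick -> %s\n", parse_prefix_nick(hostile, nick) ? nick : "(rejected)");
    return 0;
}
```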

A second flaw lets attackers direct mIRC users to a compromised IRC
server by way of HTML code on a Web page or in an Outlook e-mail
rendered in the style of a Web page. Online vandals could send URLs or
e-mails to people with whom they're chatting, asking them to click a
certain link. The malicious HTML code would then automatically direct
a victim's computer to a compromised server.

The flaws affect only versions of mIRC older than the latest release,
version 6.0, Martin said.

Gartner's Stiennon stressed that closed instant messaging systems used
within a company are good for collaboration; it's only when employees
connect to the Internet using such clients that there is a security
problem.

"The objections for not using instant messaging in the enterprise are
exactly the same as the objections a decade ago for not using e-mail,"
he said, noting that over a dozen companies--including Microsoft,
iPlanet, Lotus and Jabber--have created software to create private IM
networks.

Consultant Martin agrees that closed is the way to go for companies.  
The 21-year-old computer expert stressed that anything that forges a
connection between a PC and the Internet opens up security holes.  
Well-written programs, however, minimize the danger, he said.


"I personally do use mIRC," he said. "Frankly, it has the best
interface and it is low on memory usage; it's a nice client."

"After this, however, I'm starting to reconsider," Martin added.

Khaled Mardam-Bey, the creator of mIRC, could not immediately be
reached for comment on the problem. While his Web site announced the
release on Sunday of mIRC 6.0, it made no mention of the security
problems Martin claims are inherent in the older versions.



-
ISN is currently hosted by Attrition.org