A friend just pointed me to this CNET News.com article describing a security hole in the Trillian IM client for Windows. It's a standard buffer overrun defect --- these are criminally common in software, and this one would probably be easy to fix if Trillian were written properly. But I want to comment on Matt Hines's article, which contains the following paragraph:
Cerulean co-founder and CEO Scott Werndorfer said the buffer-related vulnerability is of "extremely low risk." In an e-mail sent to CNET News.com on Friday, he said that attackers would need to construct an entire fake IM software client for the sole purpose of sending a malicious request to a Trillian user. That person would then have to actually accept that message request in order for the attacker to take advantage of the flaw, he said.
If I'd written this article, the next paragraphs would read:
However, Werndorfer is lying. Numerous open source instant messaging clients and libraries are freely available on the Internet, and any malicious programmer could simply download one of these, change or add a small amount of code --- perhaps even a single line --- and obtain a working exploit. The exploit would then circulate rapidly through the cracker underground, so that even unskilled "script kiddies" would have access to it. It is true that users would have to accept the message, but in practice a large fraction of users will accept a cleverly crafted message. Consider, for example, whether any teenager you know would reject a message from "SecretCrushOnU".
In fact, the only mitigating factor in this case is that Trillian is much less popular than the IM clients offered by AOL, Yahoo!, and Microsoft. Attackers would be able to compromise a relatively small number of targets, which somewhat reduces the motivation to exploit Trillian's defects.
So why doesn't Hines write something like the above? I suspect that he's too ignorant of the technology, and too lazy to pick up the phone and call someone who isn't. Or maybe Hines wrote the right article, and his editor trimmed it. Either way, CNET News.com should be embarrassed, particularly since they market themselves as specialists in technology news.
No comments:
Post a Comment