IRC-Junkie.org – IRC News

No, not only mIRC has bugs

For the second time, after a similar vulnerability in 2007, the irc:// URI-handler of KVIrc 3.4.0 is vulnerable to exploitation.

For successful exploitation of the security hole the user needs to be tricked to follow a maliciously crafted irc:// link – “Failed exploit attempts may cause denial-of-service conditions.” at least, or might even enable the attacker “to execute arbitrary code with the privileges of the user running the affected application.” - which we all know is Administrator for 95% of all Windows machines.

However, this post on the KVIrc mailing list claims the bug is invalid and KVIrc 3.4.x is not affected but after a short test i can at least confirm that there indeed is an issue that causes a DoS because KVIrc crashes after opening the malformed link.

The usual suggestion to upgrade to the latest version to be not prone to that vulnerability is superfluous at least for the Windows-version of KVIrc, as 3.4.0 is the latest “stable” release that can be obtained from the website.

Update 11/7/08: There is now an update to version 3.4.2 available for download.

Related posts:

1. KVIrc 3.4.2 URI handler in combination with IE exploitable [Updated] Not even a month ago, it was KVIrc 3.4.0 in...
2. KVIrc 3.4.0 Released “After a long time with development snapshots only (due to...
3. mIRC Local DCC Issue: Exploit, Vulnerability or Neither? mIRC has seen issues with DCC exploits in the past....
4. Quassel IRC CTCP Command Injection Vulnerability Another day, another IRC client vulnerability… Researchers have found a...
5. KVIrc Ubuntu Karmic build is broken In the most recent newspost on the KVIrc website developer...

Tags: Hack, IRC, KVIrc, Software

This entry was posted on Friday, October 31st, 2008 at 3:34 pm and is filed under Clients, Hack, IRC, Software. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.