IRC-Junkie.org – IRC News

The KVIrc team has issued an update of their IRC client although it’s technically still at RC2.

The update is recommended for all users of the freenode IRC network that experience problems with “Excess Flood” disconnects from the network, mostly due to autojoining a large number of channels where the client automatically issues a series of commands (/WHO, gets channelmodes and lists of bans as well as ban and invite exemptions) – neither of those events have been rate-limited in the past.

Just a few minutes ago, HelLViS69 has released RC2 of the IRC-client KVIrc.

He writes that they “are proud to release the next release candidate. This release contains a huge amount of bugfixes, a cleaner and readable code, some new features including the new ISO standards for file sizes and datetimes format and a new automagical wizard to create addons.”

For now, there is only the possibility to checkout your copy from their SVN repository but he writes that “snapshots for the different OSes/arches will follow in the next days.”

In the most recent newspost on the KVIrc website developer HelLViS69 writes that certain features of the IRC-client are broken on Ubuntu Karmic Koala.

He writes that “all popups are missing, and many actions on IRC return a parser error”. After installing the supposedly broken client we’ve indeed been able to confirm this as right-clicking on nicknames in the nicklist does not produce the expected popup but fails silently.

Doing the same in the channel window results in a more noisy error:

[KVS] Runtime Error: Popup channel is not defined
[KVS]   in script context “OnChannelNickPopupRequest::default”, line 1, near character 14
Event handler OnChannelNickPopupRequest::default is broken: disabling

Not even a month ago, it was KVIrc 3.4.0 in it’s Windows release which has been vulnerable to what has been at least a DoS/crash.

As of yesterday, there have been new exploits posted on the usual sites around the internet – but this time it is not the fault of KVIrc’s URI handler, because the bug is only exploitable if the malicious link is opened with Microsoft’s Internet Explorer and is possible because of its unique way to handle double quotes (“) in links.

No, not only mIRC has bugs

For the second time, after a similar vulnerability in 2007, the irc:// URI-handler of KVIrc 3.4.0 is vulnerable to exploitation.

For successful exploitation of the security hole the user needs to be tricked to follow a maliciously crafted irc:// link – “Failed exploit attempts may cause denial-of-service conditions.” at least, or might even enable the attacker “to execute arbitrary code with the privileges of the user running the affected application.” - which we all know is Administrator for 95% of all Windows machines.