Users of the popular Trillian instant messaging client need to update their software following the discovery of a serious security bug.

The multi-protocol chat application from Cerulean Studios is subject to a heap overflow vulnerability because of programming errors involving the word-wrapping of UTF-8 text.

As a result, hackers might be able to crash versions of the application, thereby loading exploit code onto vulnerable systems. Viewing a malicious message containing a specially malformed UTF-8 string would be enough to trigger the attack.

"The MSN protocol is a known attack vector for this vulnerability. However, exploitation could potentially occur using any supported protocol," an advisory by iDefense warns.

Users are advised to update to a patched version of Trillian - version 3.1.6.0 - in order to guard against attack, as explained in an posting on Cerulean Studios' Trillian blog here. ®

Related stories

• Trillian blighted by security bug trio (23 May 2008)
• Yahoo! battered by second ActiveX vulnerability (3 September 2007)
• Yahoo! patch squashes messenger bug (8 June 2007)
• Skype worm leaps onto MSN (24 May 2007)
• Skype IM malware smut surfaces (16 April 2007)
• Microsoft and Yahoo! 'to merge IM chat' (12 October 2005)
• AOL blocks Trillian IM access (31 January 2002)