Serious Security Bug - All Users Should Update
Today (1/27/06) we were alerted by the people at RainbowCrack-Online that they had discovered a buffer overflow risk in the mircryption dll, which could be demonstrated by a program called ircfuzz by Ilja van Sprundel. Ircfuzz generates and floods a mirc client with huge amounts of random data, and it turns out that mircryption does not sufficiently protect itself from the possibility of abnormally long channel names or nick names(>255 characters).
While it is not possible for a normal user to trigger such an attack, it is still possible that a malicious server owner could send commands that could crash your irc client while running mircryption, or possibly exploit the buffer overflow in order to execute malicious code.
While we know of no existing exploit of this bug in the wild, this should be considerd a SERIOUS risk, and all mircryption users should update immediately.
Both the mircryption.mrc script and mircryption.dll files as of version 1.15.00 have been redundantly fixed to protect against flaw.
You can update using the online updater, or by installing the new version over your old version, or by manually downloading and replaceing the new mircryption.dll and mircryption.mrc files on the download page.
Thank you to rainbow-crack-online for alerting us to this bug.This is the first time in 4+ years that we've had reason to release a security update for mircryption
News page and update:http://www.donationc...ircryption/index.php