Author Topic: Serious Security Bug - All Users Should Update to version 1.15.00 or higher  (Read 5490 times)

mouser

Serious Security Bug - All Users Should Update

Today (1/27/06) we were alerted by the people at RainbowCrack-Online that they had discovered a buffer overflow risk in the mircryption dll, which could be demonstrated by a program called ircfuzz by Ilja van Sprundel. Ircfuzz generates and floods a mirc client with huge amounts of random data, and it turns out that mircryption does not sufficiently protect itself from the possibility of abnormally long channel names or nicknames (>255 characters).

While it is not possible for a normal user to trigger such an attack, it is still possible that a malicious server owner could send commands that could crash your irc client while running mircryption, or possibly exploit the buffer overflow in order to execute malicious code.

While we know of no existing exploit of this bug in the wild, this should be considered a SERIOUS risk, and all mircryption users should update immediately.

Both the mircryption.mrc script and mircryption.dll files as of version 1.15.00 have been redundantly fixed to protect against this flaw.

You can update using the online updater, or by installing the new version over your old version, or by manually downloading and replacing the new mircryption.dll and mircryption.mrc files on the download page.

Thank you to rainbow-crack-online for alerting us to this bug.

This is the first time in 4+ years that we've had reason to release a security update for mircryption :(



News page and update:
http://www.donationc...ircryption/index.php
« Last Edit: February 19, 2006, 11:15:20 AM by mouser »
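
The class of check described in the post above, as an added example that is not part of the original post and is not mircryption's code (which the page does not show): nick and channel names arriving from the server are length-checked against the 255-character limit the post mentions before they are copied into fixed-size buffers. All function names and the sample IRC line are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define NAME_MAX_LEN 255 /* limit from the post; longer names are rejected */

/* Copy the token at src (ending at any char in stops, or at NUL) into dst,
 * which must hold NAME_MAX_LEN + 1 bytes. Returns 0, or -1 if empty/too long. */
static int copy_name(char *dst, const char *src, const char *stops)
{
    size_t len = strcspn(src, stops);
    dst[0] = '\0';
    if (len == 0 || len > NAME_MAX_LEN)
        return -1;               /* refuse instead of truncating or overflowing */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse ":nick!user@host COMMAND #channel ..." as received from a server.
 * Returns 0 on success, -1 if the line is malformed or a name is oversized. */
int parse_nick_and_channel(const char *line, char *nick, char *chan)
{
    const char *p;
    nick[0] = chan[0] = '\0';
    if (line == NULL || line[0] != ':' || copy_name(nick, line + 1, "! ") < 0)
        return -1;
    p = strchr(line, ' ');                 /* end of the prefix */
    if (p == NULL) return -1;
    p = strchr(p + strspn(p, " "), ' ');   /* end of the command */
    if (p == NULL) return -1;
    return copy_name(chan, p + strspn(p, " "), " \r\n");
}

/* Constructed sample: parse result for a channel name of n characters. */
int check_channel_of_length(size_t n)
{
    char line[1024] = ":alice!a@host PRIVMSG ";
    char nick[NAME_MAX_LEN + 1], chan[NAME_MAX_LEN + 1];
    size_t off = strlen(line);
    if (n > sizeof line - off - 1) return -1;
    memset(line + off, '#', n);            /* rest of line[] is already NUL */
    return parse_nick_and_channel(line, nick, chan);
}

int main(void) { return check_channel_of_length(256) == -1 ? 0 : 1; }
```

Rejecting the oversized name outright, rather than truncating it, keeps an encryption layer from silently treating two different channel names as the same one.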

gottadoit

Re: Serious Security Bug - All Users Should Update
« Reply #1 on: January 30, 2006, 06:31:12 AM »
Mouser,
  I'm not sure what is wrong but somebody I know just encountered an error when trying to run the exe install
  The error text was something like "error 0 while running command"

  The exe was from sourceforge (  http://mircryption.s...nSuite_Setup_151.exe )

mouser

Re: Serious Security Bug - All Users Should Update
« Reply #2 on: January 30, 2006, 06:45:23 AM »
thanks for catching this!

i always test the installs, but it's been a while since i built them and because of the way the self unpacker works and the directory i run the test install in, it was working for me but for everyone else the actual setup.exe file was missing, so when it unpacks and tries to run the installer it was failing with that unhelpful error message.

all fixed now.