Securia reports highly critical vulnerabilities in Trillian the popular instant messaging client.
Description:
Some vulnerabilities have been reported in Trillian, which can be exploited by malicious people to compromise a user’s system.
1) A boundary error within the header parsing code for the MSN protocol can be exploited to cause a stack-based buffer overflow via a specially crafted X-MMS-IM-FORMAT header with an overly long attribute.
Successful exploitation allows execution of arbitrary code.
2) An error within the XML parsing in talk.dll can be exploited to cause a memory corruption via certain malformed attributes within an ‘IMG’ tag.
Successful exploitation allows execution of arbitrary code.
3) A boundary error when parsing messages (e.g. via the AIM network) with overly long attribute values within the FONT tag can be exploited to cause a stack-based buffer overflow.
Successful exploitation allows execution of arbitrary code but requires that the user is tricked into opening a malicious image file.
Solution:
Update to version 3.1.10.0.
http://www.ceruleanstudios.com/downloads/
Your Trillian client may not inform you of the updates. I used the drop down menu, “Check for updates” and was informed no updates were available.
After downloading and starting the installation of the latest version, I saw the Weather Channel and ASK toolbar were offered as pre-checked options to install with Trillian.
Inside those tiny EULA boxes was a full page of disclosures for each program, if you copy/paste the text into an editor you can read the EULA rather than squinting at a scroll box. Know what you are agreeing to if leaving the box checked to install.
Weather Channel:
“1. PURPOSE. The software you are installing (the “Software”) is provided by The Weather Channel Interactive, Inc. (”TWCi”) and provides you with a quick view of the current weather in a city you select, and provides other weather-related information and data on your desktop (the “Services”). This Agreement contains terms and conditions that apply to both the subscription version of the Software (”Desktop Max Software”) and Services (”Desktop Max Services”) and the advertisement-supported version of the Software (”Desktop Software”) and Services (”Desktop Services”).
14. DESKTOP MAX SERVICES. You agree that if you license Desktop Max Services, the following additional terms will apply:
A. You agree to pay TWCi the monthly or annual service charge for your use Desktop Max Services using a valid credit or debit card, plus any applicable taxes, in accordance with the billing terms and prices in effect at the time the fee or charge becomes payable. You authorize TWCi to automatically bill the charge card you provide each month or year (as applicable), or withdraw funds via electronic transfer from your checking account (depending on what type of charge card you are using), until you cancel Desktop Max Services. Payments are billed in advance at the beginning of the applicable month or year. You agree to provide TWCi with a valid credit or debit card and accurate, complete and updated information required by the subscription registration form. Failure to comply may result in the immediate termination of Desktop Max Services.
B. You agree to notify TWCi about any billing problems or discrepancies within 90 days after they first appear on your account statement. If you do not bring them to TWCi’s attention within 90 days, you agree that you waive your right to dispute such problems or discrepancies.”
ASK Toolbar:
“END USER LICENSE AGREEMENT/PRIVACY POLICY/TERMS OF SERVICES
IMPORTANT — PLEASE READ CAREFULLY - SHORT PLAIN ENGLISH SUMMARY OF END USER LICENSE
This is a legal contract between you and IAC Search & Media, Inc. You must agree to this contract and abide by its terms in order to download and use the toolbar. You must be 18 years of age in order to agree to this contract and download this product. IF YOU ARE NOT YET 18, PLEASE ASK YOUR PARENT OR GUARDIAN TO DOWNLOAD THE TOOLBAR FOR YOU.
UPON INSTALLATION OF THE TOOLBAR, THE FOLLOWING FEATURES WILL BE ADDED TO YOUR BROWSER:
SEARCH BOX is a toolbar to your Internet browser. The browser toolbar is customizable and will provide you access to Ask.com search results..
SEARCH ASSISTANT: This provides relevant links and results when your search request or browser address request is misspelled or incorrectly formatted.
In addition, an Easy Installer will be downloaded to install this software. It does not install any other software and is automatically deleted the first time you turn off your computer after installation of the above-described products.
THIS PRODUCT AND ALL THE FEATURES LISTED ABOVE ARE FREE.
NO REGISTRATION OR PERSONAL INFORMATION IS REQUIRED.”
Please read each EULA completely and if installing do so as an informed user. 
