
SoylentNews is people

posted by martyb on Friday February 22 2019, @10:11AM
from the besmirched dept.

Submitted via IRC for SoyCow1984

Flaw in mIRC App Allows Attackers to Execute Commands Remotely

A vulnerability was discovered in the mIRC application that could allow attackers to execute commands, such as the downloading and installation of malware, on a vulnerable computer.

mIRC is a popular Internet Relay Chat, or IRC, application that allows users to connect to IRC servers in order to chat with other users. These chat servers are used to talk about a variety of topics and allow users to send images, links, and files to other users on the same server.

[...] A new vulnerability has been discovered by security researchers Benjamin Chetioui and Baptiste Devigne of ProofOfCalc that allows attackers to inject commands into these custom URI schemes when created by mIRC versions older than 7.55.

"mIRC has been shown to be vulnerable to argument injection through its associated URI protocol handlers that improperly escape their parameters," the researchers explain in their writeup. "Using available command-line parameters, an attacker is able to load a remote configuration file and to automatically run arbitrary code."

[...] This vulnerability can be exploited simply by having a user open a web page; it can be distributed via phishing, forum posts, or through any other location that allows user-submitted content.

This vulnerability was fixed in mIRC 7.55, which was released on February 8th, 2019. As the researchers have posted a proof-of-concept exploit and as the vulnerability is trivial to exploit, users running older versions of mIRC are strongly advised to upgrade to the latest 7.55 version.

Here are the home and download pages for mIRC.
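
How a quoted `%1` slot in a protocol-handler command line can still pick up extra arguments, and two ways a handler closes that gap. This is an added example, not code from the article, the researchers or mIRC; the program path, option name, host names and the simplified tokenizer are assumptions.

```python
# Added example (not mIRC's code): how a URI-handler command template turns a
# URI into program arguments. The tokenizer is simplified (assumption):
# whitespace separates arguments and double quotes group them.

def split_args(cmdline):
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def option_like_args(template, uri):
    """Arguments after argv[0] that a program could read as options.
    Stops at a bare "--" (assumes the program treats the rest as positional)."""
    found = []
    for arg in split_args(template.replace("%1", uri))[1:]:
        if arg == "--":
            break
        if arg.startswith("-"):
            found.append(arg)
    return found

def encode_uri(uri):
    """Percent-encode the characters that let a URI leave its quoted slot."""
    return uri.replace('"', "%22").replace(" ", "%20")

# Constructed sample data: hypothetical program path, option and host names.
QUOTED_ONLY = '"C:\\Apps\\chat.exe" "%1"'
WITH_DELIMITER = '"C:\\Apps\\chat.exe" -- "%1"'
BENIGN = "irc://chat.example.test/lobby"
CRAFTED = 'irc://chat.example.test/lobby" -hypothetical-option "value'

if __name__ == "__main__":
    for name, tpl, uri in [
        ("quoted only, benign", QUOTED_ONLY, BENIGN),
        ("quoted only, crafted", QUOTED_ONLY, CRAFTED),
        ("quoted only, crafted + encoded", QUOTED_ONLY, encode_uri(CRAFTED)),
        ("with delimiter, crafted", WITH_DELIMITER, CRAFTED),
    ]:
        print(f"{name}: {option_like_args(tpl, uri)}")
```

Quoting the slot alone does not help once the URI itself carries a double quote; encoding the URI before substitution or ending option parsing before the slot both keep the URI a single positional argument.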


  • (Score: 2) by Revek on Friday February 22 2019, @02:08PM (1 child)


    You could change your name to com1 or any other device name and mirc would disable that device. I can't recall if this applied to other irc clients; I just remember mirc users having to reboot to dial back up.

    --
    This page was generated by a Swarm of Roaming Elephants
  • (Score: 2) by TheRaven on Saturday February 23 2019, @10:13AM

    I haven't used mIRC for over a decade, but I remember being bitten by remotely exploitable vulnerabilities in it back then. Good to see that the developers are keeping old traditions alive.
    --
    sudo mod me up