Users of the multi-protocol Trillian instant messaging client may be at risk from a security flaw, according to security research and software development firm LogicLibrary. News of the flaw comes as a new report is released claiming that most enterprises are unprepared to manage Instant Messaging threats.

Pittsburg-based LogicLibrary said it discovered an unpatched buffer overflow condition in Trillian that puts users of the multi-protocol IM client at risk.

"The risk is that an attacker could make their computer run arbitrary code without the user's knowledge and potentially gain control over the system being attacked, putting items such as private documents, sensitive financial information and e-mails at risk," Ralph Massaro, general manager of content products for LogicLibrary, explained to

Though Trillian may potentially be vulnerable, Massaro said he is not certain that the flaw is currently being exploited "in the wild," which can be difficult to measure.

For one, an "exploitation in the wild wouldn't show up in any intrusion detection system; and groups like CERT and SANS monitor network traffic, looking for large variations to help make administrators aware of potential risks," Massaro said. "This doesn't help where the exploit is targeted at a specific user, like this one would probably be."

LogicLibrary claims that it alerted Cerulean Studios, makers of Trillian, to the issue as far back as October of 2003. Cerulean made changes in December of 2004 with its Trillian 3.0 release that addressed some, but not all of the issues. Trillian 3.1 was released in February of 2005, and, according to LogicLibrary, all of the issues that they contacted Cerulean Studios about had still not been addressed. Cerulean Studios did not respond for requests for comment by press time.

In Massaro's opinion, Trillian's lack of response to the issues raised by LogicLibrary is not necessarily "irresponsible" and it's not typical for a vendor to ignore security issues that are raised.

"Like all software developers, they are under tremendous pressure to add features and get products to market as quickly as possible," Massaro said. "Unfortunately, in that environment, security often falls to the bottom of the list. Consumers are beginning to hold vendors responsible for the security of their software, and we believe this shift will lead to higher quality software over time."

Security vendor Surf Patrol this week issued a release noting that most enterprises don't have an IM policy in place and are at risk from IM threats. SurfPatrol's survey of 7,593 customers found that 49 percent of respondents did not have an IM and P2P usage policy in place. However the survey did find that more than 90 percent did have some form of Internet access policy.

Left ungoverned, instant messaging applications are an easy vehicle for accidental or malicious disclosure of sensitive corporate data, including company financials, personnel records and customer data, said Jim Murphy, director of product marketing for SurfControl.

"IT managers need to work with HR professionals to ensure that all employees are governed by enforceable rules, so they can minimize risk to the organization and assure network resources are properly used."

SurfControl's findings are echoed by earlier research, including a 2004 report from research firm Radicati group. That report found that 76 percent of organizations have not deployed a formal IM solution.

A formal IM solution is a key part of the solution, SurfControl added.

"A licensed enterprise solution can absolutely be a key part of dealing with the issue of IM. In addition, organizations need to consider what type of solution they will put in place in order to ensure that their IM acceptable use policy is adhered to," Murphy told