SC Media’s article “Vulnerability in mIRC enables hackers to execute remote code” discusses a recently discovered flaw in an internet relay chat client that could enable hackers to run code to download further malware. The flaw exists in mIRC, an application used to connect to IRC servers so that users can chat with one another.
The vulnerability, found by Benjamin Chetioui and Baptiste Devigne from ProofOfCalc, allows hackers to inject commands into mIRC’s custom URI schemes and affects mIRC versions older than 7.55. They found that, for the exploit to work, a hacker sends a victim a link to a web page containing an iframe that opens the custom irc: URL. Once opened, the iframe launches the mIRC application using a remote configuration file and executes the remote script’s commands.
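For teams that inspect web or mail content, the delivery step described above (a page whose iframe points at an irc: URL) can be flagged statically. This is an added example, not code from the article or the researchers; the sample HTML and the irc.example.invalid host are constructed, and the scanner checks only the iframe and irc: pattern named here.

```python
import re
from html.parser import HTMLParser

WATCHED_SCHEMES = {"irc"}  # scheme named on the page; extend as needed
# Browsers strip leading/trailing control characters and spaces, and drop
# tab/newline characters anywhere in a URL, before reading the scheme.
_EDGE = "".join(chr(c) for c in range(0x21))
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

def url_scheme(value):
    """Return the lower-cased scheme of a URL attribute, or None if relative."""
    cleaned = re.sub(r"[\t\r\n]", "", value.strip(_EDGE))
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None

class FrameSchemeScanner(HTMLParser):
    """Collect (line, src) for iframes whose src uses a watched scheme."""
    def __init__(self, schemes=WATCHED_SCHEMES):
        super().__init__(convert_charrefs=True)
        self.schemes = set(schemes)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag/attribute names and decodes entities
        # in attribute values, so "&#105;rc:" arrives here as "irc:".
        if tag != "iframe":
            return
        for name, value in attrs:
            if name == "src" and value and url_scheme(value) in self.schemes:
                self.findings.append((self.getpos()[0], value))

def scan_html(html):
    """Return a list of (line number, src value) findings for one document."""
    scanner = FrameSchemeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; irc.example.invalid is a placeholder host.
SAMPLE = """<html><body>
<iframe src="https://example.invalid/widget"></iframe>
<IFRAME SRC=" IRC://irc.example.invalid/"></IFRAME>
<iframe src="&#105;rc://irc.example.invalid/"></iframe>
<iframe src="/relative/irc:page"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src in scan_html(SAMPLE):
        print(f"line {line}: iframe opens custom-scheme URL {src!r}")
```

The scanner normalizes case, leading whitespace and entity-encoded scheme characters, so simple obfuscation of the `src` attribute does not hide the irc: scheme.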
SureCloud’s Cybersecurity Practice Director, Luke Potter, responds to the article and advises on whether you should continue to use mIRC and how organizations can best protect themselves against these types of attacks:
If you are using mIRC, then upgrade to v7.55 ASAP. A patch for this RCE was released on 8th February 2019 (https://www.mirc.com/whatsnew.txt).
There is limited mitigation available; the absolute best approach is to patch immediately.
Patch immediately and review the use of mIRC in your organization. It’s not an application we commonly see being used in a corporate context and environment.