SC Media’s article, “Vulnerability in mIRC enables hackers to execute remote code,” discusses a recently discovered flaw in an internet relay chat client that could enable hackers to run code to download further malware. The flaw exists in mIRC, an application used to connect to IRC servers so that users can chat with one another.
The vulnerability, found by Benjamin Chetioui and Baptiste Devigne from ProofOfCalc, allows hackers to inject commands into the custom URI schemes that mIRC handles, such as irc:, and affects mIRC versions older than 7.55. For the exploit to work, a hacker sends a victim a link to a web page containing an iframe that opens the custom irc: URL. Once the page is opened, the iframe launches the mIRC application using the remote configuration file, and mIRC executes the remote script’s commands.
SureCloud’s Cybersecurity Practice Director, Luke Potter, responds to the article and advises on whether you should continue to use mIRC, and how organizations can best protect themselves against these types of attacks:
Should anyone use mIRC after this?
If you are using mIRC, then upgrade to v7.55 ASAP. A patch for this RCE was released on 8th February 2019 (https://www.mirc.com/whatsnew.txt).
What mitigations should be put in place?
There is limited mitigation available; the absolute best approach is to patch immediately.
What can organizations do to prevent/mitigate attacks?
Patch immediately and review the use of mIRC in your organization. It’s not an application we commonly see being used in a corporate context and environment.
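The delivery step described above (a web page whose iframe opens an irc: URL) can be flagged in fetched HTML, for example at a web proxy or in a mail-link sandbox. The following is an added example, not code from SC Media, SureCloud or ProofOfCalc; the function names, the inclusion of `ircs` and `frame`, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# "irc" is the scheme named in the article; "ircs" is an assumption added here.
WATCHED_SCHEMES = {"irc", "ircs"}
# Elements whose URL loads without a click. iframe is from the article; frame is added.
AUTOLOAD_ATTRS = {"iframe": "src", "frame": "src"}
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def url_scheme(url):
    """Return the lowercase scheme as a browser's URL parser would see it, else None."""
    # Browsers remove ASCII tab/newline anywhere and strip leading controls/spaces.
    cleaned = "".join(ch for ch in url if ch not in "\t\n\r").lstrip(C0_AND_SPACE)
    head, sep, _ = cleaned.partition(":")
    ok = (sep and head.isascii() and head[:1].isalpha()
          and all(ch.isalnum() or ch in "+-." for ch in head))
    return head.lower() if ok else None

class FrameSchemeScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, tag, scheme) tuples

    def handle_starttag(self, tag, attrs):
        wanted = AUTOLOAD_ATTRS.get(tag)  # tag and attribute names arrive lowercased
        for name, value in attrs:
            # Attribute values arrive with character references already decoded.
            if wanted and name == wanted and value:
                scheme = url_scheme(value)
                if scheme in WATCHED_SCHEMES:
                    self.findings.append((self.getpos()[0], tag, scheme))

def scan_html(html):
    scanner = FrameSchemeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: a normal frame, two irc: frames (one obfuscated with
# character references and mixed case), and a plain link that needs a click.
SAMPLE_PAGE = """<html><body>
<iframe src="https://example.com/widget"></iframe>
<iframe src="irc://chat.example.invalid/"></iframe>
<IFRAME SRC=" &#73;RC&#58;//chat.example.invalid/"></IFRAME>
<a href="irc://chat.example.invalid/">join</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, scheme in scan_html(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> auto-loads a {scheme}: URL")
```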