Posted By: theAncinetOne mIRC upgrade - 20/02/03 05:54 AM
Knowing that mIRC prior to 6.03 has a number of published exploit advisories, would you consider telling all your chatters to upgrade? Would you go further and block access to 5x if, after some time, they refused to upgrade?

a) Yes
b) No
c) they don't read messages any way
d) who cares
e) no 6.03 breaks my script
f) what's mirc? what's an exploit?

My answer: we are and we will
Posted By: starbucks_mafia Re: mIRC upgrade - 20/02/03 12:23 PM
Which exploits would you be referring to exactly? The buffer overflow bug which affected pre-6.x versions of mIRC relies on the IRC server being the culprit, unless you're saying your server is trying to use this exploit then by making people change to another server you are, if anything, increasing the chance of that exploit being used. The $asctime overflow bug affecting 6.0-6.02 is IMO largely exaggerated, it relies on the script using $asctime on text from outside sources without any checking whatsoever. I'd have to go with b and I think everyone would have to say c also.
Posted By: theAncinetOne Re: mIRC upgrade - 20/02/03 08:21 PM
We are asking people to upgrade to 6.03.
And we intend not to let connections with 5.x after a certain date - we are giving everyone sufficient time to update.

The 5x exploit is only too easy to implement, and taking into account people's tendency to click on URLs it doesn't take a genius to say click on this URL to see my picture or something similar and do it under irc://this.irc.org/joedoe.jpg. Most chatters are not aware of this, so we are just letting them know.

Also it seems that most Trojans out there, which are based on mIRC user 5.7 or earlier.

I agree the $asctime is much harder to get invoked by "accident".
Posted By: starbucks_mafia Re: mIRC upgrade - 20/02/03 10:56 PM
Letting them know is one thing, banning certain IRC clients/versions is another. Are you banning any other clients because of exploits? If you're trying to prevent potentially exploited users from joining your network then surely you should ban every version of mIRC and indeed every Windows user. After all, Internet Explorer is built into Windows which mIRC runs on, and IE is just a great big exploit bonanza. The point I'm getting at is that everyone can potentially be infected, no system is totally safe, if you want to educate users on the exploits in clients like previous mIRC versions then that's great, but if you want to ban every user who's at risk of getting a virus or trojan then you're gonna be on a very lonely network. In fact you won't be on it, because you're at risk too.
Posted By: codemastr Re: mIRC upgrade - 20/02/03 11:21 PM
So should websites block all users not running the newest version of IE or Netscape because older versions have exploits? If you did that, you'd be alienating at least 50% of your potential users....
Posted By: theAncinetOne Re: mIRC upgrade - 21/02/03 12:19 AM
In the case of IE and Windows people get regular notifications of fixes, service packs etc. If mIRC had a similar inbuilt function I would not bother informing the chatters, as mIRC would do it.

Perhaps this is an idea for future releases - mIRC Updater, which could fetch new versions of mIRC, server.ini and other components that mIRC may have in the future.

There are no ultimate solutions for anything these days.
Posted By: rogue Re: mIRC upgrade - 21/02/03 01:39 AM
b) No.

Personally, I couldn't be less interested in policing someone's hard drive and their choice in software. If a user gets infected and then becomes a disruption to the network I would take issue with the individual.

Same goes with the web server analogy... if I'm running a web site that is available to the public at large, I'm not about to block connections unless they're spewing junk at me.

But that's just me... your network your choice. :)
Posted By: Watchdog Re: mIRC upgrade - 21/02/03 02:14 AM
Letting them know is one thing, banning certain IRC clients/versions is another. Are you banning any other clients because of exploits?

Good question, though mIRC is by far the most popular chat programme in this part of the IRC world. When you look at it, this is probably a good thing. When I say most popular, I mean like 99.9% of non-webchat usage.
Posted By: Watchdog Re: mIRC upgrade - 21/02/03 02:16 AM
Personally, I couldn't be less interested in policing someone's hard drive and their choice in software. If a user gets infected and then becomes a disruption to the network I would take issue with the individual.

Tell that to the next 10,000 exploited users that unwillingly flood a server they don't own.
Posted By: ParaBrat Re: mIRC upgrade - 21/02/03 05:23 AM
Also it seems that most Trojans out there, which are based on mIRC user 5.7 or earlier

You can hardly fault mIRC because someone took v5.7 and added it as a payload in a trojan. Ppl get trojans not by downloading v5.7 or any other version from an official mIRC site, they get them by opening every attachment sent to them by email, by downloading from strangers, by clicking on every url they see, by using backdoored scripts. Warnings about these things are largely ignored, as are telling ppl to keep windows and their virus scanners updated.

There are ppl who for various reasons want to use an older version of mIRC, and in some cases HAVE to. If they couldn't get those versions from an approved site, they would go hunting for them and who knows what they would end up with. I have one puter that just refuses to play nice consistently with any version after 5.41 and since that puter is a 16bit machine, using v6.x wouldn't be possible.

Fact is, there are many reputable software programs out there with security issues, and more found every day. There are ppl who will exploit those, there are ppl who won't bother to install patches or upgrade even when they know they should.
Posted By: theAncinetOne Re: mIRC upgrade - 21/02/03 10:09 AM
I am not blaming mIRC. It is a very good IRC client and it is used by close to 99% of chatters on most networks. It is regrettable that it is targeted by virus writers.

However, if I can convince 1000 people a night to upgrade, that is 1000 people that cannot be exploited using currently published advisories. It is also 1000 chatters that will get 410 improvements/bug fixes (since 5.91).

Is that a bad thing to do?

16-bit mIRC is an interesting issue. So far, I have noticed one chatter in many thousands using it, or at least one whose CTCP VERSION I can see. I will talk to this person and see if he/she uses 16-bit because he/she has to or perhaps because he/she installed it by mistake a long time ago.

<OT>My abacus does not connect to the Internet, I blame Bill Gates for that!</OT>

Posted By: Watchdog Re: mIRC upgrade - 21/02/03 10:40 AM
There are ppl who for various reasons want to use an older version of mIRC, and in some cases HAVE to.

There is no valid reason as to why someone needs to hang on to an old version. "My script doesn't work in the new version" is hardly a valid reason is it?

As I pointed out on my website today, even Khaled recommends that mIRC users upgrade to his new version:

We really recommend you to download and try mIRC v6.03!

That message has come up for every version since V5.4 at least.
Posted By: Hammer Re: mIRC upgrade - 21/02/03 11:50 AM
There is no valid reason as to why someone needs to hang on to an old version.

I have a VERY dear friend who used a 16-bit version of mIRC until relatively recently. She didn't have the means at the time to purchase an upgraded computer that would run Windows95 and was stuck using what she had: Windows 3.1 on a 486. Not everyone has the means to upgrade and must make do with what they have. Please don't make such broad, unilateral statements when making your valid points. I quite agree with the sentiment, but the way it was stated, "no valid," is clearly too broad.

(By the way: my friend is now an uber-geekette-in-training and knows more about some areas of computing/mIRC than I do!!)
Posted By: Watchdog Re: mIRC upgrade - 21/02/03 12:04 PM
A 486 will run Win95 quite happily though, albeit perhaps slightly slower.
Posted By: Hammer Re: mIRC upgrade - 21/02/03 12:09 PM
Perhaps if you paid for her Win95! :) and no "perhaps" to it...very slowly. I remember doing it as late as 1998.
Posted By: Watchdog Re: mIRC upgrade - 21/02/03 12:30 PM
I know how you feel, I had Win 95 till 1999, then Win 98 for two years then 2000 and XP, both of which I use today. Each time I thought the machine I was using was a speed-daemon, but it is only because it was what I was used to at the time. If I compared that to the latest and greatest P120 available at the time I got my first Windows based computer (All AU$5000 of it) the 486-66 I had was an attractive option.

Anyway, please understand that my viewpoint isn't intended to be an attack on those that are unable to, for whatever reason, obtain a better system. Even I don't have the best one available and most likely never will unless I win Lotto, which is as likely as me getting mowed down by a road train whilst walking through Hyde Park.

This thread is explicitly about old versions of mIRC. No-one is blaming anyone for anything and no-one is seeking to get personal about it.

As stated in an earlier post though, there is no ultimate solution for anything these days. Maybe that applies to all of time. There is only the best possible solution which means as many people being as security conscious as they can be.
Posted By: ParaBrat Re: mIRC upgrade - 21/02/03 08:04 PM
General reply:

Of course we recommend anyone upgrade to the current version, just as we recommend other ways to keep users safe from themselves and others. I wish we could convince 1000 users a nite to practice safe puter in many ways i hardly need list. I merely wanted to point out that some may have no choice re mIRC upgrading and that there are a lot more dangers out there than an old version of mIRC that users need to be made aware of. (and if only they would care about them) Removing all access to old mIRC versions wouldn't be a solution or even possible... better those who feel they have to use an old version have access to a source we know is clean. Believe me, i would be the last person to imply ppl shouldn't be security conscious about anything, mIRC included.

There are ppl who have d/l 16 bit in error, but trust me, there are some (not many, but some) who have no choice in the matter. Watchdog, i didn't construe your remarks as personal in any way, but "valid" is really user dependent, imo. In my case win95 was NOT an option for more than one reason. I won't get into those other than to say it had nothing to do with what i "was used to". Poor old puter couldn't even cope with mIRC and IE at the same time. And on a personal note, i will add that if it weren't for a group of amazing, wondermous, very special angels i still wouldn't have any choice. Which is no doubt why one of my first thoughts on reading this thread hopped to 16bit users.

As for scripts not working as a reason... well, i have some Hammer scripties that i wouldn't give up for anything. Luckily on the rare occasions when they have needed tweaking for a new version, he's way ahead of me and has them fixed before i know they need it.
Posted By: codemastr Re: mIRC upgrade - 21/02/03 09:29 PM
So what about this situation. Remember the $eval() bug that caused a nice crash? Well that obviously could be remotely exploitable by one of those "type // $+ $decode(.....) to stop spam" messages people think are great. If I recall, the fix for this bug didn't come out the same day it was discovered. It came out I believe about a month later. So if you wanted to be 100% safe from this issue, the only solution was to downgrade to a version of mIRC before $eval() was added. So there is a very valid reason to run an older version. Granted $eval() was not a very serious bug, but something worse could come out, and perhaps it will be a bug that is hard to fix and it takes several weeks for Khaled to even find the cause. Running an older version could possibly be the only line of defense until a fix is released.
Posted By: theAncinetOne Re: mIRC upgrade - 21/02/03 10:27 PM
Since we run CR (ConferenceRoom) we are able to stop $decode at server level as a filtered word.

Please note we are not doing this a day after release of 6x but a year later. And in case of 6.03 6 months later, which is probably longest a version of mIRC has run without an upgrade. I read this as a stability indicator.
Posted By: theAncinetOne Re: mIRC upgrade - 21/02/03 10:45 PM
/brainsession {
  if {a person runs 32-bit mIRC 5.x} {
    the person is exposed to published exploits
    the person can run 32-bit mIRC 6.x
    tell the person to upgrade
  }
  else {
    the person runs 16-bit mIRC
    the person is safe from 32-bit viruses and exploits
    leave the poor soul alone, don't overload his 386 by PRIVMSG
  }
}
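
The policy sketched in the post above, applied to CTCP VERSION replies, as an added example that is not part of the original thread or of any mIRC or server code. The reply formats, nicknames and verdict labels are assumptions constructed for illustration, and the 6.0-6.02 tier follows the thread's mention of the $asctime bug rather than the pseudocode itself.

```python
import re

# Assumed reply shapes (constructed samples, not captured traffic):
#   "mIRC32 v5.91 ...", "mIRC16 v5.91 ...", "mIRC v6.03 ..."
VERSION_RE = re.compile(r"^mIRC(16|32)?\s+v(\d+)\.(\d+)", re.IGNORECASE)

def ctcp_version_payload(raw):
    """Return the text of a CTCP VERSION reply carried in a NOTICE, else None."""
    head, sep, trailing = raw.rstrip("\r\n").partition(" :")
    if not sep or " NOTICE " not in head:
        return None
    if not (trailing.startswith("\x01VERSION ") and trailing.endswith("\x01")):
        return None
    return trailing[len("\x01VERSION "):-1].strip()

def classify(raw):
    """Map one raw IRC line to a policy verdict (hypothetical labels)."""
    text = ctcp_version_payload(raw)
    m = VERSION_RE.match(text) if text else None
    if not m:
        return "unknown"            # not mIRC, not a reply, or unparseable
    bits, major = m.group(1), int(m.group(2))
    minor = int(m.group(3).ljust(2, "0"))   # "6.1" means 6.10, "6.03" means 6.03
    if bits == "16":
        return "leave-alone"        # 16-bit build: cannot move to 6.x
    if major < 6:
        return "upgrade-required"   # 32-bit 5.x and earlier
    if (major, minor) < (6, 3):
        return "upgrade-advised"    # 6.0-6.02
    return "ok"

def audit(lines):
    """Nick -> verdict for a batch of raw lines."""
    return {line[1:].split("!", 1)[0]: classify(line) for line in lines}

# Constructed sample input.
SAMPLES = [
    ":joe!j@host.example NOTICE opbot :\x01VERSION mIRC32 v5.91 K.Mardam-Bey\x01",
    ":ann!a@host.example NOTICE opbot :\x01VERSION mIRC16 v5.91 K.Mardam-Bey\x01",
    ":bob!b@host.example NOTICE opbot :\x01VERSION mIRC v6.02 Khaled Mardam-Bey\x01",
    ":cat!c@host.example NOTICE opbot :\x01VERSION mIRC v6.03 Khaled Mardam-Bey\x01",
    ":dan!d@host.example NOTICE opbot :\x01VERSION some other client 1.0\x01",
    ":eve!e@host.example PRIVMSG opbot :mIRC v6.03",
]

if __name__ == "__main__":
    for nick, verdict in audit(SAMPLES).items():
        print(f"{nick:5} {verdict}")
```

A CTCP VERSION reply is whatever the client chooses to send, and a client may not answer at all, so these verdicts are suited to deciding whom to notify rather than to proving what a user actually runs.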

Posted By: MonoSex Re: mIRC upgrade - 21/02/03 11:57 PM
Note that some people have problems only with 6.x.
Like the (in)famous "Software caused the connection abort" thing, or problems with DCC.
I know many people still using 5.91, and they're not some lames. They simply don't like 6.x (i have no idea why, though).
Posted By: Watchdog Re: mIRC upgrade - 22/02/03 12:12 AM
Most problems with DCC related to Network Address Translation on routers used by the many who have moved from dialup to ADSL and home networks using router/firewalls. Nothing to do with late versions of mIRC at all.

As for "Software caused connection abort" it is a message that appears when you get disconnected, it is not a source of any problem with mIRC. I have a mIRC robot connected to my channel for weeks at a time (between M$ security updates) and the only time I am affected by "Software caused connection abort" is when there is a legitimate disconnection caused by means other than mIRC itself.

People who constantly get cut off should check other things such as the quality of their phone lines, how healthy Windows is on their machine, the condition of things like network cards, wiring, driver software, disc errors, whether the modem is okay or not, etc.

Naturally if Windows is stuffed EG: not updated with current service packs, disc fragmented to the s***house, etc then of course software you install will not perform at its peak. As a rule I reload all my machines every 6 months. It's not necessary to reload that often but contributes a lot towards stability, reliability, etc.

mIRC has one disadvantage for those ready to point the finger in that it requires a continual connection to do its job, whereas programmes like Internet Explorer and Micro$oft Outlook do not. Therefore it is not always easy to fault-find using software. Nor is it accurate.
© mIRC Discussion Forums