A developer is warning Adium users to pick a different messaging app because of an exploitable vulnerability in its underlying libpurple version.

Developed by Pidgin, libpurple is an instant messaging library, and was patched earlier this month.

According to “Erythronium23” in this post to Full Disclosure, Adium is still using the unpatched version.

If an attacker sends invalid XML entities containing white spaces, they can crash the purple_markup_unescape_entity process and get remote code execution.

The attack string has to be sent from a malicious server, which mitigates the risk somewhat.

Erythronium's complaint is threefold:

Adium's developers are ignoring the bug report There's no documentation about how to upgrade the library The libpurple shipping with the application is “a binary blob of unknown provenance”

Adium is a Mac OS messenger, and supports connection to AIM, Google Talk, Yahoo Messenger, Jabber, ICQ and IRC.

The company has contacted The Register to say it's "getting the facts ironed out before giving an official response", and is "working on releasing an update directly." ®