AOL Instant Messenger Remote Hole

The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. "So easy to hack, no wonder it's number one!" Details can be found at the w00w00 site."

How to protect yourself

[Mwongozi]

For those who didn't bother to read the article:

We recommend Robbie Saunder's AIM Filter (http://www.ssnbc.com/wiz) to protect yourselves. A temporary solution is to go into your Preferences and in the Privacy section click "Allow Only Users on My Buddy List" under "Who can contact me."

not any machine

[hyperstation]

...only windows machines. get your facts straight.

This does not affect the
non-Windows versions, because the non-Windows versions currently do
not yet support the feature that this vulnerability occurs in.

Abstract Error

[strider(+corinth+)]

The abstract for the article is in error: it reads, "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol... This flaw can enable remote users to execute code on any machine logged into the AOL IM service.". The flaw isn't in the protocol itself but in the client, and therefore doesn't actually affect "any machine logged into the AOL IM service". It sounds like AOL is going to prevent the sending of exploit packets at the server level to avoid requesting all of their Windows users to upgrade, but those of us using Linux or another OS should be fine regardless.

Bug in the implementation, not the protocol

[noc]

The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol.

The problem is in the implementation, not in the protocol. If it were in the protocol, that would make all clients at risk. As it is, only the official Windows client is vulnerable, because it implements game requests without checking for buffer overflow. I really don't understand why people still write code this way -- buffer overflows are so easy to prevent.

Somewhat (but only somewhat) offtopic: why on earth doesn't ./ at leas browse through the links they post? It's not like they don't have the manpower. If they'd even looked at the article, they'd have caught this...

Trillian

[svwolfpack]

I've recently started using trillian (www.trillian.cc) for all my IMing needs... (yes, it does connect to the AIM server, among others such as MSN messenger, yahoo, and ICQ) I'm assuming it probably doesn't have this flaw, which is obviously a nice feature. And as far as I know, it's the only really solid alternative to a) having a billion separate IM programs b) using hated AOL software.

Re:Trillian

[Daniel]

Well, there's always Everybuddy, which I used for a while. I never used the non-AIM services much though, so these days I've reverted to Gaim. It has support for ICQ and other protocols (MSN, Jabber, IRC, Zephyr, ..?), but I've never tried it myself.

Daniel

Re:Trillian

[Quarters]

Jabber is great except for four very pesky problems:

1) You have to connect to a Jabber server
2) You have to find a Jabber server that is running all of the message protocols you want/need
3) Most servers are run by regular people, and they're not always on when you want/need them.
4) Your buddy list is stored server side, so you can not easily move to another server. If your sever goes down you'll have to recreate your entire buddly list on a new server if you want access.

Trillian, on the other hand, connects to the chat providers native servers and uses XML as a translation mechanism on the client side. The chances of Yahoo's chat server, AOL's chat server, ICQ's servers, or MSN's chat servers going down is very very slim. I used to use Jabber but gave up in frustration when the server I used disappeared for over a week.

Gaim and TOC

[Saint+Nobody]

well, here's yet another reason to be using TOC (as opposed to Oscar, the newer of the two AIM protocols.) TOC is/was an open protocol, and i've had very little problem with it. admittedly, it doesn't have all the "features" that Oscar has, but if all you want is chat, and you don't care a whole lot about file transfers, et al. TOC is more than sufficient. plus, unlike Oscar, AOL doesn't seem to arbitrarily change the protocol. And it seems to be more stable, server-side. I've had countless instances of hearing the dispaired cries of "AIM is down" from throughout my dorm without having a problem. TOC goes down occasionally, but not nearly as much, from my experience.

as for clients, i recommend Gaim for Linux. You can select the TOC protocol in the Account Editor window.

<asbestos>yes, i know there's a million things that Oscar can do that TOC can't. but I don't care. TOC just works better from my experience, especially when clients have to release new versions to work around AOL changing the Oscar protocol slightly in order to screw over MS.</asbestos>

Re:Info on AIM protocol

[ichimunki]

Well, you can research the protocol all you want, but it is the client application that is the problem here. Now maybe the protocol makes security an issue when used correctly, but still it is up to the client developer to introduce the feature in a non-safe way.