Posted by ryuzaki0 from the oops-they-did-it-again dept.
thedude13 writes " Infoworld is running a story about a major security hole in AOL ® Instant Messenger(TM) and how it handles away messages. AIM is vulnerable to a buffer overflow via the auto-response away message mechanism. Yet another reason to switch to, IMHO, a better client such as gaim."
Major erratum in article
by Eponymous+Cowboy · Score: 5, Informative
Unfortunately, the article this story links to has a rather large mistake. It states:
However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.
This is completely and totally wrong.
Any web page can launch URLs of the form aim:goaway?message=Anything+goes+here by many different means without user intervention:
Redirect response codes
Meta redirect tags
Frames
iframes
Javascript popups
Any one of those methods will change your away message automatically, without any confirmation on your part. And if the part in the message= section is more than 1024 characters, arbitrary code can be executed on your machine.
The only sure way to protect yourself against this is to remove the HKEY_CLASSES_ROOT\aim registry key, which will disable the AIM protocol altogether, as explained here.
-- It's hard for thee to kick against the pricks.
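The delivery methods and the 1024-character limit in the post above are enough to build a content check for them. The following is an added example written for this thread, not code from Slashdot, AOL or the linked article: it scans an HTTP response for aim: URLs carried by the no-click vectors the post lists (redirect headers, meta refresh, frames and iframes, script-driven popups) plus an ordinary link for contrast, parses each URL and flags any whose decoded message= value exceeds the limit. The sample response is constructed here; the regular expressions are deliberately simple and would not survive obfuscated markup.

```javascript
// Added example for this thread (not code from Slashdot, AOL or the linked
// article): scan web content for aim: URLs delivered through the no-click
// vectors listed in the post and flag any whose message= value is longer
// than the 1024-character limit the post gives. The URL form and the
// threshold come from the post; the sample response below is constructed.

const MAX_AWAY_MESSAGE = 1024; // limit quoted in the post

// Decode a query component the way a handler would: '+' -> space, %XX -> byte.
function decodeQuery(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (_) {
    return s; // malformed %XX sequence: keep it raw, it still counts toward length
  }
}

// Parse "aim:<action>?<query>" into { action, params }; null if not an aim: URL.
function parseAimUrl(url) {
  const m = /^\s*aim:([^?#]*)(?:\?([^#]*))?/i.exec(url);
  if (!m) return null;
  const params = Object.create(null);
  for (const pair of (m[2] || '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? '' : pair.slice(eq + 1);
    params[decodeQuery(key)] = decodeQuery(value);
  }
  return { action: m[1].toLowerCase(), params };
}

// Where a URL can appear in a response. The first four fire without a click
// (the post's redirect codes, meta redirects, frames/iframes, script popups);
// a plain link is included for contrast because it needs the user to click.
const VECTORS = [
  { vector: 'Location header', automatic: true,
    re: /^Location:[ \t]*(\S+)/gim },
  { vector: 'meta refresh', automatic: true,
    re: /<meta\b[^>]*\burl\s*=\s*["']?([^"'\s>]+)/gi },
  { vector: 'frame/iframe src', automatic: true,
    re: /<i?frame\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi },
  { vector: 'script window.open/location', automatic: true,
    re: /(?:window\.open\s*\(|location(?:\.href)?\s*=)\s*["']([^"']+)["']/gi },
  { vector: 'anchor href (needs a click)', automatic: false,
    re: /<a\b[^>]*\bhref\s*=\s*["']?([^"'\s>]+)/gi },
];

// Return one finding per aim: URL found, with its delivery vector and whether
// the decoded message exceeds the limit.
function findAimUrls(content) {
  const findings = [];
  for (const { vector, automatic, re } of VECTORS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(content)) !== null) {
      const parsed = parseAimUrl(m[1]);
      if (!parsed) continue;
      const message = parsed.params.message || '';
      findings.push({
        vector,
        automatic,
        action: parsed.action,
        messageLength: message.length,
        oversized: parsed.action === 'goaway' && message.length > MAX_AWAY_MESSAGE,
      });
    }
  }
  return findings;
}

// Constructed sample: one HTTP response that uses every vector above.
const OVERSIZED_URL = 'aim:goaway?message=' + 'A'.repeat(MAX_AWAY_MESSAGE + 1);
const SAMPLE_RESPONSE = [
  'HTTP/1.1 302 Found',
  'Location: aim:goaway?message=gone+fishing',
  'Content-Type: text/html',
  '',
  '<html><head>',
  '<meta http-equiv="refresh" content="0;url=aim:goaway?message=brb">',
  '</head><body>',
  '<iframe src="' + OVERSIZED_URL + '" width="0" height="0"></iframe>',
  '<script>window.open("aim:goaway?message=popup");</script>',
  '<a href="aim:goaway?message=click+me">set your away message</a>',
  '</body></html>',
].join('\r\n');

for (const f of findAimUrls(SAMPLE_RESPONSE)) {
  console.log(`${f.oversized ? 'OVERSIZED' : 'ok       '} ${f.messageLength}` +
              ` chars via ${f.vector}${f.automatic ? '' : ' [manual]'}`);
}
```

Run under Node and only the hidden iframe is reported as oversized; the other four hits are short messages, but four of the five arrive through vectors that need no click, which is the point the post makes against the article. The length is measured after decoding, since a percent-encoded message looks three times longer on the wire than what the handler actually copies.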
Re:Major erratum in article
by Anonymous Coward · Score: 1, Informative
And, ahem, how do you get to that launch page in the first place? magic?
No, not magic. The same way people get most spyware these days: Google.
Do pretty much any search on Google these days, and a good 50% of the results on the first page will install spyware on your PC if you're using an unpatched version of Internet Explorer. There was an article about this just the other day on Slashdot. It's impossible to know which search result links from Google install spyware and which don't.
So, now even someone with all the latest IE patches, or someone who is using Firefox and thinks they are safe, needs to worry if they have AIM installed on their system.
Re:Major erratum in article
by Anonymous Coward · Score: 1, Informative
Bosh, just look at the recent combination server-side/client-side worms. This is a great way to get the client-side parts installed on computers. Fully automated, no clicking involved, once websites are owned:
Re:Major erratum in article
by Causemos · Score: 5, Informative
Except it appears no one checked this fix out completely. So long as your account has privileges to that area of the registry (which many do), AIM re-creates the key the next time you restart it. I've also tried breaking the key and AIM corrects this also.
Basically unless you run as a regular "User" or other restricted account in Windows, the AIM fix is only good for one session of AIM.
Wasn't an exploitable bug just found in gaim?
Or, to be accurate, in the "festival" plugin...
See:
http://seclists.org/lists/bugtraq/2003/Oct/0205.html
-- Spelling mistakes: My is english spoken not tongue of mother.
Needs user assistance
by LostCluster · Score: 3, Informative
There is not going to be an auto-spreading worm based on this hole. From the article: "AIM users would have to click on the URL to trigger the vulnerability..."
AIM-based worms that need user clicks to spread have already existed for a while. I've already seen one that tempts people to a page that offers a malware ActiveX download, and if the user accepts their AIM profile is changed to advertise the malware site without them realizing what they've done.
So, in short, this one's bad, but there's a pretty easy workaround that'll keep you safe: Hover over the hyperlink before you click on it to see the URL. If it's a mile long, don't click on it.
Re:Needs user assistance
by Anonymous Coward · Score: 1, Informative
Actually, that's a mistake in the article. See this post for details. Or, if you use AIM, click here to see your away message set automatically, from your web browser. Scary, huh?
Re:Needs user assistance
by Anonymous Coward · Score: 1, Informative
the user somehow has to get fooled into visiting an unsafe site for the whole process to start.
Actually, it's not hard, and it's basically automatic.
There was an article just the other day on Slashdot about this exact topic.
Basically the idea is that a good 30-50% of the results on the first page for Google searches on almost any topic nowadays will install spyware on your PC if you have an unpatched version of IE. Now with this exploit, ANYONE running AIM needs to worry, even if they are using an entirely different browser, like Firefox.
GAIM? Fire too
by ShatteredDream · Score: 2, Informative
For Mac users there is Fire which since going 1.0 is quite nice and polished.
Yet another reason to switch to, IMHO, a better client such as gaim.
Gaim's security doesn't look very good either. Switch if you like, but don't expect it to be any more secure.
Re:Gaim security
by Xoder · Score: 2, Informative
None of those are recent. There's one that's dated august 4, but it only refers to gaim 0.75 and earlier (and many versions of Trillian, I might add!). 0.81 is here, and dear goodness is it tasty! (AIM file sending now works [slowly, but AIM-ftp was always slow])
-- The previous sig has been removed due to /. protecting your best interests
Re:But....
by LostCluster · Score: 1, Informative
The problem isn't a link within an AIM away note, it's an abuse of a link format within a webpage that is supposed to set an away note.
A URL of the form "aim:goaway?message goes here" should work on most machines running AIM to set an away note. Pass too long of a string to that function, and a buffer overflow results.
One of our users posted a walkthrough of this fix this morning. Supposedly there is a new beta version of aim that has been released without this exploit... but I've not seen it yet.
Re:Bugfree OSS
by brianerst · Score: 3, Informative
Well, according to e-matters, a series of 8 different buffer overflow bugs was disclosed to gaim developers on January 4, 2004. A new gaim client (0.75) was released on January 10, but this only fixed one of the overflows and introduced four new ones.
On January 15, gaim development was emailed patches for all 11 existing bugs. A patch was added to CVS that evening, but there was no 0.76 release and no public disclosure by gaim dev (at least on their Sourceforge page - there may have been something sent to the mailing list). On January 23, e-matters let gaim dev know that they would release the bug report on January 26. On January 25, gaim dev replies that there is no timeframe for a 0.76 or bug-fix release. On January 26, e-matters publishes the bug report.
On January 28, gaim dev responds with a note saying they are far from a 0.76 release and provides a link to the FreeBSD source patch. Not much use to your average teenage Windows IMer. There may have been an executable patch, but I can't find any evidence of one.
On April 1, gaim 0.76, the first release with the bug fixes, is released. This has taken so long because:
This is no slam on gaim - the devs have lives outside of gaim and I'm glad they're providing a great OSS client. But like anything, there are pros and cons to both OSS and commercially developed software. Assuming that OSS is always more responsive, more bugfree, and better in every other way is naive. There are tradeoffs involved in libre software - most are well worth it, but there can be downsides occasionally too.
Browser does matter.
by Chuck+Chunder · Score: 2, Informative
Opera for example doesn't just action any URL type.
It will only pass on those that have been configured to be trusted.
-- Boffoonery - downloadable Comedy Benefit for Bletchley Park
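The difference the post above points at is a policy difference, not a parsing one: a Windows browser that consults HKEY_CLASSES_ROOT launches whatever program is registered for a scheme, while Opera forwards only schemes the user has chosen to trust. The following is an added example written for this thread, not code from Opera, Microsoft or the thread's posters: it models both decisions over the same set of URLs, including the case and whitespace variants that a check comparing the raw prefix against "aim:" would miss. The handler names, the registered set and the trusted set are assumptions made for the example.

```javascript
// Added example (not code from the thread, Opera or Microsoft): two models of
// the decision a browser makes before handing a URL to an external program.
// The "registry" model launches any scheme that has a registered handler,
// which is what the HKEY_CLASSES_ROOT\aim key gives a browser on Windows; the
// "trusted list" model launches only schemes the user explicitly allowed, as
// the post describes for Opera. Handler names, the registered set and the
// trusted set are assumptions made for this example.

// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
// Leading whitespace is stripped and the scheme lowercased, because a check
// that compares the raw prefix against "aim:" misses "  AIM:goaway?...".
function extractScheme(url) {
  const m = /^\s*([a-z][a-z0-9+.\-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Assumed HKEY_CLASSES_ROOT contents: scheme -> program launched for it.
const registeredHandlers = new Map([
  ['http', 'browser'],
  ['https', 'browser'],
  ['mailto', 'mail client'],
  ['aim', 'aim.exe'], // present whenever AIM has been run, per the thread
]);

// Assumed Opera-style configuration: schemes the user chose to trust.
const trustedSchemes = new Set(['http', 'https', 'mailto']);

// Registry policy: registered means launched. Removing the aim key blocks it,
// until the client re-registers itself.
function dispatchByRegistry(url) {
  const scheme = extractScheme(url);
  if (scheme === null) return { launch: false, reason: 'no scheme' };
  const handler = registeredHandlers.get(scheme);
  return handler ? { launch: true, handler } : { launch: false, reason: 'unregistered' };
}

// Trust-list policy: default deny, the list lives in the browser, and the
// registration state of the scheme never decides on its own.
function dispatchByTrustList(url) {
  const scheme = extractScheme(url);
  if (scheme === null) return { launch: false, reason: 'no scheme' };
  if (!trustedSchemes.has(scheme)) return { launch: false, reason: 'scheme not trusted' };
  const handler = registeredHandlers.get(scheme);
  return handler ? { launch: true, handler } : { launch: false, reason: 'unregistered' };
}

// Constructed inputs, including the variants a naive prefix check would miss.
const SAMPLE_URLS = [
  'http://www.example.com/',
  'aim:goaway?message=brb',
  '  AIM:goaway?message=' + 'A'.repeat(1100),
  'irc://irc.example.net/#gaim',
  'not a url at all',
];

// Run both policies over the same URLs and return the decisions side by side.
function compare(urls) {
  return urls.map(url => ({
    url: url.length > 40 ? url.slice(0, 37) + '...' : url,
    registry: dispatchByRegistry(url),
    trusted: dispatchByTrustList(url),
  }));
}

for (const row of compare(SAMPLE_URLS)) {
  console.log(
    row.url.padEnd(42),
    'registry:', row.registry.launch ? `launch ${row.registry.handler}` : row.registry.reason,
    '| trusted:', row.trusted.launch ? `launch ${row.trusted.handler}` : row.trusted.reason,
  );
}
```

Under the registry policy three of the five URLs reach an external program, and the padded uppercase one still reaches aim.exe because the scheme is normalized before lookup; under the trust-list policy only the http URL does. That is why the registry-key workaround discussed elsewhere in this thread is fragile: it edits the lookup table the client itself maintains, whereas the browser-side list is not something AIM can put back.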
Re:Coincidental...
by accessdeniednsp · Score: 3, Informative
And don't forget about the gaim-encryption plugin!
http://gaim-encryption.sf.net
Cross-platform, and uses the mozilla NSS libraries which gaim already uses too!
I'm sure you already know this, but gaim-vv is a friendly fork concentrating on the video and voice stuff, so at least they're making an attempt to catch up.
As an aside, I can think of many features where the official clients are/have been behind. When logging was big, the official clients couldn't do that! Another good example is buddy pouncing. Not to mention all the plugins...
-- You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...
Re:I use Gaim because it's the best in Linux
by the_rev_matt · Score: 5, Informative
I've been using GAIM on XP at work for 4 months now. It has had a total of one problem, when Yahoo changed protocols to screw third party IM clients. Downloaded the new version of GAIM less than 24 hours later and it worked fine.
I have encountered zero bugs with GAIM, which I consider very unusual for anything running on Windows.
Because FLOSS software has always spread by word-of-mouth. Commercial vendors have a thing called a budget and part of it will be money for advertising and other promotional gimmicks. Most FLOSS doesn't have any of that but still need to "get the word out". It's just different methods used by two different systems of software development. I'm a long-time Linux and FLOSS user/supporter so I usually know about the things they mention. But occasionally someone will mention a package or project I haven't heard of before. It's useful information.
Click here or a puppy gets stomped!
http://www.trillian.cc
Think Gaim but pretty!
blah, blah, blah
You don't have to be an AOL subscriber to use AIM.
Support the First Amendment. Read at -1
Miranda. Choice is good. :)
They can use Trillian, too.
-- Liberalism is a mental disorder.
Walkthrough of registry fix for AIM hack
Look like a good reason to upgrade to trillian to me.
Davak
We can all sleep better now.