Slashdot Mirror


AOL IM 'Away' Message Security Hole Found

thedude13 writes "Infoworld is running a story about a major security hole in AOL® Instant Messenger(TM) and how it handles away messages. AIM is vulnerable to a buffer overflow via the auto-response away message mechanism. Yet another reason to switch to, IMHO, a better client such as gaim."

16 of 284 comments

  1. more buffer over flows by RLW · · Score: 5, Insightful

    When are we going to learn to incorporate bounds checking into everything? We have the CPU cycles.

    1. Re:more buffer over flows by maximilln · · Score: 2, Insightful

      When are we going to learn to incorporate bounds checking into everything?

      I always validated my input, even when learning to program BASIC out of the C=64 User's Guide and the advanced Programmer's Reference Guide in my early teens before taking any formal classes in it. I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.

      --
      +++ATHZ 99:5:80
    2. Re:more buffer over flows by bs_testability · · Score: 3, Insightful

      I'm not having any more luck getting developers to incorporate self test, bounds checking,
      and testability access points than I am trying to get my kids to eat vegetables.
      Even tying bonuses to it motivates few.

    3. Re:more buffer over flows by pjt33 · · Score: 3, Insightful

      When everyone uses Java or OCAML rather than C(++).

  2. Jabber & Google by MarcoPon · · Score: 3, Insightful
    I just hope that Google launches a Jabber based IM system; it will be a major boost to the adoption of Jabber's servers as an open standard.
    It could also be seamlessly integrated with GMail, using the same id both as the e-mail address and as JID.

    Bye!

    --

    SeqBox
  3. I use Gaim because it's the best in Linux by xutopia · · Score: 2, Insightful

    But I wouldn't tell Windows users to jump right away to Gaim. It is still in beta and has a slew of bugs. Telling Windows users who have no idea what Open Source Software is that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.

    1. Re:I use Gaim because it's the best in Linux by LiMikeTnux · · Score: 1, Insightful

      "Gaim is only in version 0.81" IE is only in version 6.0, Firefox is in 0.9.3, which has less holes and is actually fixed within a few days? Just goes to show release numbers don't mean much in terms of readiness

      --
      yap
  4. Re:Major erratum in article by shird · · Score: 3, Insightful

    And, ahem, how do you get to that launch page in the first place? magic?

    It's not as if anyone can just post a meta-refresh onto the front page of google. A page/server would have to host that javascript/iframe/redirect/etc and you would have to convince someone to visit that in the first place.

    Sure, you can use social engineering to get people to visit mysite.com/hack.htm or whatever, but that's exactly what the article is saying - you need to manually visit a malicious page in the first place.

    --
    I.O.U One Sig.
  5. Re:gaim Bug by gtaluvit · · Score: 4, Insightful

    October of 2003 wasn't "just found" not to mention you have to install a plugin that doesn't come with gaim by default. We're talking default configuration on windows compared to a nonstandard configuration on some OS. Apples and oranges.

    --
    - gtaluvit (prnc. GOT-tuh-LUV-it)
  6. Re:Needs user assistance by Ieshan · · Score: 2, Insightful

    The real solution is to teach people not to accept ActiveX Downloads and other such things without reading the screen.

    I'm not really sure what the problem is. Reading the computer screen is not a difficult or scary task. Understanding words like "install" and "security hazard" and "caution" is not that difficult.

    I know it would be terrible UI design, but IE should really scramble the buttons at the bottom of ActiveX Dialogue boxes to keep people from instinctively clicking without reading. There are one or two ActiveX Components on the ENTIRE (effing) INTERNET that need to be installed.

    Teaching people basic computer security along with their basic computer skills is a useful and worthwhile thing.

  7. Re:Major erratum in article by Ieshan · · Score: 3, Insightful

    Right, because no one who uses AOL Instant Messenger ever visits websites without trying.

    Seriously, a combo exploit that affected webservers and AIM would net not only thousands of servers but thousands upon thousands of PCs. Individual PCs with no services are difficult to infect by worm with even the most minimal security settings, this would tank thousands of PCs because people are so naive when it comes to the 'net. AIM has always been "safe", they don't want to listen to how it might be "dangerous".

    Of course, AOL can push out an update to the client tomorrow, and as long as the next version has more flashing lights, people will download it right away.

  8. Gaim works by DrYak · · Score: 5, Insightful
    that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.


    {tongue in cheek mode:ON}
    Apparently you have no idea what Open Source Software is either
    {/tongue in cheek mode:OFF}

    More seriously: Unlike proprietary software, an open-source software whose version number is less than 1.x usually means more "warning: Not all cool functions you would like to see are implemented yet" rather than "This software is an experimental piece of crap, that will keep crashing your OS, please wait until we get out of beta stage before testing it, unless you backup your data often".

    Personally I've been using Gaim since version 0.5x both under linux at home and under windows at work, and I can say: It's pretty stable. I've been telling my brother and my friends about it and they are happy too.
    The only reason it hasn't reached the 1.x milestone isn't because of the bugs, but because there are some features it's still missing (Mainly : some kind of file upload are missing, although things are a lot better since 0.80 ; Support for Webcams, etc ...)

    This is a common misconception, and a lot of newbie users can be heard complaining "Linux distro sucks, It's only full of bug ridden software: everything is version 0.xy"

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  9. I'd switch to gaim.. by Anonymous Coward · · Score: 2, Insightful

    but the UI is pretty lousy

  10. Gaim not a full-featured alternative by mccalli · · Score: 3, Insightful
    The smug "switch to Gaim" comment rather let the side down there, I think. Gaim is not a full-featured replacement. The particular deficiency I'm referring to is common to many alternative IM clients - yes, they all handle chat but very few go the whole hog and support video chats. Alternative MSN client supporting video? Not that I can find, though I'd be happy to be proved wrong here.

    A quick search reveals a fork of the Gaim project here, which, err, aims to add video functionality. Looks good from the shots, though I haven't tried it myself.

    The point of this is that people should think things through before just spouting off the top of their head. It doesn't help to have people say "yeah, use this free alternative!" and then have people turn round and say it doesn't work. I'd love to recommend a non-AOL AIM client to people, but until AV is handled I simply can't. Same for MSN - all very nice for text and file transfer, but not up to scratch for the advanced functions yet.

    Cheers,
    Ian

  11. Re:Major erratum in article by moonbender · · Score: 2, Insightful

    The dangerous bit isn't with the AIM side of this exploit. The dangerous bit is with the browser side.

    Not really. A browser seeing an internet protocol it doesn't know how to use basically has two choices: ignore it or let somebody else worry about it. Ignoring it is not a Good Thing, since there clearly are cases where external URLs are useful (mail:, news:, ed2k:, irc:, and so on).
    And considering there already is a database of protocols and installed programs that handle them in the Windows registry it makes a lot of sense to use it and let the program associated with the protocol deal with it.

    Opera apparently has gone a middle route for some time now, since it allows you to specify trusted external protocols and associated applications. Protocols not on that list are ignored (I assume). This works very well, but of course it's really quite redundant, the same things already in the registry. Unfortunately there are protocols in the registry that shouldn't be, such as the shell thingie discussed some weeks ago.

    No, the fault really totally lies with AIM in this case. For one thing, it should be blindingly obvious that having urls like aim:goaway?message=x are really insane, even if they worked as advertised without any bugs: it effectively allows any site you visit to set your AIM status. And potentially other things depending on what other commands the protocol knows (aim:run?)... And of course the buffer overflow is also an AIM bug.

    --
    Switch back to Slashdot's D1 system.
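
Added example, not part of the original thread and not AIM's code: a hypothetical handler for the `aim:goaway?message=` URL form mentioned in the comment above, showing the bounds check the first comment in the thread asks for. The function names, the 256-byte limit and the `&` terminator are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define AWAY_MAX 256 /* assumed limit; the page does not give the real client's buffer size */
enum goaway_rc { GOAWAY_OK, GOAWAY_BAD_URI, GOAWAY_BAD_ESCAPE, GOAWAY_TOO_LONG };

static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode the message= value of an aim:goaway URI into out[out_size].
 * Oversized input is rejected outright, never truncated or written past out. */
enum goaway_rc parse_goaway(const char *uri, char *out, size_t out_size) {
    static const char prefix[] = "aim:goaway?message=";
    size_t n = 0;
    if (out_size == 0) return GOAWAY_TOO_LONG;
    out[0] = '\0';
    if (strncmp(uri, prefix, sizeof prefix - 1) != 0) return GOAWAY_BAD_URI;
    /* Assumption: '&' ends the value, as in an ordinary query string. */
    for (const char *p = uri + sizeof prefix - 1; *p && *p != '&'; p++) {
        int ch = (unsigned char)*p;
        if (ch == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]); /* no read past NUL */
            if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) {     /* malformed or %00 */
                out[0] = '\0';
                return GOAWAY_BAD_ESCAPE;
            }
            ch = hi * 16 + lo;
            p += 2;
        }
        if (n + 1 >= out_size) {    /* keep one byte for the terminator */
            out[0] = '\0';
            return GOAWAY_TOO_LONG;
        }
        out[n++] = (char)ch;
    }
    out[n] = '\0';
    return GOAWAY_OK;
}

int main(void) {
    char away[AWAY_MAX]; /* the URI below is a constructed sample */
    enum goaway_rc rc = parse_goaway("aim:goaway?message=out%20to%20lunch", away, sizeof away);
    printf("rc=%d message=\"%s\"\n", rc, away);
    return rc == GOAWAY_OK ? 0 : 1;
}
```

The length check addresses only the overflow; the comment's other objection, that any visited page can invoke the handler at all, needs a user confirmation or an allow-list in front of it.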
  12. Re:Coincidental... by Anonymous Coward · · Score: 1, Insightful

    Gaim also sucks in a lot of ways.

    Its support for non-aol protocols is between half-way decent and crap (though some, like IRC have recently improved a lot ... hence half-way decent).

    Gaim (at least recently, a month or two ago ... things do change quickly) still can't handle multiple presences in Jabber (although now that AIM has a similar thing I wouldn't be surprised if Gaim fixed that--it used to be that it would disconnect if a new presence connected).

    Buddy Pounce is cool. It was the reason I started using it many moons ago. Nothing really new has been added that's been innovative, which on one hand is sad, but on the other hand indicates it has matured. Gaim-e is nice but it's also nice to have automatic key generation (granted this has the problem of MITM attacks that Gaim-e and its gpg based solution doesn't have).

    Also, the Gaim code is horrible. This is most likely because of its integration with GTK but pretty much everything -- including protocol back ends -- are intrinsically tied to the front end which makes it in my mind poorly designed.

    But whatever works, right?

    (speaking of which--as for 'best IM service' I'd suggest Jabber, which you may have already decided on ... built-in support for SSL connections, most clients support end-to-end encryption with PGP also, and you can have multiple sign-ins using different 'resources' such as different machines. I'd suggest using Psi though as it (in my opinion) is the most feature complete Jabber client. It is also cross platform. Gaim of course also supports Jabber. )