Posted by ryuzaki0 on from the oops-they-did-it-again dept.
thedude13 writes "Infoworld is running a story about a major security hole in AOL® Instant Messenger™ and how it handles away messages. AIM is vulnerable to a buffer overflow via the auto-response away message mechanism. Yet another reason to switch to, IMHO, a better client such as gaim."
Do many people put links in away messages anyway? Wouldn't people think it was strange that there is a link to something they've never heard about in an away message? I've never used AOL, so can someone tell me if you can use a text link, or is it only a URL?
Re:Major erratum in article
by Anonymous Coward · Score: 1, Interesting
Indeed. A simple proof of concept: If you use AIM, click here to see your away message set, from your web browser. (No "message=" bit set here in this example; that's just plain mean.)
And, of course, if it can be done by clicking such a link from your browser, it can be done by any of the means listed in the parent post.
Coincidental...
by GillBates0 · Score: 4, Interesting
I've been assigned a task of choosing the best IM service/client for our group at work and will be recommending Gaim (correct capitalization) at a meeting today.
The decision was mostly because of its cross-platform, cross-service compatibility and "Buddy Pounce" features (and because it's my personal favorite too :)). This way folks can continue to use their personal MSN/AIM IDs without a problem. The Buddy Pounce feature allows a script/macro to be run in response to an event - this feature is particularly useful for us because we can kick off an SMS message for example in response to a message or another event.
Though they don't release Solaris binaries, I did get it to build on Solaris/SPARC with a little effort. I know the Yahoo Messenger UNIX version is open source now, so I could probably try and build it for obscure platforms, but it is IMHO severely crippled compared to the Windows counterpart.
-- An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Re:GAIM? Fire too
by slamb · Score: 2, Interesting
For Mac users there is Fire which since going 1.0 is quite nice and polished.
Looks like the Mac version is not vulnerable to this specific bug, as it deals with the way Windows has pluggable protocols for URLs. (Which is not to say that I'm confident the official Mac client has no security problems. I'm not.)
Also, as long as we're mentioning IM clients for the Mac: my favorite is Adium. I'm a little biased, but it has a great UI. (See the About page for screenshots.) libgaim backend, so support for many protocols.
Seriously, is gaim really a better client? It always seems to me like the unauthorized clients are a generation behind the real ones. Back when file sharing was big, gaim could not do it. Then buddy icons, gaim could not do it. Now gaim can do those, but the big thing is voice and video, gaim can't do those.
-- The war with islam is a war on the beast
The war on terror is a war for peace
Re:more buffer over flows
by Bedouin+X · Score: 3, Interesting
I wonder if my newly acquired NX protection (just installed XP SP2) will protect me from this. I use Trillian Pro anyway but if anybody has a link, I'd like to see.
-- Dissolve... Resolve... Evolve...
Re:Major erratum in article
by glenkim · Score: 2, Interesting
You're right... I made a page that crashes AIM. When I first ran the page though, an error message popped up that says a buffer overrun was detected. Does that mean that the code wouldn't have executed anyway?
Re:more buffer over flows
by Proaxiom · Score: 4, Interesting
I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.
Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.
For instance: Not too long ago few programmers had any idea they should check input values for SQL control characters before passing it to a database script. They assumed input wouldn't contain any, without realizing they were so assuming.
It's true that many bugs arise from unchecked string lengths, and those are usually pretty easy to catch (and to fix), but resolving those problems will only take care of a subset -- though probably a large subset -- of the input-related security flaws out there.
I use gaim regularly, but I still haven't weaned myself off the official AOL Linux AIM client because gaim still crashes every time I try to send or receive a file. Never have I seen a feature for an OSS program be so seemingly painful and difficult to implement.
--Stephen
-- Did you ever notice that *nix doesn't even cover Linux?
Re:Bugfree OSS
by signingis · Score: 2, Interesting
What was the response time for developers to release fixes for GAIM? We're going on 3 weeks now for AOL to release the fix for AIM. Not to mention that some of the vulnerabilities in GAIM were found in older versions of the program when upgrades were available.
-- I prefer a void in conversation to a vacuous one.
a more secure approach
by feepcreature · Score: 4, Interesting
I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.
Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.
The more secure approach is not stripping out possibly dangerous input - it is only permitting the minimum necessary. It's not always possible, but it should be applied where possible.
So if it's a phone number, just numbers (and brackets and a plus for international numbers, and maybe minuses for the transatlantic cousins).
Naturally there is a tradeoff between security and usability - especially if you make a mistake in the permitted characters :-(
Even if you're not going that far, anything that looks like an escape character of any sort should generally be banned. Of course, some names have apostrophes, which could look like 'close quotes' if your app is especially dim.
Just as well there is no strict liability for software bugs!
-- Paul
"Say no to feeping creaturism"
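Added example, not from the thread or any of its posters, putting the two comments above into code: Proaxiom's point that the assumption about each input should be stated explicitly, and feepcreature's point that the safer approach permits only the minimum necessary (the phone-number case) rather than stripping what looks dangerous. The field patterns, the `contacts` table and the sample inputs are constructed for illustration; the parameterized query is what keeps a legitimate apostrophe in a name (feepcreature's "close quotes" worry) from ever reaching the database as SQL.

```python
import re
import sqlite3

# Allow-lists: each pattern is the stated assumption about what the field may
# contain, so anything outside it is rejected rather than "cleaned".
# Phone number: optional leading '+', then digits, brackets, spaces, hyphens.
PHONE_RE = re.compile(r"\+?[0-9()\- ]{3,20}")
# Name: starts with a letter, then letters, spaces, hyphens or apostrophes
# (apostrophes are legitimate in names, so they are allowed here; the SQL
# layer below is what keeps them harmless).
NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[' \-]){0,79}")


class ValidationError(ValueError):
    """Raised when input falls outside the field's allow-list."""


def validate_phone(value: str) -> str:
    if not PHONE_RE.fullmatch(value):
        raise ValidationError(f"phone number rejected: {value!r}")
    return value


def validate_name(value: str) -> str:
    if not NAME_RE.fullmatch(value):
        raise ValidationError(f"name rejected: {value!r}")
    return value


def accepts(validator, value: str) -> bool:
    """True if the validator lets the value through, False if it rejects it."""
    try:
        validator(value)
        return True
    except ValidationError:
        return False


def new_db() -> sqlite3.Connection:
    """In-memory table standing in for the 'database script' in the comment
    (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, phone TEXT)")
    return conn


def store_contact(conn: sqlite3.Connection, name: str, phone: str) -> int:
    """Validate, then insert with a parameterized query so the database never
    parses the values as SQL. Returns the number of stored contacts."""
    name = validate_name(name)
    phone = validate_phone(phone)
    conn.execute("INSERT INTO contacts (name, phone) VALUES (?, ?)", (name, phone))
    return conn.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]


def stored_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM contacts ORDER BY name")]


if __name__ == "__main__":
    # Constructed sample inputs, the sort of thing a form might receive.
    samples = [
        ("O'Brien", "+44 (0)20 7946-0000"),            # legitimate, apostrophe and all
        ("Robert'); DROP TABLE contacts; --", "555"),  # name fails the allow-list
        ("Alice", "555-0100; DELETE FROM contacts"),   # phone fails the allow-list
    ]
    conn = new_db()
    for name, phone in samples:
        try:
            print("stored:", name, phone, "->", store_contact(conn, name, phone))
        except ValidationError as err:
            print("rejected:", err)
    print(stored_names(conn))
```

Note the division of labour: the allow-list rejects input that cannot be a phone number or a name at all, without the programmer having to enumerate every SQL control character, while the parameterized query makes the characters that do have to be allowed (the apostrophe in O'Brien) plain data. Getting the permitted set wrong still costs usability, as the comment says, so the name pattern deliberately allows more than digits-only fields do.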
Open Source Pimpdaddio
by Mulletproof · Score: 2, Interesting
"Yet another reason to switch to, IMHO, a better client such as gaim."
I know we're all open-source whores here, but even the free version of Trillian is a much better omnipotent IM product as long as we're suggesting alternatives. The level of refinement between the two is light-years apart. And yes, I'm using Firefox to jot this, thankyouverymuch.
That error being noted, most users of AIM that I know will click on just about anything.
Nothing but the finest in meaningless drivel
http://www.say11.com/personal/byebyeaim.html
My personal preference:
screen + aterm + irssi + bitlbee
Screen is a full screen window manager; keep something running on a server and detach/attach from anywhere.
aterm is a nice terminal for X11.
irssi is a CLI irc client. Since Bitlbee acts as a normal IRC server, any IRC client can be used. Even CGI::IRC, there are several sites that allow you to use MSN/ICQ/JABBER/AIM/etc from a web page.
Bitlbee is an IRC gateway server. Basically it's an irc server where you can add IM accounts. The gateway gives you an "irc channel" with ALL your contacts, whatever they are using.
More: BitlBee Guide - Talk to msn, icq and jabber contacts using any IRC client.
NOTE: The setup has TWO flaws:
1) You can not exchange files (no filetransfer).
2) Bitlbee does not support GPG encryption for secure communication (available in jabber clients like gjabber and psi).
Rule of thumb: Original IM providers' clients are never the best choice.
9/11: Never forget it was a false-flag operation