Slashdot Mirror


AOL IM 'Away' Message Security Hole Found

thedude13 writes "Infoworld is running a story about a major security hole in AOL® Instant Messenger(TM) and how it handles away messages. AIM is vulnerable to a buffer overflow via the auto-response away message mechanism. Yet another reason to switch to, IMHO, a better client such as gaim."

17 of 284 comments

  1. Major erratum in article by Eponymous+Cowboy · · Score: 5, Informative
    Unfortunately, the article this story links to has a rather large mistake. It states:
    "However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said."
    This is completely and totally wrong.

    Any web page can launch URLs of the form aim:goaway?message=Anything+goes+here by many different means without user intervention:
    • Redirect response codes
    • Meta redirect tags
    • Frames
    • iframes
    • Javascript popups
    Any one of those methods will change your away message automatically, without any confirmation on your part. And if the part in the message= section is more than 1024 characters, arbitrary code can be executed on your machine.

    The only sure way to protect yourself against this is to remove the HKEY_CLASSES_ROOT\aim registry key, which will disable the AIM protocol altogether, as explained here.
    --
    It's hard for thee to kick against the pricks.
    1. Re:Major erratum in article by Causemos · · Score: 5, Informative

      Except it appears no one checked this fix out completely. So long as your account has privileges to that area of the registry (which many do), AIM re-creates the key the next time you restart it. I've also tried breaking the key and AIM corrects this also.

      Basically unless you run as a regular "User" or other restricted account in Windows, the AIM fix is only good for one session of AIM.

      Victor
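
The length condition described in comment 1 (a `message=` value longer than 1024 characters), handled the way the bounds-checking comments in this thread ask for. This is an added example, not AIM's code and not from any poster; the function and status names, the `+` and `%XX` decoding rules, and the sample inputs are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define AWAY_MAX 1024  /* buffer size; 1024 is the figure quoted in the comment */
#define PREFIX   "aim:goaway?message="

enum goaway_status { GOAWAY_OK, GOAWAY_NOT_GOAWAY, GOAWAY_BAD_ESCAPE, GOAWAY_TOO_LONG };

static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode the message= value into out[outsz]. Every write is bounds-checked;
 * an over-long value is rejected, not truncated, and out is left empty. */
enum goaway_status parse_goaway(const char *url, char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz == 0) return GOAWAY_TOO_LONG;
    out[0] = '\0';
    if (strncmp(url, PREFIX, strlen(PREFIX)) != 0) return GOAWAY_NOT_GOAWAY;
    for (const char *p = url + strlen(PREFIX); *p && *p != '&'; p++) {
        int ch = (unsigned char)*p;
        if (ch == '+') {
            ch = ' ';
        } else if (ch == '%') {               /* %XX escape; %00 is refused */
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (hi < 0 || lo < 0 || hi + lo == 0) { out[0] = '\0'; return GOAWAY_BAD_ESCAPE; }
            ch = hi * 16 + lo;
            p += 2;
        }
        if (n + 1 >= outsz) { out[0] = '\0'; return GOAWAY_TOO_LONG; } /* room for NUL */
        out[n++] = (char)ch;
    }
    out[n] = '\0';
    return GOAWAY_OK;
}

int main(void)
{
    char out[AWAY_MAX], url[4096] = PREFIX;   /* constructed sample input */
    memset(url + strlen(PREFIX), 'A', 2000);  /* 2000-character message */
    printf("short=%d ", parse_goaway(PREFIX "Anything+goes+here", out, sizeof out));
    printf("long=%d\n", parse_goaway(url, out, sizeof out));
}
```

The length is checked on the decoded output, one byte at a time, so a short URL that expands during decoding cannot slip past a check made on the raw string.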

  2. A reason to sit at the computer? by asciono · · Score: 5, Funny

    Whatever you do, don't leave the computer. Oh, nice reason to sit more at the computer. :)

  3. more buffer over flows by RLW · · Score: 5, Insightful

    When are we going to learn to incorporate bounds checking into everything? We have the CPU cycles.

    1. Re:more buffer over flows by Proaxiom · · Score: 4, Interesting
      "I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from."

      Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.

      For instance: Not too long ago few programmers had any idea they should check input values for SQL control characters before passing them to a database script. They assumed input wouldn't contain any, without realizing they were so assuming.

      It's true that many bugs arise from unchecked string lengths, and those are usually pretty easy to catch (and to fix), but resolving those problems will only take care of a subset -- though probably a large subset -- of the input-related security flaws out there.

  4. Obvious solution. by Masque · · Score: 5, Funny

    This vulnerability only affects those rare few that actually leave their computers and do things in the "real" world.

    Those rebels deserve whatever they get.

  5. My God! by Anonymous Coward · · Score: 4, Funny

    Fortunately, most AOL users are known to be savvy enough to find some work-around until patches are available.

  6. Re:gaim Bug by gtaluvit · · Score: 4, Insightful

    October of 2003 wasn't "just found" not to mention you have to install a plugin that doesn't come with gaim by default. We're talking default configuration on windows compared to a nonstandard configuration on some OS. Apples and oranges.

    --
    - gtaluvit (prnc. GOT-tuh-LUV-it)
  7. Coincidental... by GillBates0 · · Score: 4, Interesting
    I've been assigned a task of choosing the best IM service/client for our group at work and will be recommending Gaim (correct capitalization) at a meeting today.

    The decision was mostly because of its cross-platform, cross-service compatibility and "Buddy Pounce" features (and because it's my personal favorite too :)). This way folks can continue to use their personal MSN/AIM IDs without a problem. The Buddy Pounce feature allows a script/macro to be run in response to an event - this feature is particularly useful for us because we can kick off an SMS message for example in response to a message or another event.

    Though they don't release Solaris binaries, I did get it to build on Solaris/SPARC with a little effort. I know the Yahoo Messenger UNIX version is open source now, so I could probably try and build it for obscure platforms, but it is IMHO severely crippled compared to the Windows counterpart.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  8. oh god by TechnologyX · · Score: 5, Funny

    "However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said."

    Yeah, this wouldn't be such a problem if the average IQ of an AIM user was above 2

    MizzIz283334: "LIke, OMG Iz just gots a linky from somewhere!!!11!!oneoneone"
    IzLikeBoizzz435435: "OMG u clic it?"
    MizzIZ 283334: "OMG WTF BBQ My computer died!!!"

    --
    Slashdot sucks
  9. gaim by minus_273 · · Score: 4, Interesting

    Seriously, is gaim really a better client? It always seems to me like the unauthorized clients are a generation behind the real ones. Back when file sharing was big, gaim could not do it. Then buddy icons, gaim could not do it. Now gaim can do those, but the big thing is voice and video, gaim can't do those.

    --
    The war with islam is a war on the beast
    The war on terror is a war for peace
  10. Gaim works by DrYak · · Score: 5, Insightful
    that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.


    {tongue in cheek mode:ON}
    Apparently you have no idea what Open Source Software is either
    {/tongue in cheek mode:OFF}

    More seriously: Unlike proprietary software, an open-source software whose version number is less than 1.x usually means more "warning: Not all cool functions you would like to see are implemented yet" rather than "This software is an experimental piece of crap, that will keep crashing your OS, please wait until we get out of beta stage before testing it, unless you backup your data often".

    Personally I've been using Gaim since version 0.5x both under linux at home and under windows at work, and I can say: It's pretty stable. I've been telling my brother and my friends about it and they are happy too.
    The only reason it hasn't reached the 1.x milestone isn't because of the bugs, but because there are some features it's still missing (Mainly: some kinds of file upload are missing, although things are a lot better since 0.80; Support for Webcams, etc ...)

    This is a common misconception, and a lot of newbie users can be heard complaining "Linux distro sucks, It's only full of bug ridden software: everything is version 0.xy"

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  11. Bugfree OSS by brianerst · · Score: 5, Informative
    Thank god there have never been any buffer overflow bugs in Gaim!

    We can all sleep better now.

  12. Re:I use Gaim because it's the best in Linux by the_rev_matt · · Score: 5, Informative

    I've been using GAIM on XP at work for 4 months now. It has had a total of one problem, when Yahoo changed protocols to screw third party IM clients. Downloaded the new version of GAIM less than 24 hours later and it worked fine.

    I have encountered zero bugs with GAIM, which I consider very unusual for anything running on Windows.

    --
    this is getting old and so are you


  13. Re:worm/virus? by TeddyBare · · Score: 5, Funny

    Wouldn't you have to be a "less knowledgeable" user to use AOL in the first place?

  14. a more secure approach by feepcreature · · Score: 4, Interesting
    "I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from."

    "Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them."

    The more secure approach is not stripping out possibly dangerous input - it is only permitting the minimum necessary. It's not always possible, but it should be applied where possible.

    So if it's a phone number, just numbers (and brackets and a plus for international numbers, and maybe minuses for the transatlantic cousins).

    Naturally there is a tradeoff between security and usability - especially if you make a mistake in the permitted characters :-(

    Even if you're not going that far, anything that looks like an escape character of any sort should generally be banned. Of course, some names have apostrophes, which could look like 'close quotes' if your app is especially dim.

    Just as well there is no strict liability for software bugs!

    --
    Paul "Say no to feeping creaturism"
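
The "only permit the minimum necessary" approach from comment 14, applied to its phone-number case and set beside a strip-the-bad-characters filter. This is an added example, not code from any poster; the function names, the 20-character limit, the acceptance of spaces, the structural rules and the sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PHONE_MAX 20   /* assumed field length limit */

/* Allowlist: digits, brackets, '+' and '-' as listed in the comment above;
 * the space and the structural rules are assumptions of this example. */
int phone_allowed(const char *s)
{
    size_t len = strlen(s), digits = 0;
    int open = 0;

    if (len == 0 || len > PHONE_MAX) return 0;
    if (strspn(s, "0123456789()+- ") != len) return 0;   /* any other byte: reject */
    for (size_t i = 0; i < len; i++) {
        if (s[i] >= '0' && s[i] <= '9') {
            digits++;
        } else if (s[i] == '+') {
            if (i != 0) return 0;                  /* '+' only as a prefix */
        } else if (s[i] == '(') {
            if (open) return 0;                    /* no nesting */
            open = 1;
        } else if (s[i] == ')') {
            if (!open) return 0;                   /* no unmatched ')' */
            open = 0;
        }
    }
    return !open && digits >= 3;
}

/* Denylist for contrast: removes only the characters its author thought of. */
void strip_denylist(char *s)
{
    char *w = s;
    for (; *s; s++)
        if (*s != '\'' && *s != ';') *w++ = *s;
    *w = '\0';
}

int main(void)
{
    char raw[] = "555-0100';\\";   /* constructed input: quote, semicolon, backslash */
    strip_denylist(raw);           /* the backslash survives the denylist */
    printf("denylist leaves \"%s\", allowlist says %d\n", raw, phone_allowed(raw));
    printf("+44 (0)20 7946 0018 -> %d\n", phone_allowed("+44 (0)20 7946 0018"));
}
```
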
  15. Why all the AOL bashing? by huchida · · Score: 4, Funny

    I use AOL broadband and love it. Sure, I could have bought Earthlink and connected to the Internet... But with AOL I can connect to both the Internet AND the World Wide Web!