Posted by
ryuzaki0
on from the oops-they-did-it-again dept.
thedude13 writes " Infoworld is running a story about a major security hole in AOL ® Instant Messenger(TM) and how it handles away messages. AIM is vulnerable to a buffer overflow via the auto-response away message mechanism. Yet another reason to switch to, IMHO, a better client such as gaim."
Major erratum in article
by
Eponymous+Cowboy
·
· Score: 5, Informative
Unfortunately, the article this story links to has a rather large mistake. It states:
However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.
This is completely and totally wrong.
Any web page can launch URLs of the form aim:goaway?message=Anything+goes+here by many different means without user intervention:
Redirect response codes
Meta redirect tags
Frames
iframes
Javascript popups
Any one of those methods will change your away message automatically, without any confirmation on your part. And if the part in the message= section is more than 1024 characters, arbitrary code can be executed on your machine.
The only sure way to protect yourself against this is to remove the HKEY_CLASSES_ROOT\aim registry key, which will disable the AIM protocol altogether, as explained here.
-- It's hard for thee to kick against the pricks.
Re:Major erratum in article
by
Causemos
·
· Score: 5, Informative
Except it appears no one checked this fix out completely. So long as your account has privileges to that area the registry (which many do). AIM re-creates the key the next time you restart it. I've also tried breaking the key and AIM corrects this also.
Basically unless you run as a regular "User" or other restricted account in Windows, the AIM fix is only good for one session of AIM.
Victor
A reason to sit at the computer?
by
asciono
·
· Score: 5, Funny
Whatever you do, don't leave the computer. Oh, nice reason to sit more at the computer.:)
more buffer over flows
by
RLW
·
· Score: 5, Insightful
When are we going to learn to incorporate bounds checking in to everything ? We have the CPU cyclces.
"However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said."
Yeah, this wouldn't be such a problem if the average IQ of an AIM user was above 2
MizzIz283334: "LIke, OMG Iz just gots a linky from somewhere!!!11!!oneoneone"
IzLikeBoizzz435435: "OMG u clic it?"
MizzIZ 283334: "OMG WTF BBQ My computer died!!!"
that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.
{thongue in cheek mode:ON} Apparently you have no idea what Open Source Software is either {/thongue in cheek mode:OFF}
More seriously : Unlike proprietary software, a opensource software whose version number is less than 1.x usually means more "warning: Not all cool function you would like to see are implemented yet" rather than "This software is an expreminental piece of crap, that will keep crashing your OS, please wait until we get out of beta stage before testing it, unless you backup your data often".
Personnaly I've been using Gaim since version 0.5x both under linux at home and under windows at work, and I can say : It's pretty stable. I've been telling my brother and my friends about it and they are happy too. The only reason it hasn't reached the 1.x milestone isn't because of the bugs, but because there are some features it's still missing (Mainly : some kind of file upload are missing, although things are a lot better since 0.80 ; Support for Webcams, etc...)
This is a common misconception, and a lot of newbie users can be heard complaining "Linux distro sucks, It' only full of bug ridden software : everything is version 0.xy"
-- "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Bugfree OSS
by
brianerst
·
· Score: 5, Informative
Re:I use Gaim because it's the best in Linux
by
the_rev_matt
·
· Score: 5, Informative
I've been using GAIM on XP at work for 4 months now. It has had a total of one problem, when Yahoo changed protocols to screw third party IM clients. Downloaded the new version of GAIM less than 24 hours later and it worked fine.
I have encountered zero bugs with GAIM, which I consider very unusual for anything running on Windows.
Slashdot Mirror
Any web page can launch URLs of the form aim:goaway?message=Anything+goes+here by many different means without user intervention:
- Redirect response codes
- Meta redirect tags
- Frames
- iframes
- Javascript popups
Any one of those methods will change your away message automatically, without any confirmation on your part. And if the part in the message= section is more than 1024 characters, arbitrary code can be executed on your machine.The only sure way to protect yourself against this is to remove the HKEY_CLASSES_ROOT\aim registry key, which will disable the AIM protocol altogether, as explained here.
It's hard for thee to kick against the pricks.
Whatever you do, don't leave the computer. Oh, nice reason to sit more at the computer. :)
When are we going to learn to incorporate bounds checking in to everything ? We have the CPU cyclces.
This vulnerability only affects those rare few that actually leave their computers and do things in the "real" world.
Those rebels deserve whatever they get.
"However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said."
Yeah, this wouldn't be such a problem if the average IQ of an AIM user was above 2
MizzIz283334: "LIke, OMG Iz just gots a linky from somewhere!!!11!!oneoneone"
IzLikeBoizzz435435: "OMG u clic it?"
MizzIZ 283334: "OMG WTF BBQ My computer died!!!"
Slashdot sucks
{thongue in cheek mode:ON}
Apparently you have no idea what Open Source Software is either
{/thongue in cheek mode:OFF}
More seriously : Unlike proprietary software, a opensource software whose version number is less than 1.x usually means more "warning: Not all cool function you would like to see are implemented yet" rather than "This software is an expreminental piece of crap, that will keep crashing your OS, please wait until we get out of beta stage before testing it, unless you backup your data often".
Personnaly I've been using Gaim since version 0.5x both under linux at home and under windows at work, and I can say : It's pretty stable. I've been telling my brother and my friends about it and they are happy too.
The only reason it hasn't reached the 1.x milestone isn't because of the bugs, but because there are some features it's still missing (Mainly : some kind of file upload are missing, although things are a lot better since 0.80 ; Support for Webcams, etc
This is a common misconception, and a lot of newbie users can be heard complaining "Linux distro sucks, It' only full of bug ridden software : everything is version 0.xy"
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
We can all sleep better now.
I've been using GAIM on XP at work for 4 months now. It has had a total of one problem, when Yahoo changed protocols to screw third party IM clients. Downloaded the new version of GAIM less than 24 hours later and it worked fine.
I have encountered zero bugs with GAIM, which I consider very unusual for anything running on Windows.
this is getting old and so are you
blog
Would't you have to be a "less knowledgeable" user to use AOL in the first place?