Slashdot Mirror

← Back to Stories (view on slashdot.org)

Despite AOL's Claim, AIM Worm Hole Still Wide Open

Posted by Zonk on from the perhaps-they-should-fix-that dept.

Clown of the month writes "There's a nasty worm hole in America Online's standalone AIM (instant messaging) software that won't be patched until the middle of October. This vulnerability, first reported to AOL by researchers at Core Security more than a month ago, is caused by the way AIM supports the rendering of HTML content via an embedded Internet Explorer server control. AOL coordinated with Core on the release of an advisory, on the understanding that the flaw was patched in the latest beta version. As security researcher Aviv Raff discovered, the underlying vulnerability was never fixed. In the demonstration, Raff simply sent an IM to trigger the launch of the calculator application. The attack scenario works without the target clicking on a link and only requires that the AIM user is logged on and accepting incoming messages."

75 comments

  1. just use pidgin! by mwilliamson · · Score: 3, Interesting

    Here's a perfect example of where an open-source solution beats the pants off a commercial one.

    1. Re:just use pidgin! by Sarten-X · · Score: 4, Insightful

      Indeed. I've been using pidgin/GAIM for 3 years, and recommend it to everyone whose computer I've had to remove viruses from. There's really little reason to use AOL or MSN's client.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:just use pidgin! by centinall · · Score: 1

      I don't think that Pidgin can render HTML, or least do it yet. Although why you would really want to do this is lost to me.

    3. Re:just use pidgin! by p0tat03 · · Score: 1

      Agreed. Although the lack of offline messaging in MSN is annoying, pidgin does everything I want MSN to do, with none of the things that the official client does that I hate.

    4. Re:just use pidgin! by BosstonesOwn · · Score: 1

      So it can render the emoticons every one seems to love. Or if your like me hate with a passion.

      I think it also transports the text and such in XML which is why it uses the rendering engine.

      --
      This package Does Not Contain a Winner
    5. Re:just use pidgin! by Cal+Paterson · · Score: 4, Insightful

      Here's a perfect example of where an open-source solution beats the pants off a commercial one.
      This statement, while true, doesn't say a lot. Pidgin does have a lot of shortcomings (though it's all I use).
    6. Re:just use pidgin! by kryptkpr · · Score: 1

      My problem with Pidgin is with the rather plain way it looks. Kopete has a killer theming engine and many themes which are far more polished (imho) then Pidgin.

      --
      DJ kRYPT's Free MP3s!
    7. Re:just use pidgin! by Anonymous Coward · · Score: 0

      > So it can render the emoticons every one seems to love. Or if your like me hate with a passion.

         :)  :)  :)  :)  :)  :)
      :) BosstonesOwn (794949)  :)
         ..  ..  ..  ..  ..  ..
         \/  \/  \/  \/  \/  \/

    8. Re:just use pidgin! by fireboy1919 · · Score: 1

      I like my logging. I have a complete history of everything that anyone has ever said to me available in the log, and I can always pick up where I left off.

      Pidgin has *almost* replaced e-mail for me.

      --
      Mod me down and I will become more powerful than you can possibly imagine!
    9. Re:just use pidgin! by Anonymous Coward · · Score: 0

      Yeah, who needs direct connect to work properly. Or a file transfer to be able to make it through a NAT router.

    10. Re:just use pidgin! by Dunbal · · Score: 1

      Here's yet another perfect example of where an open-source solution beats the pants off a commercial one.

      There, fixed it for you.

      --
      Seven puppies were harmed during the making of this post.
    11. Re:just use pidgin! by QuietObserver · · Score: 1

      Personally, I use an IM to chat with friends; it works perfectly fine for that, so I don't really care what shortcomings Pidgin has. My only weakness is I haven't worked out how to get it installed on my computer (Ubuntu 64 bit), yet.

    12. Re:just use pidgin! by QuietObserver · · Score: 1

      One thing I failed to point out, though; I haven't really been trying too hard.

    13. Re:just use pidgin! by Anonymous Coward · · Score: 0
      How did this get modded +5 Insightful?

      This statement, while true, doesn't say a lot.
      Ironically, neither does yours.

      Pidgin does have a lot of shortcomings (though it's all I use).
      If it has shortcomings, please do share with the rest of us.
    14. Re:just use pidgin! by dlgeek · · Score: 1

      Gutsy: as root: apt-get install pidgin Dapper/Edgy/Feisty still have an older version from before the name changed: as root: apt-get install gaim There, you're done.

    15. Re:just use pidgin! by Anonymous Coward · · Score: 0

      Which of the open source solutions include voice and video chat?

    16. Re:just use pidgin! by Cal+Paterson · · Score: 1

      Ironically, neither does yours.
      Succinctness is not the same as not saying anything. The fact that I didn't spell everything out like a moron does not mean that I did not make any points.
  2. wormhole? by FlashBuster3000 · · Score: 4, Funny

    Let me welcome our new Dominion Overlords!

  3. People still use AOL-supplied AIM client? by necro2607 · · Score: 3, Interesting

    Err, people actually still use the AIM client supplied by AOL? Almost everyone I know is using a 3rd-party multi-protocol app like Trillian or Gaim (on Windows) or Adium or iChat on OS X. I'd be totally surprised to see someone actually running the [IMO] horrible client made by AOL.

    1. Re:People still use AOL-supplied AIM client? by Anonymous Coward · · Score: 1, Interesting

      Know any normal people ? In other words people not in IT nor techinically inclined ? Unfortunately I see this crap stil used on tons of clients PC's ranging from secretaries to the head partners in various firms -

    2. Re:People still use AOL-supplied AIM client? by Kazrath · · Score: 2, Informative

      Plenty of reasons to name one major one.

      Many major financial & trading firms use IM clients of all breeds to interact with customers/clients/associates on a daily basis. These communications need to have specific rules enforced against and all communications recorded for them to be compliant. Many of the third party IM clients do not intergrate correctly with software that performs the management/proxying of IM traffic within an enterprise environment or could allow access on protocols that are restricted.

    3. Re:People still use AOL-supplied AIM client? by dunezone · · Score: 2, Insightful

      Why not? The majority of individuals who grew up during the 90s grew up using AOL. Were accustomed to AIM and its user interface. Why do you think they still offer the old 5.9 version? And the open-source solution doesnt help them either. These people dont want change and they dont want to learn anything new. This is why people still use Windows.

    4. Re:People still use AOL-supplied AIM client? by a-zarkon! · · Score: 1

      Yeah, I'll go on record and agree with the AC - there are PLENTY of people out there who have no idea what GAIM/Trillian/etc. even are. They aren't technical; they are less likely to patch or maintain AV, they are more likely to have a boatload of spyware clogging their IE browser. The unwashed masses. They include your neighbor, your doctor, and your garbageman. They are legion.

    5. Re:People still use AOL-supplied AIM client? by Dunbal · · Score: 2, Insightful

      I cut my teeth on CompuServe and closed my accounts when they merged with AOL. AOL sucked back then, and it still sucks now. Only reason they ever became popular is because at least half the population of (insert country here) is ignorant.

      --
      Seven puppies were harmed during the making of this post.
    6. Re:People still use AOL-supplied AIM client? by j00r0m4nc3r · · Score: 1

      Almost everyone I know is using a 3rd-party multi-protocol app like Trillian or Gaim

      Do you know any soccer moms from rural Nebraska?

  4. Things like this... by Pojut · · Score: 1

    ...combined with excessive bloat are why I use Trillian.

    --
    Living With a Nerd
    1. Re:Things like this... by BosstonesOwn · · Score: 1

      From May http://crave.cnet.com/8301-1_105-9722313-1.html , but it shows that no IM client is secure , less bloated yes and patched faster yes , but not secure from some one willing and wanting to do harm.

      IMHO any open source IM client is inherently better. It's patched faster 90 % of the time.

      --
      This package Does Not Contain a Winner
  5. AIM?? by jcicora · · Score: 0

    I didn't realize people still used AIM. I thought everyone "cool" had moved on to MyFaceSpaceBook

    1. Re:AIM?? by Ajehals · · Score: 3, Funny

      Is that a web 3.0 site or is it web 95?

  6. Just kick the big one, go gaim. by TehSpida · · Score: 1, Insightful

    Uhhh, as far as I'm concerned if you still use AIM you deserve what you get, the only reason AOL itself is still around is because of our poor grandparents who don't know any better. I say "Boo on you" aol for taking advantage of our elderly community that doesn't know any better by forcing them to install additional programs such as "ViewPoint Media Player" if they want AIM. Its crap that you make Customers of your's download additional adware to help support your continued existence, just roll over and call it quits. Time Warner is the only way you have left. Period.

    1. Re:Just kick the big one, go gaim. by Anonymous Coward · · Score: 0

      People don't deserve misfortune simply because they are ignorant. That's like saying it's _your_ fault when the mechanic tells you it will cost $1000 to repair a $100 problem on your car, or that kids working in a sweatshop deserve to be paid $1 per day simply because they don't know they are sewing sweaters that retail for $250 in NYC.

    2. Re:Just kick the big one, go gaim. by buzzy452 · · Score: 1

      I agree with the above comment -- our "poor old grandparents" are people too! And, though they may be difficult to find, I'm sure there are plenty of people who still use the AIM client just because they honestly like it better. (Perish the thought.) AOL is showing a huge lack of propriety.

  7. Worms by Corpuscavernosa · · Score: 1, Funny

    Could AOL and Core's warning be described as "Wormsign"?

    --
    We figured out a long time ago that it's easier to elect seven judges than to elect 132 legislators.
  8. Are you mad? by pushing-robot · · Score: 4, Funny

    AOL creates a stable worm hole and you /. types want to close it? Bastards!

    --
    How can I believe you when you tell me what I don't want to hear?
    1. Re:Are you mad? by RockoTDF · · Score: 1

      Only AOL could make something so bloated and overdone that it collapses under....oh wait thats a black hole. Where is Mr. Hawking when we need him?

      --
      There is more to science than physics!

      www.iomalfunction.blogspot.com
    2. Re:Are you mad? by Alwin+Henseler · · Score: 1

      AOL creates a stable worm hole and you /. types want to close it? Bastards!

      You haven't seen what's on the other side, have you? Besides, this isn't one worm hole but many, spread all over the f**king place.

    3. Re:Are you mad? by Chris+Mattern · · Score: 2, Funny

      AOL creates a stable worm hole and you /. types want to close it? Bastards!


      The Prophets will hear of this!

      Chris Mattern
  9. Hehehehe... by halcyon1234 · · Score: 0, Troll
    Gaping A HOLE.

    I'll let some other troll post the goatse link.

    --
    UTF-8: There and Back Again
  10. For Mac Users: by cromar · · Score: 3, Informative

    Adium is a sweet, multi-service, OSS IM client.

    1. Re:For Mac Users: by cthulhu11 · · Score: 1

      Sweet modulo the long-standing inability to transfer files. Attempts to send them almost always fail; having someone send one to me when I'm running Adium is a sure-fire way to have it crash within 5 minutes. Yes, I reported it long ago.

  11. Linux version of exploit by Anonymous Coward · · Score: 0

    me: yada yada boobies!
    nob: waffle waffle
    me: boobies boobies!
    nob: <exploit>Please click calculator icon</exploit>
    me: no

    FOILED!

    1. Re:Linux version of exploit by CollegeKid092588 · · Score: 0, Offtopic

      you no idea what you're talking about- sometimes it's extremely hard to resist boobies

    2. Re:Linux version of exploit by Ajehals · · Score: 1

      Whilst reading your post I got the urge to launch xcalc, so I would have to say that Debian Stable *is* vulnerable.....

  12. This is how the end of software giants begins by zappepcs · · Score: 3, Interesting

    Their death is slow, torturous, tortuous, and painful to experience with them, but when they refuse to change with the times, and provide secure computing experience, customer's move on to something else. A word of warning for FOSS developers here.

    Today we see people suggesting strongly that users abandon MS's new OS for many reasons. This is the arguably dominant desktop OS across the globe, and they are losing face for nothing more than treating users and customers like idiots.

    It won't take long before no one will use AIM, and that problem will go away. Sure, it will still be around on someone's machine somewhere, but that user will die of stupidity soon anyway.

    I may sound sarcastic, but I'm not, this is how the end begins. Making stupid mistakes, letting end users suffer, and generally thinking that not creating superior products is necessary. I personally choose to suffer bad driver support or other shortcomings than allow the OS manufacturer spy on my computer use, or worse report it back to someone else.

    Google dances around this line quite a lot, but seems to still respect the user, and their privacy. I am seriously hoping that this issue becomes a US Presidential election issue. Privacy, security, and consumer rights where software is concerned. The MS stealth update is nothing more than malware. Commercial companies found guilty of DDoS and other sabotage efforts should be fined, and corporate officers imprisoned.

    Yes, I could make the hardware on my desk secure by unplugging the network cable, but I can also make my car safe from accidents if I leave it in the garage. Neither is a suitable answer. Common sense should be applied to this, if your vehicle suddenly stopped getting > 25mpg because you filled the tank with brand X gasoline it would be a case for federal investigations. My computers cost as much as my car, I spend a great deal of money each month on or via my network connection using those computers. It is time that personal liberties and security were treated the same whether it is in regard to computing, or any other activity.

    voting with your feet will eventually kill off the AIM client, but it should a case for a fine, if not more that the hole was left open negligently.

    --
    Support NYCountryLawyer RIAA vs People
    1. Re:This is how the end of software giants begins by BosstonesOwn · · Score: 2, Insightful

      May I suggest you sell off that Yugo and 386 and move up to a Toyota corolla and Athlon 64 ?

      You won't see any of that happen until it hits home for a couple of the high ups in government, if their data gets stolen big deal its tax payers who foot the bill , but if some one steals their identity and ruins their life for a couple months maybe something will change.

      --
      This package Does Not Contain a Winner
  13. then dont use AIM by g8rboy · · Score: 1

    Then another reason to use proxy servers with your Trillian or GAIM accounts.

    1. Re:then dont use AIM by deftcoder · · Score: 1

      What the hell is a proxy server going to do besides just add more latency to your AIM session? (and potentially spy on it)

      --
      Peace sells, but who's buying?
    2. Re:then dont use AIM by rk075245 · · Score: 1

      Proxy appliances control Web access!!!!

  14. AIM, I miss you! by Anonymous Coward · · Score: 1, Funny

    I had to uninstall AIM after my wife cought me cybering with a Russian chick...

    1. Re:AIM, I miss you! by Anonymous Coward · · Score: 0

      Surely you've heard about the Russian "chicks" on AIM by now?

  15. 3rd party dependance by KevMar · · Score: 1

    I didnt read the details, but i would almost bet that they are using an IE control and dont imediatly know a way to fix the problem. So they are going to try and catch the exploit instead leaving them open to future creative attacks.

    I also think the use of the ie control will be the root of many more issues that have yet to be uncovered. If they could run that control in a restricted security setting, it would go along way. If its just for display only, strip it of all security and go on.

    If you just treat the entire control as hostile (it is IE isnt it), then it cant suprise you with something new and undocumented.

    Im sure its issues like this that introduced IE's use of zones. Not that it handles it any better, but I can see the idea behind it.

    --
    Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    1. Re:3rd party dependance by BosstonesOwn · · Score: 1

      This brings to mind 1 question. Can we sandbox an IM client ? Maybe anything related to IE should no be sandboxed. Something has to be done to try and stem the worms that seem to just keep coming from IE based exploits.

      --
      This package Does Not Contain a Winner
    2. Re:3rd party dependance by TheRealMindChild · · Score: 1

      Thinstall

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    3. Re:3rd party dependance by KevMar · · Score: 1

      We do love to pick on IE, but the issue is more that that component has such a high target area and runs on so many computers. But the truth of it is any component could be just as bad. It easily could have been any other rendering engine that was used and one of there exploits could have been used. Firefox isnt bullet proof either.

      Using these as components only compounds the issue. its highly likely that the component wont be the newset version with the newest patches. so one could look at curent fixes and know what the older ones have problems with. What if its a component that does not have auto update and the user never uses the main product. We all know the problems with ie 5 or say firefox 1.0.

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
  16. What to do now... by zdude255 · · Score: 3, Funny

    So, what's the windows equivalent of rm -rf /

    1. Re:What to do now... by Anonymous Coward · · Score: 1, Informative

      deltree /Y C:\

    2. Re:What to do now... by Anonymous Coward · · Score: 2, Informative

      For anything up to NT. For XP and higher, it'd be rmdir /S /Q C:

    3. Re:What to do now... by mcpkaaos · · Score: 5, Funny

      So, what's the windows equivalent of rm -rf /

      Visual SourceSafe.

      --
      It goes from God, to Jerry, to me.
    4. Re:What to do now... by Shados · · Score: 1

      I almost fell down my chair reading that one. Funny +6. Mostly because its true.

    5. Re:What to do now... by clustersnarf · · Score: 1

      deltree /Y c:\

    6. Re:What to do now... by Azuma+Hazuki · · Score: 1

      I believe it was format C:

      Might want to have a Linux LiveCD handy...you needed it before that command, but you'll *definitely* need it afterwards.

      --
      ~Eien no Inori wo Sasagete~ Searching for my Hatsumi...
    7. Re:What to do now... by NightOath · · Score: 1

      i believe its: `deltree /y C:\` though gparted livecd may be a better idea...

  17. It's not GAIM anymore. by Alaria+Phrozen · · Score: 1

    It's called Pidgin now, you r-tard.

  18. OMG, mod this up! by Anonymous Coward · · Score: 0

    As someone who uses SourceSafe for years, I just about peed myself after reading this.

  19. ZOMG! by Cervantes · · Score: 1

    Oh my $deity.... this is amazing! Unfathomable! Shocking and awe-inspiring!

    AOL and AIM are still around???

    --
    If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
    1. Re:ZOMG! by Phroggy · · Score: 1

      There's no good reason to use AOL, but AIM is an entirely different service, which continues to work just fine. Of course, many of us connect to it using a third-party client, but the official AIM client is the most reliable when it comes to things like file transfers and extra features, so some people use that, because it works.

      There are only three major IM networks that are used by a large enough number of normal people to make them worth bothering with: AIM, MSN Messenger, and Yahoo Messenger. A handful of geeks use Jabber. Everyone else has moved to web-based services like MySpace and Facebook to communicate (which only sounds painful to those of us who know the difference between e-mail and webmail).

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  20. Why AOL exists by SoapBox17 · · Score: 1

    AOL is a much bigger company than just the online service. For example, they own advertizing.com... Which I'm sure makes them a lot of money.

  21. Forget installing software...just Meebo by fsckr · · Score: 4, Interesting

    I've been using meebo.com for about a year and up until a couple of weeks ago, the only failing was that it didn't have file transfer capabilities. Now that they fixed that, the site is about as good as an IM client can get + no need to install software (and it even works on iphone etc...)

    Oh yeah, and there's no need to remember multiple account password

    --
    fsckr.com - go fusk yourself!
  22. IM risk to use by rk075245 · · Score: 1

    The widespread use of instant messaging (IM) continues to increase the security risks for both organizations and individual users. While instant messaging can be a very useful communication tool, it is also subject to many security concerns. Recent attacks include new variations in the establishment and spread of botnets, and the use of compromised instant messaging accounts to lure users into revealing sensitive information. Variants of e-mail worms (such as the Mytob family) have also been spread through the use of instant messaging. The general risk areas related to instant messaging are:

    Malware -- Worms, viruses, and Trojans transferred through the use of instant messaging. Many bots are controlled via IRC channels.

    Information confidentiality -- Information transferred via instant messaging can be subject to disclosure along any part of the process.

    Network -- Denial of service attacks; excessive network capacity utilization, even through legitimate use.

    Application vulnerabilities -- Instant messaging applications contain vulnerabilities that can be exploited to compromise affected systems.

  23. Aim will me moving to to ICQ soon. by johnsie · · Score: 0

    Aol recently announced that they will be moving the all their IM development over to ICQ Israel. Hopefully they will do a better job with the IM than aol were doing. Aol has never been a good IM. I dont know what people here think of ICQ, but back in the day ICQ was the best IM until the big corps like aol, yahoo and msn jumped in. Eventually ICQ turned a bit bloated and that's when I stopped using it. I hope ICQ make some big changes to the aol messenger.

  24. Old versions NOT impacted. Stick with 3.x or 4.x by Anonymous Coward · · Score: 0

    This is precisely why I have stayed with the older versions that came with Netscape Communicator. Simply put, they're not vulnerable, as they do not rely on the existence of Internet Explorer in any way. There has never been any compelling reason to use any version of AIM > 4.3.

  25. What's worse? Bloat, or cpu usage? by znerk · · Score: 1

    I used to think Trillian was the be-all end-all... a single client that accesses half a dozen networks. Beautiful, right? Sure, until you realize that Trill cheerfully eats up to 80% cpu on a system when it's actively doing something; and the wiki interface, while very cool, breaks within a few weeks of "normal" usage. Hmm. Now that I think of it, those two items may be related.

    --
    This work is licensed under a Creative Commons Attribution 3.0 Unported License.
  26. Well, I always thougt AOL was a black hole by Mercano · · Score: 1

    I mean, unless they're near a black hole or are pumping an insane amount of power into it, the wormhole should have taken care of itself and collapsed in 38 minutes. In other news, a new season of Stargate, sans SG-1, starts tonight.

    --
    #include <signature.h>
  27. What versions? by Anonymous Coward · · Score: 0

    What versions have this hole?

    I'm using version 5.1.3036 from oldversion.com. It's the last version that doesn't start playing video/audio at random times.

  28. what else can be do??? by aman534 · · Score: 1

    hurm, it looks like they have to wait until the middle of October. Meanwhile, they can switch to meebo or pidig if they want to :P