Slashdot Mirror


Despite AOL's Claim, AIM Worm Hole Still Wide Open

Clown of the month writes "There's a nasty worm hole in America Online's standalone AIM (instant messaging) software that won't be patched until the middle of October. This vulnerability, first reported to AOL by researchers at Core Security more than a month ago, is caused by the way AIM supports the rendering of HTML content via an embedded Internet Explorer server control. AOL coordinated with Core on the release of an advisory, on the understanding that the flaw was patched in the latest beta version. As security researcher Aviv Raff discovered, the underlying vulnerability was never fixed. In the demonstration, Raff simply sent an IM to trigger the launch of the calculator application. The attack scenario works without the target clicking on a link and only requires that the AIM user is logged on and accepting incoming messages."
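The summary above describes the mechanism: AIM hands the body of an incoming message to an embedded Internet Explorer control, so whatever markup a sender includes is rendered by a full browser engine with no click required. The check a client should make before doing that is an allowlist pass over the message body. The following is an added example written for this page, not code from AOL, Core Security or Aviv Raff, and the tag and attribute lists are assumptions chosen for illustration: only a handful of formatting tags survive, they are rebuilt from parsed values rather than copied through, and every other token (including `<script>`, `<object>`, `<iframe>` and event-handler attributes) is re-emitted as escaped text.

```javascript
'use strict';
// Added example (not AOL's code): allowlist sanitizer applied to an incoming IM
// body before it reaches an embedded HTML rendering control. Anything not
// explicitly allowed is re-emitted as escaped text, never as markup.
// The tag/attribute lists below are assumptions for this example.

const ALLOWED_TAGS = {
  b: [], i: [], u: [], br: [],
  font: ['color', 'size', 'face'],
  a: ['href'],
};
const VOID_TAGS = new Set(['br']);

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Returns the escaped attribute value if (tag, name, value) is acceptable, else null.
function safeAttrValue(tag, name, value) {
  if (!ALLOWED_TAGS[tag].includes(name)) return null;   // onmouseover, style, etc.
  if (name === 'href') {
    // Only absolute http(s) links; rejects javascript:, vbscript:, data:, file: ...
    return /^https?:\/\/[^\s"'<>]+$/i.test(value) ? escapeText(value) : null;
  }
  // color / size / face: colour names, #rrggbb, digits, font names
  return /^[A-Za-z0-9#, -]{1,40}$/.test(value) ? escapeText(value) : null;
}

function parseAttrs(raw) {
  const attrs = [];
  const re = /([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4]]);
  }
  return attrs;
}

function sanitizeImHtml(input) {
  const out = [];
  const open = [];   // stack of currently open allowed tags
  // A token is a complete tag, a run of text, or a lone '<' that is not a tag.
  const tokenRe = /<(\/?)([A-Za-z][A-Za-z0-9]*)([^<>]*)>|[^<]+|</g;
  let m;
  while ((m = tokenRe.exec(input)) !== null) {
    const [token, slash, rawName, rawAttrs] = m;
    if (rawName === undefined) { out.push(escapeText(token)); continue; }    // plain text
    const name = rawName.toLowerCase();
    if (!(name in ALLOWED_TAGS)) { out.push(escapeText(token)); continue; }  // <script>, <object>, ...
    if (slash) {
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue;                                   // stray close tag: drop it
      while (open.length > idx) out.push(`</${open.pop()}>`);    // close anything nested inside
      continue;
    }
    let tag = `<${name}`;
    for (const [attrName, attrValue] of parseAttrs(rawAttrs)) {
      const v = safeAttrValue(name, attrName, attrValue);
      if (v !== null) tag += ` ${attrName}="${v}"`;
    }
    out.push(tag + '>');
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  while (open.length) out.push(`</${open.pop()}>`);    // balance what the sender left open
  return out.join('');
}

// Constructed sample message, as an attacker might send it:
const sample = '<b onmouseover="x()">hi</b> <object data="evil"></object> <a href="javascript:alert(1)">link</a>';
console.log(sanitizeImHtml(sample));
```

Note the design choice: the sanitizer never copies a tag from the input; allowed tags are regenerated from parsed, validated pieces, so a malformed tag cannot smuggle extra attributes past the check. Existing entities in the input are escaped literally (`&amp;` becomes `&amp;amp;`), a fidelity loss taken on purpose. Sanitizing is also only half the fix: an embedded browser control that renders untrusted content should additionally have scripting and ActiveX disabled, since any sanitizer bypass otherwise lands straight in a scriptable engine.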

18 of 75 comments

  1. just use pidgin! by mwilliamson · · Score: 3, Interesting

    Here's a perfect example of where an open-source solution beats the pants off a commercial one.

    1. Re:just use pidgin! by Sarten-X · · Score: 4, Insightful

      Indeed. I've been using pidgin/GAIM for 3 years, and recommend it to everyone whose computer I've had to remove viruses from. There's really little reason to use AOL or MSN's client.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:just use pidgin! by Cal+Paterson · · Score: 4, Insightful

      Here's a perfect example of where an open-source solution beats the pants off a commercial one.
      This statement, while true, doesn't say a lot. Pidgin does have a lot of shortcomings (though it's all I use).
  2. wormhole? by FlashBuster3000 · · Score: 4, Funny

    Let me welcome our new Dominion Overlords!

  3. People still use AOL-supplied AIM client? by necro2607 · · Score: 3, Interesting

    Err, people actually still use the AIM client supplied by AOL? Almost everyone I know is using a 3rd-party multi-protocol app like Trillian or Gaim (on Windows) or Adium or iChat on OS X. I'd be totally surprised to see someone actually running the [IMO] horrible client made by AOL.

    1. Re:People still use AOL-supplied AIM client? by Kazrath · · Score: 2, Informative

      Plenty of reasons; to name one major one:

      Many major financial & trading firms use IM clients of all breeds to interact with customers/clients/associates on a daily basis. These communications need to have specific rules enforced against them and all communications recorded for them to be compliant. Many of the third-party IM clients do not integrate correctly with software that performs the management/proxying of IM traffic within an enterprise environment, or could allow access on protocols that are restricted.

    2. Re:People still use AOL-supplied AIM client? by dunezone · · Score: 2, Insightful

      Why not? The majority of individuals who grew up during the 90s grew up using AOL. They were accustomed to AIM and its user interface. Why do you think they still offer the old 5.9 version? And the open-source solution doesn't help them either. These people don't want change and they don't want to learn anything new. This is why people still use Windows.

    3. Re:People still use AOL-supplied AIM client? by Dunbal · · Score: 2, Insightful

      I cut my teeth on CompuServe and closed my accounts when they merged with AOL. AOL sucked back then, and it still sucks now. Only reason they ever became popular is because at least half the population of (insert country here) is ignorant.

      --
      Seven puppies were harmed during the making of this post.
  4. Are you mad? by pushing-robot · · Score: 4, Funny

    AOL creates a stable worm hole and you /. types want to close it? Bastards!

    --
    How can I believe you when you tell me what I don't want to hear?
    1. Re:Are you mad? by Chris+Mattern · · Score: 2, Funny

      AOL creates a stable worm hole and you /. types want to close it? Bastards!


      The Prophets will hear of this!

      Chris Mattern
  5. For Mac Users: by cromar · · Score: 3, Informative

    Adium is a sweet, multi-service, OSS IM client.

  6. This is how the end of software giants begins by zappepcs · · Score: 3, Interesting

    Their death is slow, torturous, tortuous, and painful to experience with them, but when they refuse to change with the times and provide a secure computing experience, customers move on to something else. A word of warning for FOSS developers here.

    Today we see people suggesting strongly that users abandon MS's new OS for many reasons. This is the arguably dominant desktop OS across the globe, and they are losing face for nothing more than treating users and customers like idiots.

    It won't take long before no one will use AIM, and that problem will go away. Sure, it will still be around on someone's machine somewhere, but that user will die of stupidity soon anyway.

    I may sound sarcastic, but I'm not; this is how the end begins. Making stupid mistakes, letting end users suffer, and generally thinking that not creating superior products is necessary. I personally choose to suffer bad driver support or other shortcomings rather than allow the OS manufacturer to spy on my computer use, or worse, report it back to someone else.

    Google dances around this line quite a lot, but seems to still respect the user, and their privacy. I am seriously hoping that this issue becomes a US Presidential election issue. Privacy, security, and consumer rights where software is concerned. The MS stealth update is nothing more than malware. Commercial companies found guilty of DDoS and other sabotage efforts should be fined, and corporate officers imprisoned.

    Yes, I could make the hardware on my desk secure by unplugging the network cable, but I can also make my car safe from accidents if I leave it in the garage. Neither is a suitable answer. Common sense should be applied to this, if your vehicle suddenly stopped getting > 25mpg because you filled the tank with brand X gasoline it would be a case for federal investigations. My computers cost as much as my car, I spend a great deal of money each month on or via my network connection using those computers. It is time that personal liberties and security were treated the same whether it is in regard to computing, or any other activity.

    Voting with your feet will eventually kill off the AIM client, but it should be a case for a fine, if not more, that the hole was left open negligently.

    1. Re:This is how the end of software giants begins by BosstonesOwn · · Score: 2, Insightful

      May I suggest you sell off that Yugo and 386 and move up to a Toyota corolla and Athlon 64 ?

      You won't see any of that happen until it hits home for a couple of the high-ups in government. If their data gets stolen, big deal, it's taxpayers who foot the bill, but if someone steals their identity and ruins their life for a couple of months, maybe something will change.

      --
      This package Does Not Contain a Winner
  7. Re:AIM?? by Ajehals · · Score: 3, Funny

    Is that a web 3.0 site or is it web 95?

  8. What to do now... by zdude255 · · Score: 3, Funny

    So, what's the windows equivalent of rm -rf /

    1. Re:What to do now... by Anonymous Coward · · Score: 2, Informative

      For anything up to NT. For XP and higher, it'd be rmdir /S /Q C:

    2. Re:What to do now... by mcpkaaos · · Score: 5, Funny

      So, what's the windows equivalent of rm -rf /

      Visual SourceSafe.

      --
      It goes from God, to Jerry, to me.
  9. Forget installing software...just Meebo by fsckr · · Score: 4, Interesting

    I've been using meebo.com for about a year and, up until a couple of weeks ago, the only failing was that it didn't have file transfer capabilities. Now that they've fixed that, the site is about as good as an IM client can get, plus no need to install software (and it even works on iPhone etc...).

    Oh yeah, and there's no need to remember multiple account passwords.

    --
    fsckr.com - go fusk yourself!