Slashdot Mirror


Despite AOL's Claim, AIM Worm Hole Still Wide Open

Clown of the month writes "There's a nasty worm hole in America Online's standalone AIM (instant messaging) software that won't be patched until the middle of October. This vulnerability, first reported to AOL by researchers at Core Security more than a month ago, is caused by the way AIM supports the rendering of HTML content via an embedded Internet Explorer server control. AOL coordinated with Core on the release of an advisory, on the understanding that the flaw was patched in the latest beta version. As security researcher Aviv Raff discovered, the underlying vulnerability was never fixed. In the demonstration, Raff simply sent an IM to trigger the launch of the calculator application. The attack scenario works without the target clicking on a link and only requires that the AIM user is logged on and accepting incoming messages."

6 of 75 comments

  1. wormhole? by FlashBuster3000 · Score: 4, Funny

    Let me welcome our new Dominion Overlords!

  2. Re:just use pidgin! by Sarten-X · Score: 4, Insightful

    Indeed. I've been using Pidgin/GAIM for 3 years, and recommend it to everyone whose computer I've had to remove viruses from. There's really little reason to use AOL or MSN's client.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  3. Are you mad? by pushing-robot · Score: 4, Funny

    AOL creates a stable worm hole and you /. types want to close it? Bastards!

    --
    How can I believe you when you tell me what I don't want to hear?
  4. Re:just use pidgin! by Cal+Paterson · Score: 4, Insightful

    Here's a perfect example of where an open-source solution beats the pants off a commercial one.
    This statement, while true, doesn't say a lot. Pidgin does have a lot of shortcomings (though it's all I use).
  5. Re:What to do now... by mcpkaaos · Score: 5, Funny

    So, what's the Windows equivalent of rm -rf /

    Visual SourceSafe.

    --
    It goes from God, to Jerry, to me.
  6. Forget installing software...just Meebo by fsckr · Score: 4, Interesting

    I've been using meebo.com for about a year and up until a couple of weeks ago, the only failing was that it didn't have file transfer capabilities. Now that they fixed that, the site is about as good as an IM client can get + no need to install software (and it even works on iPhone etc...)

    Oh yeah, and there's no need to remember multiple account passwords

    --
    fsckr.com - go fusk yourself!