Despite AOL's Claim, AIM Worm Hole Still Wide Open

Clown of the month writes "There's a nasty worm hole in America Online's standalone AIM (instant messaging) software that won't be patched until the middle of October. This vulnerability, first reported to AOL by researchers at Core Security more than a month ago, is caused by the way AIM supports the rendering of HTML content via an embedded Internet Explorer server control. AOL coordinated with Core on the release of an advisory, on the understanding that the flaw was patched in the latest beta version. As security researcher Aviv Raff discovered, the underlying vulnerability was never fixed. In the demonstration, Raff simply sent an IM to trigger the launch of the calculator application. The attack scenario works without the target clicking on a link and only requires that the AIM user is logged on and accepting incoming messages."

Re:just use pidgin!

[Sarten-X]

Indeed. I've been using pidgin/GAIM for 3 years, and recommend it to everyone whose computer I've had to remove viruses from. There's really little reason to use AOL or MSN's client.

Just kick the big one, go gaim.

[TehSpida]

Uhhh, as far as I'm concerned if you still use AIM you deserve what you get, the only reason AOL itself is still around is because of our poor grandparents who don't know any better. I say "Boo on you" aol for taking advantage of our elderly community that doesn't know any better by forcing them to install additional programs such as "ViewPoint Media Player" if they want AIM. Its crap that you make Customers of your's download additional adware to help support your continued existence, just roll over and call it quits. Time Warner is the only way you have left. Period.

Re:just use pidgin!

[Cal Paterson]

Here's a perfect example of where an open-source solution beats the pants off a commercial one.

This statement, while true, doesn't say a lot. Pidgin does have a lot of shortcomings (though it's all I use).

Re:This is how the end of software giants begins

[BosstonesOwn]

May I suggest you sell off that Yugo and 386 and move up to a Toyota corolla and Athlon 64 ?

You won't see any of that happen until it hits home for a couple of the high ups in government, if their data gets stolen big deal its tax payers who foot the bill , but if some one steals their identity and ruins their life for a couple months maybe something will change.

Re:People still use AOL-supplied AIM client?

[dunezone]

Why not? The majority of individuals who grew up during the 90s grew up using AOL. Were accustomed to AIM and its user interface. Why do you think they still offer the old 5.9 version? And the open-source solution doesnt help them either. These people dont want change and they dont want to learn anything new. This is why people still use Windows.

Re:People still use AOL-supplied AIM client?

[Dunbal]

I cut my teeth on CompuServe and closed my accounts when they merged with AOL. AOL sucked back then, and it still sucks now. Only reason they ever became popular is because at least half the population of (insert country here) is ignorant.