Despite AOL's Claim, AIM Worm Hole Still Wide Open 75

Clown of the month writes "There's a nasty worm hole in America Online's standalone AIM (instant messaging) software that won't be patched until the middle of October. This vulnerability, first reported to AOL by researchers at Core Security more than a month ago, is caused by the way AIM supports the rendering of HTML content via an embedded Internet Explorer server control. AOL coordinated with Core on the release of an advisory, on the understanding that the flaw was patched in the latest beta version. As security researcher Aviv Raff discovered, the underlying vulnerability was never fixed. In the demonstration, Raff simply sent an IM to trigger the launch of the calculator application. The attack scenario works without the target clicking on a link and only requires that the AIM user is logged on and accepting incoming messages."
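The root cause described above is untrusted message markup being handed straight to an embedded Internet Explorer control. As an added illustration of the defensive side, not code from AOL, Core Security or Aviv Raff, here is a constructed allowlist sanitizer in Python that reduces an incoming IM to basic text formatting before anything reaches an HTML renderer; the tag and attribute lists are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: an IM renderer only needs basic text formatting.
# Anything that can drive the embedded browser control (script, object,
# iframe, embed, img, event-handler/style attributes, URLs) is absent
# from the list and is therefore dropped rather than forwarded.
ALLOWED_TAGS = {"b", "i", "u", "br", "font"}
ALLOWED_ATTRS = {"font": {"color", "size", "face"}}
CONTENT_DROPPED = {"script", "style"}  # text inside these is never emitted


class IMHtmlSanitizer(HTMLParser):
    """Rebuilds an incoming message from the allowlist only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.muted = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_DROPPED:
            self.muted += 1
        if tag not in ALLOWED_TAGS or self.muted:
            return  # unknown tag: drop it, keep only its plain text
        keep = ALLOWED_ATTRS.get(tag, set())
        safe = [f' {k}="{escape(v, quote=True)}"' for k, v in attrs
                if k in keep and v is not None]
        self.out.append(f"<{tag}{''.join(safe)}>")

    def handle_endtag(self, tag):
        if tag in CONTENT_DROPPED and self.muted:
            self.muted -= 1
        elif tag in ALLOWED_TAGS and tag != "br" and not self.muted:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.muted:
            self.out.append(escape(data, quote=False))  # re-escape text

    def handle_comment(self, data):
        pass  # IE conditional comments are markup too; never forward them


def sanitize_im(html_payload: str) -> str:
    p = IMHtmlSanitizer()
    p.feed(html_payload)
    p.close()
    return "".join(p.out)
```

The client-side check belongs before the control is ever invoked; stripping on the server would still leave a patched-beta/unpatched-release mismatch like the one the summary describes.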
  • just use pidgin! (Score:4, Interesting)

    by mwilliamson ( 672411 ) on Thursday September 27, 2007 @05:20PM (#20774571) Homepage Journal
    Here's a perfect example of where an open-source solution beats the pants off a commercial one.
  • by necro2607 ( 771790 ) on Thursday September 27, 2007 @05:24PM (#20774617)
    Err, people actually still use the AIM client supplied by AOL? Almost everyone I know is using a 3rd-party multi-protocol app like Trillian or Gaim (on Windows) or Adium or iChat on OS X. I'd be totally surprised to see someone actually running the [IMO] horrible client made by AOL.
  • by Anonymous Coward on Thursday September 27, 2007 @05:35PM (#20774787)
    Know any normal people? In other words, people not in IT nor technically inclined? Unfortunately I see this crap still used on tons of clients' PCs ranging from secretaries to the head partners in various firms -

  • by zappepcs ( 820751 ) on Thursday September 27, 2007 @05:39PM (#20774835) Journal
    Their death is slow, torturous, tortuous, and painful to experience with them, but when they refuse to change with the times and provide a secure computing experience, customers move on to something else. A word of warning for FOSS developers here.

    Today we see people suggesting strongly that users abandon MS's new OS for many reasons. This is the arguably dominant desktop OS across the globe, and they are losing face for nothing more than treating users and customers like idiots.

    It won't take long before no one will use AIM, and that problem will go away. Sure, it will still be around on someone's machine somewhere, but that user will die of stupidity soon anyway.

    I may sound sarcastic, but I'm not; this is how the end begins. Making stupid mistakes, letting end users suffer, and generally thinking that not creating superior products is necessary. I personally choose to suffer bad driver support or other shortcomings rather than allow the OS manufacturer to spy on my computer use, or worse, report it back to someone else.

    Google dances around this line quite a lot, but seems to still respect the user, and their privacy. I am seriously hoping that this issue becomes a US Presidential election issue. Privacy, security, and consumer rights where software is concerned. The MS stealth update is nothing more than malware. Commercial companies found guilty of DDoS and other sabotage efforts should be fined, and corporate officers imprisoned.

    Yes, I could make the hardware on my desk secure by unplugging the network cable, but I can also make my car safe from accidents if I leave it in the garage. Neither is a suitable answer. Common sense should be applied to this: if your vehicle suddenly stopped getting > 25mpg because you filled the tank with brand X gasoline, it would be a case for federal investigations. My computers cost as much as my car; I spend a great deal of money each month on or via my network connection using those computers. It is time that personal liberties and security were treated the same whether it is in regard to computing, or any other activity.

    Voting with your feet will eventually kill off the AIM client, but it should be a case for a fine, if not more, that the hole was left open negligently.
  • by fsckr ( 965056 ) on Thursday September 27, 2007 @10:09PM (#20777501) Homepage
    I've been using meebo.com for about a year and up until a couple of weeks ago, the only failing was that it didn't have file transfer capabilities. Now that they fixed that, the site is about as good as an IM client can get + no need to install software (and it even works on iPhone etc...)

    Oh yeah, and there's no need to remember multiple account passwords.
