
Despite AOL's Claim, AIM Worm Hole Still Wide Open

Posted by Zonk
from the perhaps-they-should-fix-that dept.
Clown of the month writes "There's a nasty worm hole in America Online's standalone AIM (instant messaging) software that won't be patched until the middle of October. This vulnerability, first reported to AOL by researchers at Core Security more than a month ago, is caused by the way AIM supports the rendering of HTML content via an embedded Internet Explorer server control. AOL coordinated with Core on the release of an advisory, on the understanding that the flaw was patched in the latest beta version. As security researcher Aviv Raff discovered, the underlying vulnerability was never fixed. In the demonstration, Raff simply sent an IM to trigger the launch of the calculator application. The attack scenario works without the target clicking on a link and only requires that the AIM user is logged on and accepting incoming messages."

  • just use pidgin! (Score:4, Interesting)

    by mwilliamson (672411) on Thursday September 27, 2007 @05:20PM (#20774571)
    Here's a perfect example of where an open-source solution beats the pants off a commercial one.
    • by Sarten-X (1102295) on Thursday September 27, 2007 @05:23PM (#20774605)
      Indeed. I've been using pidgin/GAIM for 3 years, and recommend it to everyone whose computer I've had to remove viruses from. There's really little reason to use AOL or MSN's client.
    • by centinall (868713)
      I don't think that Pidgin can render HTML, or at least doesn't do it yet. Although why you would really want to do this is lost to me.
      • So it can render the emoticons everyone seems to love. Or, if you're like me, hate with a passion.

        I think it also transports the text and such in XML which is why it uses the rendering engine.
    • by p0tat03 (985078)
      Agreed. Although the lack of offline messaging in MSN is annoying, pidgin does everything I want MSN to do, with none of the things that the official client does that I hate.
    • For Mac Users: (Score:4, Informative)

      by cromar (1103585) on Thursday September 27, 2007 @05:37PM (#20774807)
      Adium [adiumx.com] is a sweet, multi-service, OSS IM client.
      • by cthulhu11 (842924)
        Sweet modulo the long-standing inability to transfer files. Attempts to send them almost always fail; having someone send one to me when I'm running Adium is a sure-fire way to have it crash within 5 minutes. Yes, I reported it long ago.
    • by Cal Paterson (881180) on Thursday September 27, 2007 @05:48PM (#20774937)

      Here's a perfect example of where an open-source solution beats the pants off a commercial one.
      This statement, while true, doesn't say a lot. Pidgin does have a lot of shortcomings (though it's all I use).
      • Personally, I use an IM to chat with friends; it works perfectly fine for that, so I don't really care what shortcomings Pidgin has. My only weakness is I haven't worked out how to get it installed on my computer (Ubuntu 64 bit), yet.
        • One thing I failed to point out, though; I haven't really been trying too hard.
        • by dlgeek (1065796)
          Gutsy: as root, apt-get install pidgin. Dapper/Edgy/Feisty still have an older version from before the name changed: as root, apt-get install gaim. There, you're done.
    • by kryptkpr (180196)
      My problem with Pidgin is with the rather plain way it looks. Kopete [kde.org] has a killer theming engine and many themes which are far more polished (imho) than Pidgin.
      • I like my logging. I have a complete history of everything that anyone has ever said to me available in the log, and I can always pick up where I left off.

        Pidgin has *almost* replaced e-mail for me.
    • by Dunbal (464142)
      Here's yet another perfect example of where an open-source solution beats the pants off a commercial one.

      There, fixed it for you.

  • wormhole? (Score:4, Funny)

    by FlashBuster3000 (319616) on Thursday September 27, 2007 @05:21PM (#20774577)
    Let me welcome our new Dominion Overlords!
  • by necro2607 (771790) on Thursday September 27, 2007 @05:24PM (#20774617)
    Err, people actually still use the AIM client supplied by AOL? Almost everyone I know is using a 3rd-party multi-protocol app like Trillian or Gaim (on Windows) or Adium or iChat on OS X. I'd be totally surprised to see someone actually running the [IMO] horrible client made by AOL.
    • Re: (Score:1, Interesting)

      by Anonymous Coward
      Know any normal people? In other words, people not in IT nor technically inclined? Unfortunately I see this crap still used on tons of clients' PCs ranging from secretaries to the head partners in various firms -

    • Re: (Score:2, Informative)

      by Kazrath (822492)
      Plenty of reasons; to name one major one:

      Many major financial & trading firms use IM clients of all breeds to interact with customers/clients/associates on a daily basis. These communications need to have specific rules enforced against them and all communications recorded for them to be compliant. Many of the third party IM clients do not integrate correctly with software that performs the management/proxying of IM traffic within an enterprise environment or could allow access on protocols that are restri
    • Re: (Score:3, Insightful)

      by dunezone (899268)
      Why not? The majority of individuals who grew up during the 90s grew up using AOL. They were accustomed to AIM and its user interface. Why do you think they still offer the old 5.9 version? And the open-source solution doesn't help them either. These people don't want change and they don't want to learn anything new. This is why people still use Windows.
      • Re: (Score:3, Insightful)

        by Dunbal (464142)
        I cut my teeth on CompuServe and closed my accounts when they merged with AOL. AOL sucked back then, and it still sucks now. Only reason they ever became popular is because at least half the population of (insert country here) is ignorant.
    • Yeah, I'll go on record and agree with the AC - there are PLENTY of people out there who have no idea what GAIM/Trillian/etc. even are. They aren't technical; they are less likely to patch or maintain AV, they are more likely to have a boatload of spyware clogging their IE browser. The unwashed masses. They include your neighbor, your doctor, and your garbageman. They are legion.
    • Almost everyone I know is using a 3rd-party multi-protocol app like Trillian or Gaim

      Do you know any soccer moms from rural Nebraska?
  • ...combined with excessive bloat are why I use Trillian.
      From May: http://crave.cnet.com/8301-1_105-9722313-1.html [cnet.com], but it shows that no IM client is secure; less bloated, yes, and patched faster, yes, but not secure from someone willing and wanting to do harm.

      IMHO any open source IM client is inherently better. It's patched faster 90% of the time.
    • I used to think Trillian was the be-all end-all... a single client that accesses half a dozen networks. Beautiful, right? Sure, until you realize that Trill cheerfully eats up to 80% cpu on a system when it's actively doing something; and the wiki interface, while very cool, breaks within a few weeks of "normal" usage. Hmm. Now that I think of it, those two items may be related.
  • Uhhh, as far as I'm concerned, if you still use AIM you deserve what you get. The only reason AOL itself is still around is because of our poor grandparents who don't know any better. I say "Boo on you" aol for taking advantage of our elderly community that doesn't know any better by forcing them to install additional programs such as "ViewPoint Media Player" if they want AIM. It's crap that you make customers of yours download additional adware to help support your continued existence, just roll over and ca
    • It's called Pidgin now, you r-tard.
    • AOL is a much bigger company than just the online service. For example, they own advertizing.com... Which I'm sure makes them a lot of money.
  • Worms (Score:1, Funny)

    Could AOL and Core's warning be described as "Wormsign"?
  • by pushing-robot (1037830) on Thursday September 27, 2007 @05:26PM (#20774657)
    AOL creates a stable worm hole and you /. types want to close it? Bastards!
    • by RockoTDF (1042780)
      Only AOL could make something so bloated and overdone that it collapses under....oh wait, that's a black hole. Where is Mr. Hawking when we need him?
    • AOL creates a stable worm hole and you /. types want to close it? Bastards!

      You haven't seen what's on the other side, have you? Besides, this isn't one worm hole but many, spread all over the f**king place.

    • Re: (Score:3, Funny)

      by Chris Mattern (191822)

      AOL creates a stable worm hole and you /. types want to close it? Bastards!

      The Prophets will hear of this!

      Chris Mattern
  • Hehehehe... (Score:1, Troll)

    by halcyon1234 (834388)
    Gaping A HOLE.

    I'll let some other troll post the goatse link.

    • The widespread use of instant messaging (IM) continues to increase the security risks for both organizations and individual users. While instant messaging can be a very useful communication tool, it is also subject to many security concerns. Recent attacks include new variations in the establishment and spread of botnets, and the use of compromised instant messaging accounts to lure users into revealing sensitive information. Variants of e-mail worms (such as the Mytob family) have also been spread through
  • by zappepcs (820751) on Thursday September 27, 2007 @05:39PM (#20774835) Journal
    Their death is slow, torturous, tortuous, and painful to experience with them, but when they refuse to change with the times and provide a secure computing experience, customers move on to something else. A word of warning for FOSS developers here.

    Today we see people suggesting strongly that users abandon MS's new OS for many reasons. This is the arguably dominant desktop OS across the globe, and they are losing face for nothing more than treating users and customers like idiots.

    It won't take long before no one will use AIM, and that problem will go away. Sure, it will still be around on someone's machine somewhere, but that user will die of stupidity soon anyway.

    I may sound sarcastic, but I'm not, this is how the end begins. Making stupid mistakes, letting end users suffer, and generally thinking that not creating superior products is necessary. I personally choose to suffer bad driver support or other shortcomings than allow the OS manufacturer spy on my computer use, or worse report it back to someone else.

    Google dances around this line quite a lot, but seems to still respect the user, and their privacy. I am seriously hoping that this issue becomes a US Presidential election issue. Privacy, security, and consumer rights where software is concerned. The MS stealth update is nothing more than malware. Commercial companies found guilty of DDoS and other sabotage efforts should be fined, and corporate officers imprisoned.

    Yes, I could make the hardware on my desk secure by unplugging the network cable, but I can also make my car safe from accidents if I leave it in the garage. Neither is a suitable answer. Common sense should be applied to this, if your vehicle suddenly stopped getting > 25mpg because you filled the tank with brand X gasoline it would be a case for federal investigations. My computers cost as much as my car, I spend a great deal of money each month on or via my network connection using those computers. It is time that personal liberties and security were treated the same whether it is in regard to computing, or any other activity.

    Voting with your feet will eventually kill off the AIM client, but it should be a case for a fine, if not more, that the hole was left open negligently.
    • Re: (Score:2, Insightful)

      by BosstonesOwn (794949)
      May I suggest you sell off that Yugo and 386 and move up to a Toyota Corolla and Athlon 64?

      You won't see any of that happen until it hits home for a couple of the high-ups in government. If their data gets stolen, big deal, it's taxpayers who foot the bill, but if someone steals their identity and ruins their life for a couple months, maybe something will change.
  • Then another reason to use proxy servers with your Trillian or GAIM accounts.
  • by Anonymous Coward
    I had to uninstall AIM after my wife caught me cybering with a Russian chick...
  • I didn't read the details, but I would almost bet that they are using an IE control and don't immediately know a way to fix the problem. So they are going to try and catch the exploit instead, leaving them open to future creative attacks.

    I also think the use of the IE control will be the root of many more issues that have yet to be uncovered. If they could run that control in a restricted security setting, it would go a long way. If it's just for display only, strip it of all security and go on.

    If you just trea
    • This brings to mind one question. Can we sandbox an IM client? Maybe anything related to IE should now be sandboxed. Something has to be done to try and stem the worms that seem to just keep coming from IE-based exploits.
      • Thinstall [thinstall.com]
      • by KevMar (471257)
        We do love to pick on IE, but the issue is more that that component has such a high target area and runs on so many computers. But the truth of it is any component could be just as bad. It easily could have been any other rendering engine that was used, and one of their exploits could have been used. Firefox isn't bulletproof either.

        Using these as components only compounds the issue. It's highly likely that the component won't be the newest version with the newest patches. So one could look at current fixes
  • by zdude255 (1013257) on Thursday September 27, 2007 @06:03PM (#20775139)
    So, what's the Windows equivalent of rm -rf /?
  • Oh my $deity.... this is amazing! Unfathomable! Shocking and awe-inspiring!

    AOL and AIM are still around???
    • by Phroggy (441)
      There's no good reason to use AOL, but AIM is an entirely different service, which continues to work just fine. Of course, many of us connect to it using a third-party client, but the official AIM client is the most reliable when it comes to things like file transfers and extra features, so some people use that, because it works.

      There are only three major IM networks that are used by a large enough number of normal people to make them worth bothering with: AIM, MSN Messenger, and Yahoo Messenger. A handf
  • I mean, unless they're near a black hole or are pumping an insane amount of power into it, the wormhole should have taken care of itself and collapsed in 38 minutes. In other news, a new season of Stargate, sans SG-1, starts tonight.
  • hurm, it looks like they have to wait until the middle of October. Meanwhile, they can switch to meebo or Pidgin if they want to :P
