AOL Instant Messenger Remote Hole 343
The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. "So easy to hack, no wonder it's number one!" Details can be found at the w00w00 site."
How to protect yourself (Score:5, Informative)
We recommend Robbie Saunder's AIM Filter (http://www.ssnbc.com/wiz [ssnbc.com]) to protect yourselves. A temporary solution is to go into your Preferences and in the Privacy section click "Allow Only Users on My Buddy List" under "Who can contact me."
Re:How to protect yourself (Score:3, Informative)
UPDATE: AOL will be fixing this in the server side within a day or two.
Re:How to NOT protect yourself (Score:3, Informative)
AIM Filter being the program that, if not a trojan, at least has various remote access abilities.
See the bugtraq archive [securityfocus.com] for more information.
Amusing that its use is recommended in the security advisory.
Re:How to protect yourself (Score:2)
you have nice friends. i don't. we get into wars where we warn each other off IM on a daily basis.
now to go download the exploit and really sock it to 'em!
Re:How to protect yourself (Score:2, Insightful)
``We have identified the issue and have developed a resolution that should be deployed in the next day or two,'' AOL's Andrew Weinstein said. ``To our knowledge, this issue has not affected any users.'' ``We'd encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it,'' Weinstein said.
I'd appreciate it if AOL would get their act together and take some responsibility for writing the piece of crap and its corresponding holes. What ever happened to auditing code? This is just plain ignorance on how to deal with buffer overruns. And probably not a little of Window's holes that the programmers take for granted.
I just don't like that AOL wants to buy time to spin the issue to save their face by releasing notice of the hole and the cure at the same time, but I also realise that half the jerks out there are going to run this little tool to blow a bunch of random machines on the Internet. Why exactly didn't AOL respond to messages over the holidays? Surely they were staffed by some. I guess they'll make sure to check to see if "they've got mail" next time.
Re:How to protect yourself (Score:2, Insightful)
Re:How to protect yourself (Score:2)
You have mail! (Score:3, Funny)
Not to be really dark and evil, but... (Score:2, Funny)
Marriages would be broken.
Important MS memos would be leaked.
VPs with high salaries would be exposed.
Oh, if I had the balls to write such things...
Re:Not to be really dark and evil, but... (Score:2)
Why not wait a day? (Score:2, Insightful)
Re:Why not wait a day? (Score:5, Insightful)
Perhaps the former was a result of the latter? There's a concept called "lighting a fire under their ass".
Re:Why not wait a day? (Score:5, Insightful)
All of these actions could have theoretically been done in the name of improving security but in the short-term all they do is recklessly endanger it.
These actions wouldn't fly in the real world without legal repercussions. And how can you claim that they are done in the interest of the public when so much anonymous public damage could result in the short-term? Is there anyone out there who really believes this isn't being done to take a stab at big corporations for big corporations' sake, by individuals who thrive in the gray area of the law?
There is at least one long-term upside to w00w00's actions, though. Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.
Re:Why not wait a day? (Score:5, Insightful)
additionally, in your analogy, for each poster up on the telephone pole, they would have included a box full of replacement keypads (or whatever) to fix the problem; w00w00 did list a place to download a proxy that will serve as a temporary fix. it's allowing people to be able to make the decision to protect themselves, instead of being subject to the whims of Big Bad Corporation X's product life cycle.
just the old regulated security VS. freedom debate.
Re:Why not wait a day? (Score:2, Insightful)
Re:Why not wait a day? (Score:3, Interesting)
I'd like to start by stating that I don't condone w00w00's (gad what a name) actions, I was simply offering a possible answer to a question (which, for some reason, got modded up all to hell. I guess the SlashThink mindset agrees with all that appears to screw corporations).
Now, in an attempt to answer your question - I think this sort of thing is defnitely a free speech issue, and I think in some cases it's justified.
Let's take your example of a GM exploit - if I discovered such a thing and called GM about it (even if I were a registered/certified GM mechanic) - how many layers of corporate denial, obfuscation and red tape do you think I'd encounter? After all, a recall to fix the problem is going to cost some green, and I'm just some schmuck mechanic. So how long do you think it would take GM to fix the problem, versus the amount of time that someone who liked stealing cars figured it out?
If instead of calling GM I phoned the local TV stations and demonstrated the problems - do you think that would speed up a GM recall? I sure do.
Does this hurt the corporation? Yes. But then it was the corporation that created the exploit, or failed to close it. You reap what you sow.
And how can you claim that they are done in the interest of the public when so much anonymous public damage could result in the short-term?
The same could be said about an internet article that explains how to pick locks. Should such sites be shut down, in the name of the public interest?
Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.
Which is the greater endangerment: the discription of an exploit, or the exploit's existance?
Re:Why not wait a day? (Score:3, Insightful)
Does this make me a murderer? (Score:2, Interesting)
1. Humans are mortal
2. Poking a big hole in a human can kill it
3. Humans are the weak spot in bank security
4. Humans fear having holes poked in them
5. Guns are effective tools for poking holes in humans
6. Pointing guns at humans can get them to do what you want
7. Humans in banks will give you money if you point a gun at them
8. To kill a human quickly, shoot it in the heart or head
9. Explosives are also very effective
My apologies to all for whom this information represents a decrease in personal security. But rest assured, your firewall will continue to function long after your life has drained away.
Re:Does this make me a murderer? (Score:2)
- Computers are breakable
- Poking a big hole in a computer can break it
- Guns are affective tools for poking holes in computers
- Firewall software doesn't run in broken computers
- To stop a firewall quickly shoot the computer just about anywere
And remeber kids - If you shoot a brand computer don't peek inside or you might be breaking the DCMARe:Why not wait a day? (Score:2)
------
We contacted the AOL Instant Messenger group but never received a response. Normally we would be inclined to provide a fix, but it is illegal to reverse engineer the AIM executable (DMCA and AIM's license agreement to thank), so we are unable to provide a patch which will modify it. Instead, we recommend Robbie Saunder's AIM Filter (http://www.ssnbc.com/wiz/) to protect yourselves.
------
They notified AOL, they got no reply. They did the right thing. End of story.
Re:Why not wait a day? (Score:2, Informative)
They sure as hell *did* want to embarrass AOL, and you know why? Because telling people something gets things done! If w00w00 had elected *not* to tell AOL, this bug could have been sitting out there for many months to come, and by the time AOL finally did decide to fix it, it could have reached epic proportions.
Well let's see. The situation went from a few dozen (hundred?) people being able to exploit an obscure hole to hundreds of thousands knowing how in detail.
But most boxen on which AOL is run are on narrowband connections, on the less powerful of the Windows operating systems, and turned off most of the time. Any exploitation (beyond vast compromise, which would likely be picked up by AOL staff) would be for little more than just making trouble.
Think about it: even if deployment of a bug fix hadn't been slated for another month, all w00w00 accomplished was a dramatic increase in AOL's (and AOL users') damage exposure. They did the self-righteous thing.
OK, let's do some rough math right now. Say that yesterday, J. Random Cracker found this m4d AOL exploit. He would prolly relay it to his friends to show how 1337 he was through (most likely) IRC. Assuming that he's on a fairly good-sized IRC channel, 20-50 people learn about the exploit right there. It spreads in much the same way throughout the "hacker" underground, and within hours, hundreds of thousands of l33t h4x0rz all know about the exploit and begin using it on hapless AOL users (few, if any, of whom are running any server daemons). This will go on until:
a) The magnitude of the traffic is large enough to show up on AOL's collective radar,
b) An attacker suddenly gets a pang of conscience and reports the exploit to a security firm, or
c) A computer with sufficiently robust security gets hit (either by the attackers' AOL exploits or attacks launched from the compromised computers), the admin notices, investigates, talks to AOL, gets logs, and reports the exploit to a security firm.
In any case, the collective exposure is a good deal more than what w00w00 has restricted it to (the collective malicious-user traffic to their site and the mass media for a period of one day, if AOL is to be believed). They didn't do the self-righteous thing, they did the honest thing.
Ebarrassment, Blood, and Guilt (Score:3, Informative)
Information security tends to take a far back seat within the corporate world. Doesn't matter if it is management, administration, or development - infosec is a secondary thought if its even considered.
Part of this is the specialized knowledge required to handle infosec issues (not that it couldn't be widely aquired). It takes a concious effort to implement a secure system. This is often considered additional effort. And additional cost.
Another part of the puzzle is a general disbelief anyone could discover a vulnerability and would bother to take advantage of it. This discounts the number of technically minded individuals your infrastructure is exposed to on the net (compounded by automating attacks). It also ignores that even trivial applications can cause considerable damage (I have some friends working infosec for large corporations who went in to high gear with this announcement - AIM exists in many environments).
Finally, infosec is rarely a consumer requirement. Functionality is what sells widgets. Unless the widget is touted as being secure (even IF its supposed to be secure), security won't sell as many widgets if the widgets don't blink and beep nicely. Thus infosec isues are not pushed during initial development.
So now it gets bloody. Damage gets done. Consumers begin to see how these strange little issues cause them pain. They begin to demand better, more secure products. Product goals begin to include infosec. Better products get produced.
And those who would take advantage of vulnerabilities... quietly and to personal gain (or even loudly and publically) have fewer and fewer targets.
And its possible more attention will be paid to those who build faulty, and ultimately dangerous, data infrastructures. Maybe even legal liability.
Re:Why not wait a day? (Score:3, Funny)
Or maybe they just hate AOL like I do and want to make them squirm...
GTRacer
- No AOL on my IP-enabled PS2, THX!
Re:Why not wait a day? (Score:5, Insightful)
I am not an OSS zealot although I do dual-boot Mandrake.
I hate AOL because of their incredibly asinine advertising! "Everyone I know is on my Buddy List!" Maybe it's time for more friends! I used AOL 3, 4 and 5 at work and at home and despised the branding tricks and limitations on the Internet experience.
I also loathe the way it seems (my perception - may not reflect reality) they feel their users need a prepackaged community because they're simpletons who don't need a better, deeper Internet experience. Kinda reminds me of various SF dystopias where the general populace is kept just smart enough to be useful but not enough to be critical thinkers and therefore dangerous to the status quo.
GTRacer
- Equal-opportunity company basher!
why not (Score:2)
Why not? Don't you use any?
[*duck*]
hawk, who bought the last pair of quality microsoft products: word 5.1 and excel 4
Open your eyes... (Score:2, Interesting)
It's already like this. Just look at the government we have now: One which is more worried about banning abortion to produce more babies, instead of enforcing better (and cheaper) birth control. One which is more worried about protecting ourselves from ourselves (read: victimless crimes), instead of letting us learn from our mistakes (or letting evolution sort it out). One which is more worried about getting elected the next term and getting in the pockets of lobbists, instead of passing laws that the people really need.
Just look at our idiotic voters. They are the mediorce masses. They are the ones just smart enough to be useful, but not smart enough to see that they've been screwed. They are the proles [1984], and the future is NOT with them.
Re:Open your eyes... (Score:2)
Info on AIM protocol (Score:3, Informative)
Re:Info on AIM protocol (Score:4, Informative)
Re:Info on AIM protocol (Score:2)
not any machine (Score:5, Informative)
This does not affect the
non-Windows versions, because the non-Windows versions currently do
not yet support the feature that this vulnerability occurs in.
Most of the writeup bashes the DMCA (Score:5, Interesting)
From the NTBugtraq letter:
First, the Digital Millenium Copyright Act affects circumvention of anti-piracy mechanisms and reverse engineering. If a product is released in binary form only (i.e., AOL) to protect its technologies and one attempts to reverse engineer the file, it's a violation of the DMCA. It's no question who the lobbyists behind this law were: the big corporations. Not surprisingly, AOL Time Warner was one of the DMCA's biggest supporters. Find out more information about the DMCA at http://www.anti-dmca.org.
So do the work in a civilised country (Score:2, Informative)
Re:So do the work in a civilised country (Score:2, Funny)
How is this a violation of the DMCA? (Score:2)
It's a bad law, for sure, but making false claims about what it covers does NOT help our cause.
No! (Score:2)
People really need to get their facts straight about the law or we are going to be totally incoherent when we try to challenge it (or convince our friends and family that it is bad).
Re:Most of the writeup bashes the DMCA (Score:2)
Baseball teams belong to leagues.
Lawyers are legal professionals.
Re:Most of the writeup bashes the DMCA (Score:2)
It says it's illegal to reverse enginner a copyright protction mechanism.
This is clearly not that; to apply tthe DMCA as meaning 'you may not reverse engineer any software, ever' is grossly wrong.
Better Link (Score:3, Informative)
Hey, if you guys want open-source IM, check out http://www.jabber.org [jabber.org] The server is open-source and it's a distributed XML-based network. Lots of different, cool clients too. JabberIM for Windows, and Gabber for Linux are the most mature ones though. There are bridges to the AIM and ICQ networks available on some servers, but the ones on Jabber.org have been blocked by AOL... nice huh?
Re:Better Link (Score:5, Interesting)
For ICQ and AIM, you can probably find some lesser-used Jabber servers with the transports active, and not blocked. JabberView.com has a small list of other servers.
Me, I just use my Jabber.org account, but cross-link to transports on other servers that actually work.
Of course, you can run your own server and transports. Heck, you could even do it on your own box if you want to. Just run icq.localhost and aim.localhost along with jabberd localhost, but still use your user@jabber.org or whatever as your main Jabber account. It's easy to do.
Re:Better Link (Score:2)
It supports AIM, ICQ, Yahoo!, MSN, and IRC.
Re:Better Link (Score:2)
You wouldn't happen to know if it allows me to appear offline for different networks? If I go online to talk to a friend on Yahoo IM, I don't want somebody at work on MSN IM popping up a message and expecting a reply!
Re:Better Link (Score:2)
But yes, Trillian does support different online status for different networks
Re:Better Link (Score:2)
Ok, still here?
Yet another reason (Score:3, Troll)
Abstract Error (Score:5, Informative)
AIM will always be a problem (Score:3, Informative)
I recommend the majority of people I deal with use jabber (this is not some plug for jabber; it's just at the end of the day, it's more secure and yet accomplishes the same goal AIM etc etc have)
If you are using AIM, do yourself a favor a pickup a jabber client, you won't be sorry.
Re:AIM will always be a problem (Score:3, Insightful)
Once again, the problem is in the Windows client and not the protocol, and the protocol is openly documented. Get your facts straight next time.
Now they need a sound to go with their IM (Score:5, Funny)
One of Many Instant Messenger Exploits (MIME for short), I'm sure.
{if you are going to assinate a Mime, would you use a silencer?}
Bug in the implementation, not the protocol (Score:5, Informative)
The problem is in the implementation, not in the protocol. If it were in the protocol, that would make all clients at risk. As it is, only the official Windows client is vulnerable, because it implements game requests without checking for buffer overflow. I really don't understand why people still write code this way -- buffer overflows are so easy to prevent.
Somewhat (but only somewhat) offtopic: why on earth doesn't ./ at leas browse through the links they post? It's not like they don't have the manpower. If they'd even looked at the article, they'd have caught this...
"So easy to prevent" -- not in C (Score:2)
But I don't agree that it is easy to prevent when you're writing your software in C or C-like C++. In fact, I think C and the typical memory model practically encourages you to write exploitable software. Sure, it's easy to look at a stupid little program and say, yes, that has a buffer overflow problem. But large programs like IIS or even AOL AIM are an awful lot harder to analyze. (Take a look at the IIS overflow again if you think it's easy. This was due to the interaction between two totally different modules, both of which did bounds checking, but assumed that the buffer was large enough to hold twice the amount of data after unencoding. Indeed it was, but not if you unencode twice!)
If it is so easy to prevent, why do we continue to see loads of these kinds of bugs? You might argue that AOL programmers are stupid, and IIS programmers, and wu_ftpd, BIND, perl, quake 3 arena, sshd, (etc. etc.), but I think you'd be left with almost no programmers if you listed all the packages that have had buffer overflows in them. It is C's fault.
Personally, I think it's ridiculous that people still write software that's not at all performance-critical in C and C++. Technology exists (see O'Caml at http://caml.inria.fr/) for making really fast programs that are guaranteed not to have this kind of security hole in them. All that's really needed is toolkits for interfacing with system libraries... (for non-interactive stuff like network daemons there's absolutely no excuse to be using C).
It seems such an easy thing.... (Score:2)
Anyway, I like AIM, it's easy for a brain dead code jockey to use. I've got enough rattling around in my head without having to be 31137 at instant messenger applications.
Re:Converses and other logic games (Score:2)
Let me spell it out in straightforward logic symbols:
let "a" mean "vulnerability affects non-Windows versions"
let "b" mean "non-windows versions implement this game feature"
You take "not a because not b" (That is, "not b imples not a") and conclude "b implies (would imply) a". You have confused the converse with the contrapositive (the contrapositive would be "version xyz is vulnerable to this, therefore I know that version xyz implements the gaming feature").
Now, on to the question as to whether or not this vulnerability is in the protocol itself; this gets into a silly semantic debate that could go on and on with people yelling about definitions. As the AIM protocol has no canonical published spec. to define what it is, we can only assume that the AIM protocol is whatever the official AIM clients do when operating correctly. (For example, we shouldn't expect that the behavior of the AOL client while it is running under a debugger that randomly flips a few bits in memory every few seconds is an example of the AIM protocol)
So - is a buffer overflow the correct behavior? As much as I am inclined to think ill of the AOL/TW behemoth, I doubt that they intended their users' machines to be wide open to script kiddies everywhere.
It couldn't be... (Score:4, Funny)
AOL is deeply committed to your security. We use state-of-the-art technology to keep your personal information as secure as possible. We also have put in place privacy protection control systems designed to ensure that the personal data you share with AOL is safe and private. In addition, AOL keeps your password strictly confidential, and all authentication for the Service is performed on AOL's secure servers. Sites participating in the Service may not collect or store AOL password information.
From this site. [aol.com]
Re:It couldn't be... (Score:2)
Well, the are right. This is about data that is not shared rwxr----- but rwxrwxrwx :-)
Trillian (Score:5, Informative)
Re:Trillian (Score:3, Informative)
Re:Trillian (Score:2)
Re:Trillian (Score:5, Informative)
Daniel
Trillian WORKS under Wine! (Score:2)
I've recently started using trillian (www.trillian.cc [trillian.cc]) for all my IMing needs
Trillian is a Windows app, but it apparently works under Wine [codeweavers.com].
Re:Trillian (Score:3, Insightful)
Remember the old days of the internet? How you couldn't send an e-mail from Prodigy to AOL because they were separate networks? That's what we have here, but in IM form. The solution was not to build some all-in-one Compuserve-Prodigy-AOL-bloat app, but rather to just decide upon an open email protocol. Trillian is the all-in-one approach.
I recommend switching to Jabber. It will allow you to communicate with other IM services through serverside transport modules. Use transports as a transition, to communicate with people who have not yet switched to Jabber. The ultimate goal, however, should be to ditch the transports entirely.
Most importantly, Jabber is its own open and distributed IM system, so you will always be able to chat no matter what the "big 4" do. Isn't it comforting to know that?
If you don't care about promoting an open system, or don't see the problem with closed IM systems, then Trillian may be just the program for you. But remember it is not trying to solve the greater problem.
Re:Trillian (Score:2)
Re:Trillian (Score:4, Informative)
1) You have to connect to a Jabber server
2) You have to find a Jabber server that is running all of the message protocols you want/need
3) Most servers are run by regular people, and they're not always on when you want/need them.
4) Your buddy list is stored server side, so you can not easily move to another server. If your sever goes down you'll have to recreate your entire buddly list on a new server if you want access.
Trillian, on the other hand, connects to the chat providers native servers and uses XML as a translation mechanism on the client side. The chances of Yahoo's chat server, AOL's chat server, ICQ's servers, or MSN's chat servers going down is very very slim. I used to use Jabber but gave up in frustration when the server I used disappeared for over a week.
Re:Trillian (Score:2)
Trillian solves all of those problems.
Jabber is a nice idea, but it's implementation is lacking in a number of important areas.
Re:Trillian (Score:2)
Trillian is v.nice nowadays. If only it supported Jabber too - the windows Jabber client was kind of crappy last time I tried it.
Re:Trillian (Score:2, Informative)
encryption (Score:2)
Re:encryption (Score:2)
Re:Trillian (Score:2)
Msn messenger doesnt support socks5 correctly, but I was able to use trillian for msn thru socks. In fact every IM it has aol/icq/yahoo/msn and IRC works thru a socks server now.
Gaim and TOC (Score:5, Informative)
well, here's yet another reason to be using TOC (as opposed to Oscar, the newer of the two AIM protocols.) TOC is/was an open protocol, and i've had very little problem with it. admittedly, it doesn't have all the "features" that Oscar has, but if all you want is chat, and you don't care a whole lot about file transfers, et al. TOC is more than sufficient. plus, unlike Oscar, AOL doesn't seem to arbitrarily change the protocol. And it seems to be more stable, server-side. I've had countless instances of hearing the dispaired cries of "AIM is down" from throughout my dorm without having a problem. TOC goes down occasionally, but not nearly as much, from my experience.
as for clients, i recommend Gaim for Linux. You can select the TOC protocol in the Account Editor window.
<asbestos>yes, i know there's a million things that Oscar can do that TOC can't. but I don't care. TOC just works better from my experience, especially when clients have to release new versions to work around AOL changing the Oscar protocol slightly in order to screw over MS.</asbestos>
Re:Gaim and TOC (Score:2)
true, few people use TOC. but there are those of us who still use it.
as for licq... yes, the newer versions of icq use Oscar, but the older ones weren't TOC. They were the ICQ protocol, which was horrible. virtually all the security in the protocol depended on client-side implementation. thus, wich unofficial clients, you can spoof UINs, see people's ip addresses when they have the 'hide ip' option checked, etc. But even with newer versions, we still have the problem of Oscar being a proprietary protocol. ...But then again, i'm not sure if the original protocol was published or reverse engineered. But at least they never made arbitrary changes in the protocol to stop "unauthorized access."
Wow... (Score:2)
Heh... first hack... (Score:4, Funny)
"You've got nailed"
Best PR Spin (Score:5, Interesting)
From the Washington Post Story [washingtonpost.com]
A security hole in AOL Time Warner's Instant Messenger program used by millions of users worldwide can let a hacker take full control of a victim's computer, according to security researchers and the company.
An AOL spokesman said the problem will be fixed soon, and users won't have to download anything.
Great idea! Why make the user download and test a patch? We can just use this hole that gives us full control of a vitim's computer...
w00w00? (Score:4, Funny)
Oh, so the 1337 are going the non-profit route? Nice to see that they are going somewhat legit here, but are we going to see mass-defacement support drives once a month looking for donations, a la PBS? Are they going to only release their best exploits during these fund drives? And how much do I have to donate to get reach the benefactor level where I get the "Bill Gates unrestricted Amex card" number as a gift of thanks?
More importantly, did Microsoft "give generously" during the "Here's how to hack AIM" episode of "Sesame Street"?
"Today's Sesame Street was brought to you by the letters M, S, N, and the number 1."
Only AIM versions > 4.7.2480 (Score:2, Informative)
Re:Only AIM versions 4.7.2480 (Score:2)
D'oh.
Re:Only AIM versions 4.7.2480 (Score:2)
Re:Only AIM versions 4.7.2480 (Score:2)
-Legion
Check out this quote... (Score:5, Interesting)
Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover's actions are irresponsible. "I think it's better to provide details of the exploit and then let other people write the actual code," Cooper said. "Unfortunately, these are fundamentally naive people with a very childish view of the world."
Hmm. Anyone else sense a little hostility from the for-profit [trusecure.com] security industry...?
Might Try Odigo (Score:2)
http://www.odigo.com
Side note I am in NO WAY affiliated with them. I just happen to like their product.
i've an idea! (Score:2, Insightful)
exploit this hole from the main server on all clients, and make them automatically update to the latest version! No users have to download patches this way.
Trillian not affected (Score:2)
I will venture, rather safely, to say that Trillian is not affected by this exploit. The exploit is in the 'game request' feature in the AIM client for windows, a feature that has not yet been included in Trillian in the first place, and a feature that would obviously use different, hopefully better-bounds-checked code if it were there (since trillian uses its own libraries to do everything, no reliance on AIM).
Watch out for incoming Script Kiddie onslaught (Score:2)
Fire for Mac OS X is great (Score:2)
http://www.epicware.com/fire.html
works great, and handles AIM, ICQ, Jabber, irc, MSN, and Yahoo.
from the "About Fire" dialogue
Engineering
Eric Peyton
Interface Design
Borrowed from America Online with flourishes courtesy Eric Peyton. Some ICQ ideas taken from various ICQ clones
Icons
Rick Roe, Blake Harris
Fire Enhancements
The following people have made enhancements to Fire
Jason Fosback (jfosback@ubermind.com)
Brian Fitzpatrick (fitz@red-bean.com)
(way too many to list
Underlying Engine (libfaim)
Copyright 1998-1999 Adam Fritzler (afritz@iname.com)
Underlying Engine (icqlib)
http://kicq.sourceforge.net/kicq.shtml
Underlying Engine (libyahoo)
http://www.sourceforge.net/projects/gtkyahoo
Underlying Engine (msn library)
http://www.everybuddy.com
Underlying Engine (firetalk/irc)
http://www.penguinhosting.net/~ian/firetalk/
HTML (AIML) Rendering/Reading Engine
Copyright 1999 Stephen Peters (portnoy@portnoy.org)
Fire.app Written in Objective-C against the Cocoa API's using the underlying libfaim Unix/Linux library written in C, the icqlib source code written in C, and the gtkyahoo source code written in C and C++. I am using the firetalk library in C for irc communication and the msn library was borrowed from everybuddy.
Fire.app is released under the FSF GPL, as are libfaim, micq, and gtkyahoo. If you did not receive source with this version please contact Eric Peyton (epeyton@epicware.com) for the source, or visit http://www.epicware.com/fire.html.
Other AIM clients (Score:2)
Don't call it a security flaw (Score:2)
Call them a "window."
As in, "A window was discovered today into AOL instant messanger."
Re:Ouch... (Score:3, Redundant)
"this does not affect the non-Windows versions"
Re:Ouch... (Score:3, Flamebait)
Re:Ouch... (Score:2)
AOL Instant Messenger (AIM) has a major security vulnerability in the
latest stable (4.7.2480) and beta (4.8.2616) Windows versions.
It's a buffer overflow, so the
Re:Ouch... (Score:2, Offtopic)
I don't have time to read everything, just posting my thoughts. Oh well, as if karma matters
Don't shoot the messenger, man (Score:2, Redundant)
It is very irresponsible of the original writer to post an explicit method to exploit the crack, however. At least there's one redeeming feature: the article also tells readers how to protect themselves from the crack by altering their preferences, and also that AOL is fixing the problem server-side.
The crack was/is already out there, for people who enjoy using that sort of thing. Don't blame this site for pointing people to it just because Slashdot has a higher readership.
retard... (Score:2)
- A.P.
Re:Ok... (Score:3, Insightful)
Re:Warnings (Score:4, Funny)
Ok so I used it once to send two of my coworkers homo "I like to watch your ass" emails from each other...
Re:Warnings (Score:2, Interesting)
Actually though I think the earliest ICQ implimentations performed the password authentication locally, which is why the 8 character limit on passwords exists in icq.
A 9 character password response meant the authentication was done by the client.
Re:Server-side fix? (Score:2)
Until they do fix it, you can either use AIM Filter or change your preferences so that only people on your buddy list can contact you. Neither is 100% foolproof, but definitely better than nothing.
Re:Lesser of two evils. (Score:2)
Re:Code Red. (Score:2)
Re:Irresponsible! (Score:3, Informative)
We contacted the AOL Instant Messenger group but never received a
response. Normally we would be inclined to provide a fix, but it is
illegal to reverse engineer the AIM executable (DMCA and AIM's license
agreement to thank), so we are unable to provide a patch which will
modify it. Instead, we recommend Robbie Saunder's AIM Filter
(http://www.ssnbc.com/wiz/) to protect yourselves.
Please get the full story before you post shit.