PSA: AOL instant messenger has a vulnerability

bogz

Temporal Navigator
Another closed source piece of software has a problem that lets remote users take control of your machine. This was announced a while ago but AOL said they fixed the problem. They did not.

http://blogs.zdnet.com/security/?p=542


There’s a nasty worm hole in America Online’s standalone AIM (instant messaging) software that won’t be patched until the middle of October.

AOL claims that the vulnerability, which allows a remote attacker to launch executable code without any user action, has been patched in the latest beta client but, as I’ve confirmed in a test with security researcher Aviv Raff (see screenshot below), fully patched versions of the beta are still wide open to a nasty worm attack.

Production copies of the software, which sits on tens of millions of desktops around the world, are also unpatched.

In the demonstration, Raff simply sent me an IM to trigger the launch of the calculator application. The attack scenario works without the target clicking on a link and only requires that the AIM user is logged on and accepting incoming messages.

This vulnerability, first reported to AOL by researchers at Core Security more than a month ago, is caused by the way AIM supports the rendering of HTML content via an embedded Internet Explorer server control.


If AIM was open source, people could have submitted a patch right away, FOR FREE out of the goodness of their hearts.


The open source alternative I use is called "Pidgin" http://pidgin.im/

It supports AIM, Gadu-Gadu, GoogleTalk, Groupwise, ICQ, IRC, MSN, QQ, SIMPLE, XMPP, Yahoo & Zephyr all from the same application.

Pidgin was formerly called Gaim, but they had to change their name because, due to a legal settlement, AOL was dictating when they could release SECURITY UPDATES, believe it or not....
 
...And what does this have to do with time travel discussion? I mean it's a nice enough gesture and all, but I am positive I would not have been permitted to make it...Still, it does bring up a point of maybe creating a general board.

Oh well, Back to time travel topics for me.
 
AOL AIM software will always have holes in it. It is because of the base operating parameters that load up when you 'open' AOL AIM.

I don't use AOL AIM .. it sucks when someone gets your user ID and password by stealing your AIM "cookies". The only way to patch it is to rebuild the base operating parameter codes, believe it, it's the only way. (They can't really patch it..they can try with "preventive measures" but it will never be fully patched.)

 