Despite AOL's Claim, AIM Worm Hole Still Wide Open

Zonk posted about 7 years ago | from the perhaps-they-should-fix-that dept.

Security 75

Clown of the month writes "There's a nasty worm hole in America Online's standalone AIM (instant messaging) software that won't be patched until the middle of October. This vulnerability, first reported to AOL by researchers at Core Security more than a month ago, is caused by the way AIM supports the rendering of HTML content via an embedded Internet Explorer server control. AOL coordinated with Core on the release of an advisory, on the understanding that the flaw was patched in the latest beta version. As security researcher Aviv Raff discovered, the underlying vulnerability was never fixed. In the demonstration, Raff simply sent an IM to trigger the launch of the calculator application. The attack scenario works without the target clicking on a link and only requires that the AIM user is logged on and accepting incoming messages."

just use pidgin! (3, Interesting)

mwilliamson (672411) | about 7 years ago | (#20774571)

Here's a perfect example of where an open-source solution beats the pants off a commercial one.

Re:just use pidgin! (4, Insightful)

Sarten-X (1102295) | about 7 years ago | (#20774605)

Indeed. I've been using pidgin/GAIM for 3 years, and recommend it to everyone whose computer I've had to remove viruses from. There's really little reason to use AOL or MSN's client.

Re:just use pidgin! (0)

Anonymous Coward | about 7 years ago | (#20775917)

Yeah, who needs direct connect to work properly. Or a file transfer to be able to make it through a NAT router.

Forget installing software...just Meebo (4, Interesting)

fsckr (965056) | about 7 years ago | (#20777501)

I've been using meebo.com for about a year and up until a couple of weeks ago, the only failing was that it didn't have file transfer capabilities. Now that they fixed that, the site is about as good as an IM client can get + no need to install software (and it even works on iphone etc...)

Oh yeah, and there's no need to remember multiple account passwords.

Re:just use pidgin! (1)

centinall (868713) | about 7 years ago | (#20774607)

I don't think that Pidgin can render HTML, or at least doesn't do it yet. Although why you would really want to do this is lost to me.

Re:just use pidgin! (1)

BosstonesOwn (794949) | about 7 years ago | (#20774851)

So it can render the emoticons everyone seems to love. Or, if you're like me, hate with a passion.

I think it also transports the text and such in XML which is why it uses the rendering engine.

Re:just use pidgin! (0)

Anonymous Coward | about 7 years ago | (#20775081)

> So it can render the emoticons every one seems to love. Or if your like me hate with a passion.

   :)  :)  :)  :)  :)  :)
:) BosstonesOwn (794949)  :)
   ..  ..  ..  ..  ..  ..
   \/  \/  \/  \/  \/  \/

Re:just use pidgin! (1)

p0tat03 (985078) | about 7 years ago | (#20774703)

Agreed. Although the lack of offline messaging in MSN is annoying, pidgin does everything I want MSN to do, with none of the things that the official client does that I hate.

For Mac Users: (3, Informative)

cromar (1103585) | about 7 years ago | (#20774807)

Adium [adiumx.com] is a sweet, multi-service, OSS IM client.

Re:For Mac Users: (1)

cthulhu11 (842924) | about 7 years ago | (#20784867)

Sweet modulo the long-standing inability to transfer files. Attempts to send them almost always fail; having someone send one to me when I'm running Adium is a sure-fire way to have it crash within 5 minutes. Yes, I reported it long ago.

Re:just use pidgin! (4, Insightful)

Cal Paterson (881180) | about 7 years ago | (#20774937)

> Here's a perfect example of where an open-source solution beats the pants off a commercial one.

This statement, while true, doesn't say a lot. Pidgin does have a lot of shortcomings (though it's all I use).

Re:just use pidgin! (1)

QuietObserver (1029226) | about 7 years ago | (#20779137)

Personally, I use an IM to chat with friends; it works perfectly fine for that, so I don't really care what shortcomings Pidgin has. My only weakness is I haven't worked out how to get it installed on my computer (Ubuntu 64 bit), yet.

Re:just use pidgin! (1)

QuietObserver (1029226) | about 7 years ago | (#20779143)

One thing I failed to point out, though; I haven't really been trying too hard.

Re:just use pidgin! (1)

dlgeek (1065796) | about 7 years ago | (#20782565)

Gutsy, as root: apt-get install pidgin

Dapper/Edgy/Feisty still have an older version from before the name changed, as root: apt-get install gaim

There, you're done.

Re:just use pidgin! (0)

Anonymous Coward | about 7 years ago | (#20781423)

How did this get modded +5 Insightful?

> This statement, while true, doesn't say a lot.

Ironically, neither does yours.

> Pidgin does have a lot of shortcomings (though it's all I use).

If it has shortcomings, please do share with the rest of us.

Re:just use pidgin! (1)

Cal Paterson (881180) | about 7 years ago | (#20794979)

> Ironically, neither does yours.

Succinctness is not the same as not saying anything. The fact that I didn't spell everything out like a moron does not mean that I did not make any points.

Re:just use pidgin! (1)

kryptkpr (180196) | about 7 years ago | (#20775023)

My problem with Pidgin is with the rather plain way it looks. Kopete [kde.org] has a killer theming engine and many themes which are far more polished (imho) than Pidgin.

Re:just use pidgin! (1)

fireboy1919 (257783) | about 7 years ago | (#20775417)

I like my logging. I have a complete history of everything that anyone has ever said to me available in the log, and I can always pick up where I left off.

Pidgin has *almost* replaced e-mail for me.

Re:just use pidgin! (1)

Dunbal (464142) | about 7 years ago | (#20778383)

Here's yet another perfect example of where an open-source solution beats the pants off a commercial one.

There, fixed it for you.

Re:just use pidgin! (0)

Anonymous Coward | about 7 years ago | (#20786931)

Which of the open source solutions include voice and video chat?

wormhole? (4, Funny)

FlashBuster3000 (319616) | about 7 years ago | (#20774577)

Let me welcome our new Dominion Overlords!

People still use AOL-supplied AIM client? (3, Interesting)

necro2607 (771790) | about 7 years ago | (#20774617)

Err, people actually still use the AIM client supplied by AOL? Almost everyone I know is using a 3rd-party multi-protocol app like Trillian or Gaim (on Windows) or Adium or iChat on OS X. I'd be totally surprised to see someone actually running the [IMO] horrible client made by AOL.

Re:People still use AOL-supplied AIM client? (1, Interesting)

Anonymous Coward | about 7 years ago | (#20774787)

Know any normal people? In other words, people not in IT nor technically inclined? Unfortunately I see this crap still used on tons of clients' PCs, ranging from secretaries to the head partners in various firms.

Re:People still use AOL-supplied AIM client? (2, Informative)

Kazrath (822492) | about 7 years ago | (#20775119)

Plenty of reasons; to name one major one:

Many major financial & trading firms use IM clients of all breeds to interact with customers/clients/associates on a daily basis. These communications need to have specific rules enforced against them and all communications recorded for them to be compliant. Many of the third-party IM clients do not integrate correctly with software that performs the management/proxying of IM traffic within an enterprise environment, or could allow access on protocols that are restricted.

Re:People still use AOL-supplied AIM client? (2, Insightful)

dunezone (899268) | about 7 years ago | (#20775633)

Why not? The majority of individuals who grew up during the 90s grew up using AOL. They're accustomed to AIM and its user interface. Why do you think they still offer the old 5.9 version? And the open-source solution doesn't help them either. These people don't want change and they don't want to learn anything new. This is why people still use Windows.

Re:People still use AOL-supplied AIM client? (2, Insightful)

Dunbal (464142) | about 7 years ago | (#20778367)

I cut my teeth on CompuServe and closed my accounts when they merged with AOL. AOL sucked back then, and it still sucks now. Only reason they ever became popular is because at least half the population of (insert country here) is ignorant.

Re:People still use AOL-supplied AIM client? (1)

a-zarkon! (1030790) | about 7 years ago | (#20776111)

Yeah, I'll go on record and agree with the AC - there are PLENTY of people out there who have no idea what GAIM/Trillian/etc. even are. They aren't technical; they are less likely to patch or maintain AV, they are more likely to have a boatload of spyware clogging their IE browser. The unwashed masses. They include your neighbor, your doctor, and your garbageman. They are legion.

Re:People still use AOL-supplied AIM client? (1)

j00r0m4nc3r (959816) | about 7 years ago | (#20781043)

> Almost everyone I know is using a 3rd-party multi-protocol app like Trillian or Gaim

Do you know any soccer moms from rural Nebraska?

Things like this... (1)

Pojut (1027544) | about 7 years ago | (#20774621)

...combined with excessive bloat are why I use Trillian.

Re:Things like this... (1)

BosstonesOwn (794949) | about 7 years ago | (#20774929)

From May, http://crave.cnet.com/8301-1_105-9722313-1.html [cnet.com], but it shows that no IM client is secure: less bloated, yes, and patched faster, yes, but not secure from someone willing and wanting to do harm.

IMHO any open source IM client is inherently better. It's patched faster 90% of the time.

What's worse? Bloat, or cpu usage? (1)

znerk (1162519) | about 7 years ago | (#20783029)

I used to think Trillian was the be-all end-all... a single client that accesses half a dozen networks. Beautiful, right? Sure, until you realize that Trill cheerfully eats up to 80% cpu on a system when it's actively doing something; and the wiki interface, while very cool, breaks within a few weeks of "normal" usage. Hmm. Now that I think of it, those two items may be related.

AIM?? (1)

jcicora (949398) | about 7 years ago | (#20774623)

I didn't realize people still used AIM. I thought everyone "cool" had moved on to MyFaceSpaceBook

Re:AIM?? (3, Funny)

Ajehals (947354) | about 7 years ago | (#20774965)

Is that a web 3.0 site or is it web 95?

Just kick the big one, go gaim. (1, Insightful)

TehSpida (1154493) | about 7 years ago | (#20774635)

Uhhh, as far as I'm concerned, if you still use AIM you deserve what you get. The only reason AOL itself is still around is because of our poor grandparents who don't know any better. I say "Boo on you", AOL, for taking advantage of our elderly community that doesn't know any better by forcing them to install additional programs such as "ViewPoint Media Player" if they want AIM. It's crap that you make customers of yours download additional adware to help support your continued existence; just roll over and call it quits. Time Warner is the only way you have left. Period.

Re:Just kick the big one, go gaim. (0)

Anonymous Coward | about 7 years ago | (#20774803)

People don't deserve misfortune simply because they are ignorant. That's like saying it's _your_ fault when the mechanic tells you it will cost $1000 to repair a $100 problem on your car, or that kids working in a sweatshop deserve to be paid $1 per day simply because they don't know they are sewing sweaters that retail for $250 in NYC.

Re:Just kick the big one, go gaim. (1)

buzzy452 (1161505) | about 7 years ago | (#20775073)

I agree with the above comment -- our "poor old grandparents" are people too! And, though they may be difficult to find, I'm sure there are plenty of people who still use the AIM client just because they honestly like it better. (Perish the thought.) AOL is showing a huge lack of propriety.

It's not GAIM anymore. (1)

Alaria Phrozen (975601) | about 7 years ago | (#20775751)

It's called Pidgin now, you r-tard.

Why AOL exists (1)

SoapBox17 (1020345) | about 7 years ago | (#20777491)

AOL is a much bigger company than just the online service. For example, they own advertizing.com... Which I'm sure makes them a lot of money.

Worms (2, Funny)

Corpuscavernosa (996139) | about 7 years ago | (#20774643)

Could AOL and Core's warning be described as "Wormsign"?

Are you mad? (4, Funny)

pushing-robot (1037830) | about 7 years ago | (#20774657)

AOL creates a stable worm hole and you /. types want to close it? Bastards!

Re:Are you mad? (1)

RockoTDF (1042780) | about 7 years ago | (#20774801)

Only AOL could make something so bloated and overdone that it collapses under... oh wait, that's a black hole. Where is Mr. Hawking when we need him?

Re:Are you mad? (1)

Alwin Henseler (640539) | about 7 years ago | (#20774883)

> AOL creates a stable worm hole and you /. types want to close it? Bastards!

You haven't seen what's on the other side, have you? Besides, this isn't one worm hole but many, spread all over the f**king place.

Re:Are you mad? (2, Funny)

Chris Mattern (191822) | about 7 years ago | (#20775679)

> AOL creates a stable worm hole and you /. types want to close it? Bastards!

The Prophets will hear of this!

Chris Mattern

Hehehehe... (0, Troll)

halcyon1234 (834388) | about 7 years ago | (#20774793)

Gaping A HOLE.

I'll let some other troll post the goatse link.

IM risk to use (1)

rk075245 (1160915) | about 7 years ago | (#20778649)

The widespread use of instant messaging (IM) continues to increase the security risks for both organizations and individual users. While instant messaging can be a very useful communication tool, it is also subject to many security concerns. Recent attacks include new variations in the establishment and spread of botnets, and the use of compromised instant messaging accounts to lure users into revealing sensitive information. Variants of e-mail worms (such as the Mytob family) have also been spread through the use of instant messaging. The general risk areas related to instant messaging are:

Malware -- Worms, viruses, and Trojans transferred through the use of instant messaging. Many bots are controlled via IRC channels.

Information confidentiality -- Information transferred via instant messaging can be subject to disclosure along any part of the process.

Network -- Denial of service attacks; excessive network capacity utilization, even through legitimate use.

Application vulnerabilities -- Instant messaging applications contain vulnerabilities that can be exploited to compromise affected systems.

Linux version of exploit (0)

Anonymous Coward | about 7 years ago | (#20774825)

me: yada yada boobies!
nob: waffle waffle
me: boobies boobies!
nob: <exploit>Please click calculator icon</exploit>
me: no

FOILED!

Re:Linux version of exploit (0, Offtopic)

CollegeKid092588 (1163239) | about 7 years ago | (#20774951)

You have no idea what you're talking about; sometimes it's extremely hard to resist boobies.

Re:Linux version of exploit (1)

Ajehals (947354) | about 7 years ago | (#20775001)

Whilst reading your post I got the urge to launch xcalc, so I would have to say that Debian Stable *is* vulnerable.....

This is how the end of software giants begins (3, Interesting)

zappepcs (820751) | about 7 years ago | (#20774835)

Their death is slow, torturous, tortuous, and painful to experience with them, but when they refuse to change with the times and provide a secure computing experience, customers move on to something else. A word of warning for FOSS developers here.

Today we see people suggesting strongly that users abandon MS's new OS for many reasons. This is the arguably dominant desktop OS across the globe, and they are losing face for nothing more than treating users and customers like idiots.

It won't take long before no one will use AIM, and that problem will go away. Sure, it will still be around on someone's machine somewhere, but that user will die of stupidity soon anyway.

I may sound sarcastic, but I'm not; this is how the end begins. Making stupid mistakes, letting end users suffer, and generally thinking that creating superior products is not necessary. I personally choose to suffer bad driver support or other shortcomings rather than allow the OS manufacturer to spy on my computer use, or worse, report it back to someone else.

Google dances around this line quite a lot, but seems to still respect the user, and their privacy. I am seriously hoping that this issue becomes a US Presidential election issue. Privacy, security, and consumer rights where software is concerned. The MS stealth update is nothing more than malware. Commercial companies found guilty of DDoS and other sabotage efforts should be fined, and corporate officers imprisoned.

Yes, I could make the hardware on my desk secure by unplugging the network cable, but I can also make my car safe from accidents if I leave it in the garage. Neither is a suitable answer. Common sense should be applied to this, if your vehicle suddenly stopped getting > 25mpg because you filled the tank with brand X gasoline it would be a case for federal investigations. My computers cost as much as my car, I spend a great deal of money each month on or via my network connection using those computers. It is time that personal liberties and security were treated the same whether it is in regard to computing, or any other activity.

Voting with your feet will eventually kill off the AIM client, but it should be a case for a fine, if not more, that the hole was left open negligently.

Re:This is how the end of software giants begins (2, Insightful)

BosstonesOwn (794949) | about 7 years ago | (#20775025)

May I suggest you sell off that Yugo and 386 and move up to a Toyota corolla and Athlon 64 ?

You won't see any of that happen until it hits home for a couple of the high-ups in government. If their data gets stolen, big deal, it's taxpayers who foot the bill, but if someone steals their identity and ruins their life for a couple of months, maybe something will change.

then dont use AIM (1)

g8rboy (1163247) | about 7 years ago | (#20774915)

Then another reason to use proxy servers with your Trillian or GAIM accounts.

Re:then dont use AIM (1)

deftcoder (1090261) | about 7 years ago | (#20777703)

What the hell is a proxy server going to do besides just add more latency to your AIM session? (and potentially spy on it)

Re:then dont use AIM (1)

rk075245 (1160915) | about 7 years ago | (#20778717)

Proxy appliances control Web access!!!!

AIM, I miss you! (1, Funny)

Anonymous Coward | about 7 years ago | (#20774927)

I had to uninstall AIM after my wife caught me cybering with a Russian chick...

Re:AIM, I miss you! (0)

Anonymous Coward | about 7 years ago | (#20775237)

Surely you've heard about the Russian "chicks" on AIM by now?

3rd party dependance (1)

KevMar (471257) | about 7 years ago | (#20774955)

I didn't read the details, but I would almost bet that they are using an IE control and don't immediately know a way to fix the problem. So they are going to try and catch the exploit instead, leaving them open to future creative attacks.

I also think the use of the IE control will be the root of many more issues that have yet to be uncovered. If they could run that control in a restricted security setting, it would go a long way. If it's just for display only, strip it of all security and go on.

If you just treat the entire control as hostile (it is IE, isn't it?), then it can't surprise you with something new and undocumented.

I'm sure it's issues like this that introduced IE's use of zones. Not that it handles it any better, but I can see the idea behind it.
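The summary describes the attack surface (message markup handed straight to an embedded HTML renderer, no click required), and KevMar's point above is that whatever reaches that control should be treated as hostile. The block below is an added example, not code from AIM, Core, Aviv Raff or anyone in this thread: an allowlist sanitizer an IM client could run over incoming message markup before passing it to the rendering control, so that only plain formatting survives and script, object/embed, event handlers and javascript: links never reach the renderer. The allowlist (b, i, u, br, font, and a with an http/https href), the set of elements whose content is dropped, and the sample message are all assumptions chosen for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist for the formatting an IM client actually needs. These sets are
# this example's assumption, not anything from AIM; every tag not listed is
# dropped together with all of its attributes.
ALLOWED_TAGS = {"b", "i", "u", "br", "font", "a"}
ALLOWED_ATTRS = {"font": {"color", "size", "face"}, "a": {"href"}}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br"}
# Elements whose *content* must go too: script/style bodies, and the
# plugin/external-document loaders an embedded browser control would act on.
DROP_CONTENT = {"script", "style", "object", "embed", "iframe", "applet"}


class IMSanitizer(HTMLParser):
    """Rebuilds a message from the allowlist; nothing else reaches the renderer."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments
        self.open_tags = []    # stack of allowed tags still open
        self.skip_depth = 0    # > 0 while inside a DROP_CONTENT element

    @staticmethod
    def _safe_href(value):
        # Only absolute http(s) links survive; javascript:, data:, vbscript:,
        # file: and scheme-less values are all dropped.
        return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag in DROP_CONTENT:
            if tag in DROP_CONTENT:
                self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag: drop it, keep its text
        pieces = [f"<{tag}"]
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):   # onload, onerror, onmouseover, ...
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not self._safe_href(value):
                continue
            pieces.append(f' {name}="{html.escape(value, quote=True)}"')
        pieces.append(">")
        self.out.append("".join(pieces))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after it so the output stays well nested.
            while True:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is re-escaped, so a "<" typed by a user never becomes markup.
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions are not overridden, so
    # they produce no output; that also drops IE conditional comments.


def sanitize_message(raw_html):
    """Return the markup an IM client may hand to its HTML control."""
    p = IMSanitizer()
    p.feed(raw_html)
    p.close()
    while p.open_tags:                  # close anything the sender left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)


# Constructed sample of a hostile message (not a payload from the advisory):
# the formatting a user wants, plus the things an attacker would add.
SAMPLE_MESSAGE = (
    '<b>hi</b><script>launch("calc")</script>'
    '<img src=x onerror="alert(1)">'
    '<a href="javascript:alert(1)">x</a>'
    '<a href="http://example.com">ok</a>'
    '<object data="evil"></object>'
)

if __name__ == "__main__":
    print(sanitize_message(SAMPLE_MESSAGE))
```

A sanitizer like this is defence in depth, not a fix for the renderer: whatever bug the embedded control has is still there, which is why the control should also run in the restricted setting KevMar describes (scripting and ActiveX off) rather than being trusted to render attacker-controlled markup safely.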

Re:3rd party dependance (1)

BosstonesOwn (794949) | about 7 years ago | (#20775085)

This brings to mind one question. Can we sandbox an IM client? Maybe anything related to IE should now be sandboxed. Something has to be done to try and stem the worms that seem to just keep coming from IE-based exploits.

Re:3rd party dependance (1)

TheRealMindChild (743925) | about 7 years ago | (#20775739)

Thinstall [thinstall.com]

Re:3rd party dependance (1)

KevMar (471257) | about 7 years ago | (#20776435)

We do love to pick on IE, but the issue is more that the component has such a high target area and runs on so many computers. But the truth of it is any component could be just as bad. It easily could have been any other rendering engine that was used, and one of their exploits could have been used. Firefox isn't bulletproof either.

Using these as components only compounds the issue. It's highly likely that the component won't be the newest version with the newest patches, so one could look at current fixes and know what the older ones have problems with. What if it's a component that does not have auto-update and the user never uses the main product? We all know the problems with IE 5 or, say, Firefox 1.0.

What to do now... (3, Funny)

zdude255 (1013257) | about 7 years ago | (#20775139)

So, what's the windows equivalent of rm -rf /

Re:What to do now... (1, Informative)

Anonymous Coward | about 7 years ago | (#20775249)

deltree /Y C:\

Re:What to do now... (2, Informative)

Anonymous Coward | about 7 years ago | (#20775635)

For anything up to NT. For XP and higher, it'd be rmdir /S /Q C:

Re:What to do now... (5, Funny)

mcpkaaos (449561) | about 7 years ago | (#20775957)

> So, what's the windows equivalent of rm -rf /

Visual SourceSafe.

Re:What to do now... (1)

Shados (741919) | about 7 years ago | (#20776209)

I almost fell off my chair reading that one. Funny +6. Mostly because it's true.

OMG, mod this up! (0)

Anonymous Coward | about 7 years ago | (#20776369)

As someone who has used SourceSafe for years, I just about peed myself after reading this.

Re:What to do now... (1)

clustersnarf (236) | about 7 years ago | (#20777327)

deltree /Y c:\

Re:What to do now... (1)

Azuma Hazuki (955769) | about 7 years ago | (#20778119)

I believe it was format C:

Might want to have a Linux LiveCD handy...you needed it before that command, but you'll *definitely* need it afterwards.

Re:What to do now... (1)

NightOath (1163211) | about 7 years ago | (#20780113)

I believe it's: `deltree /y C:\`, though a gparted livecd may be a better idea...

ZOMG! (1)

Cervantes (612861) | about 7 years ago | (#20776933)

Oh my $deity.... this is amazing! Unfathomable! Shocking and awe-inspiring!

AOL and AIM are still around???

Re:ZOMG! (1)

Phroggy (441) | about 7 years ago | (#20777707)

There's no good reason to use AOL, but AIM is an entirely different service, which continues to work just fine. Of course, many of us connect to it using a third-party client, but the official AIM client is the most reliable when it comes to things like file transfers and extra features, so some people use that, because it works.

There are only three major IM networks that are used by a large enough number of normal people to make them worth bothering with: AIM, MSN Messenger, and Yahoo Messenger. A handful of geeks use Jabber. Everyone else has moved to web-based services like MySpace and Facebook to communicate (which only sounds painful to those of us who know the difference between e-mail and webmail).

AIM will be moving to ICQ soon. (1)

johnsie (1158363) | about 7 years ago | (#20780153)

AOL recently announced that they will be moving all their IM development over to ICQ Israel. Hopefully they will do a better job with the IM than AOL were doing. AOL has never been a good IM. I don't know what people here think of ICQ, but back in the day ICQ was the best IM until the big corps like AOL, Yahoo and MSN jumped in. Eventually ICQ turned a bit bloated and that's when I stopped using it. I hope ICQ makes some big changes to the AOL messenger.

Old versions NOT impacted. Stick with 3.x or 4.x (0)

Anonymous Coward | about 7 years ago | (#20780539)

This is precisely why I have stayed with the older versions that came with Netscape Communicator. Simply put, they're not vulnerable, as they do not rely on the existence of Internet Explorer in any way. There has never been any compelling reason to use any version of AIM > 4.3.

Well, I always thought AOL was a black hole (1)

Mercano (826132) | about 7 years ago | (#20783969)

I mean, unless they're near a black hole or are pumping an insane amount of power into it, the wormhole should have taken care of itself and collapsed in 38 minutes. In other news, a new season of Stargate, sans SG-1, starts tonight.

What versions? (0)

Anonymous Coward | about 7 years ago | (#20784729)

What versions have this hole?

I'm using version 5.1.3036 from oldversion.com. It's the last version that doesn't start playing video/audio at random times.

What else can be done??? (1)

aman534 (1160905) | about 7 years ago | (#20809945)

Hurm, it looks like they have to wait until the middle of October. Meanwhile, they can switch to Meebo or Pidgin if they want to :P