AOL IM 'Away' Message Security Hole Found

Posted by CmdrTaco on Tue Aug 10, 2004 07:41 AM
from the oops-they-did-it-again dept.
thedude13 writes "Infoworld is running a story about a major security hole in AOL® Instant Messenger(TM) and how it handles away messages. AIM is vulnerable to a buffer overflow via the auto-response away message mechanism. Yet another reason to switch to, IMHO, a better client such as gaim."
  • Major erratum in article (Score:5, Informative)

    by Eponymous Cowboy (706996) on Tuesday August 10 2004, @07:43AM (#9928113)
    Unfortunately, the article this story links to has a rather large mistake. It states:
    However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.
    This is completely and totally wrong.

    Any web page can launch URLs of the form aim:goaway?message=Anything+goes+here by many different means without user intervention:
    • Redirect response codes
    • Meta redirect tags
    • Frames
    • iframes
    • Javascript popups
    Any one of those methods will change your away message automatically, without any confirmation on your part. And if the part in the message= section is more than 1024 characters, arbitrary code can be executed on your machine.

    The only sure way to protect yourself against this is to remove the HKEY_CLASSES_ROOT\aim registry key, which will disable the AIM protocol altogether, as explained here [idefense.com].
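
A detection-side sketch of the point made in the comment above, added here as an example and not part of the original post: it scans a page for the auto-launching vectors the comment lists (meta refresh, frames, iframes, script) plus redirect responses, and flags `aim:goaway` URIs whose `message=` value exceeds 1024 characters. The function and class names and the sample page are constructed for illustration.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser

MAX_MESSAGE = 1024  # limit quoted in the comment above
AIM_URI_RE = re.compile(r"aim:[^\s\"'<>)]+", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    vector: str          # where the URI appeared
    auto_launch: bool    # True when the browser follows it without a click
    message_length: int  # raw (still URL-encoded) length of message=

    @property
    def overlong(self):
        return self.message_length > MAX_MESSAGE

def goaway_message_length(uri):
    """Raw length of message= in an aim:goaway URI, or None for any other URI."""
    # Assumption: which length the client counts is not stated, so the raw
    # length (an upper bound on the decoded length) is used to err on flagging.
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "aim":
        return None
    action, _, query = rest.partition("?")
    if action.strip("/").lower() != "goaway":
        return None
    longest = 0
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == "message":
            longest = max(longest, len(value))
    return longest

def to_finding(vector, auto_launch, uri):
    length = goaway_message_length(uri)
    return None if length is None else Finding(vector, auto_launch, length)

class AimLaunchScanner(HTMLParser):
    """Collects candidate URIs from the HTML vectors listed in the comment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []       # (vector, auto_launch, uri) in document order
        self._script = None  # buffered <script> text while inside one

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        if tag in ("frame", "iframe"):
            self.hits.append((tag, True, attr.get("src", "")))
        elif tag == "meta" and attr.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=aim:goaway?message=..."
            _, _, target = attr.get("content", "").partition(";")
            key, _, url = target.partition("=")
            if key.strip().lower() == "url":
                self.hits.append(("meta-refresh", True, url.strip(" '\"")))
        elif tag == "a":  # needs a click: reported, but not auto-launching
            self.hits.append(("link", False, attr.get("href", "")))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            for match in AIM_URI_RE.finditer("".join(self._script)):
                self.hits.append(("script", True, match.group(0)))
            self._script = None

def scan_html(html):
    scanner = AimLaunchScanner()
    scanner.feed(html)
    scanner.close()
    scanner.handle_endtag("script")  # flush an unterminated <script>
    found = (to_finding(*hit) for hit in scanner.hits)
    return [f for f in found if f is not None]

def check_redirect(status, location):
    """Same check for an HTTP redirect response (status code + Location)."""
    if status in (301, 302, 303, 307):
        return to_finding("redirect", True, location)
    return None

# Constructed sample page: filler characters only, no payload.
FILLER = "A" * 1500
SAMPLE_PAGE = f"""<html><head>
<meta http-equiv="refresh" content="0;url=aim:goaway?message=Back+soon">
</head><body>
<iframe src="aim:goaway?message={FILLER}"></iframe>
<a href="aim:goaway?message=Gone+fishing">set away</a>
<script>window.open("aim:goaway?message={FILLER}");</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print("ALERT" if f.auto_launch and f.overlong else "info", f)
```
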
  • by asciono (220392) on Tuesday August 10 2004, @07:43AM (#9928115)
    Whatever you do, don't leave the computer. Oh, nice reason to sit more at the computer. :)
  • gaim Bug (Score:2, Informative)

    by derphilipp (745164) on Tuesday August 10 2004, @07:44AM (#9928119)
    (http://www.philipp-weissmann.de/)
    Wasn't an exploitable bug just found in gaim? Or to be accurate in the "festival" plugin... See: http://seclists.org/lists/bugtraq/2003/Oct/0205.html
    • Re:gaim Bug by noselasd (Score:2) Tuesday August 10 2004, @07:52AM
    • Re:gaim Bug (Score:5, Insightful)

      by gtaluvit (218726) on Tuesday August 10 2004, @07:55AM (#9928210)
      October of 2003 wasn't "just found" not to mention you have to install a plugin that doesn't come with gaim by default. We're talking default configuration on windows compared to a nonstandard configuration on some OS. Apples and oranges.
      • Re:gaim Bug by dossen (Score:3) Tuesday August 10 2004, @08:56AM
        • Re:gaim Bug by ESqVIP (Score:1) Tuesday August 10 2004, @11:53AM
      • Re:gaim Bug by sp0rk173 (Score:1) Tuesday August 10 2004, @06:12PM
    • Also... by idontneedanickname (Score:1) Tuesday August 10 2004, @01:56PM
  • more buffer over flows (Score:5, Insightful)

    by RLW (662014) on Tuesday August 10 2004, @07:44AM (#9928122)
    When are we going to learn to incorporate bounds checking into everything? We have the CPU cycles.
    • Re:more buffer over flows by maximilln (Score:3) Tuesday August 10 2004, @07:50AM
      • Re:more buffer over flows (Score:5, Interesting)

        by Proaxiom (544639) on Tuesday August 10 2004, @08:21AM (#9928390)
        I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.

        Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.

        For instance: Not too long ago few programmers had any idea they should check input values for SQL control characters before passing it to a database script. They assumed input wouldn't contain any, without realizing they were so assuming.

        It's true that many bugs arise from unchecked string lengths, and those are usually pretty easy to catch (and to fix), but resolving those problems will only take care of a subset -- though probably a large subset -- of the input-related security flaws out there.

        • Re:more buffer over flows by delus10n0 (Score:2) Tuesday August 10 2004, @09:23AM
        • Re:more buffer over flows by maximilln (Score:2) Tuesday August 10 2004, @09:28AM
        • a more secure approach (Score:5, Interesting)

          by feepcreature (623518) on Tuesday August 10 2004, @10:59AM (#9930207)
          (http://notmyopinion.blogspot.com/)
          I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.

          Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.

          The more secure approach is not stripping out possibly dangerous input - it is only permitting the minimum necessary. It's not always possible, but it should be applied where possible.

          So if it's a phone number, just numbers (and brackets and a plus for international numbers, and maybe minuses for the transatlantic cousins).

          Naturally there is a tradeoff between security and usability - especially if you make a mistake in the permitted characters :-(

          Even if you're not going that far, anything that looks like an escape character of any sort should generally be banned. Of course, some names have apostrophes, which could look like 'close quotes' if your app is especially dim.

          Just as well there is no strict liability for software bugs!

    • Re:more buffer over flows by bs_testability (Score:3) Tuesday August 10 2004, @08:03AM
    • Re:more buffer over flows (Score:4, Interesting)

      by Bedouin X (254404) on Tuesday August 10 2004, @08:03AM (#9928262)
      (http://www.rashidmuhammad.com/)
      I wonder if my newly acquired NX protection (just installed XP SP2) will protect me from this. I use Trillian Pro anyway but if anybody has a link, I'd like to see.
    • Re:more buffer over flows (Score:4, Insightful)

      by pjt33 (739471) on Tuesday August 10 2004, @08:13AM (#9928326)
      (http://pjt33.f2g.net/)
      When everyone uses Java or OCAML rather than C(++).
    • Re:more buffer over flows by TheSync (Score:2) Tuesday August 10 2004, @08:45AM
  • Obvious solution. (Score:5, Funny)

    by Masque (20587) on Tuesday August 10 2004, @07:45AM (#9928129)
    This vulnerability only affects those rare few that actually leave their computers and do things in the "real" world.

    Those rebels deserve whatever they get.
  • by Keruo (771880) on Tuesday August 10 2004, @07:45AM (#9928130)
    away for good?
  • But.... (Score:4, Interesting)

    by lachlan76 (770870) <lachlan76NO@SPAMgmail.com> on Tuesday August 10 2004, @07:45AM (#9928134)
    Do many people put links in away messages anyway? Wouldn't people think it was strange that there is a link to something they've never heard about in an away message? I've never used AOL, so can someone tell me if you can use a text link, or is it only a URL?
    • Re:But.... by LostCluster (Score:2) Tuesday August 10 2004, @08:00AM
      • Re:But.... by Zebbers (Score:2) Tuesday August 10 2004, @09:45AM
        • Re:But.... by flonker (Score:2) Tuesday August 10 2004, @10:15AM
          • AFAIK it does. by Ayanami Rei (Score:1) Wednesday August 11 2004, @02:10PM
    • Re:But.... by Ben Hutchings (Score:2) Tuesday August 10 2004, @08:02AM
    • Re:But.... by btsdev (Score:1) Tuesday August 10 2004, @08:12AM
    • Re:But.... by gnu-generation-one (Score:2) Tuesday August 10 2004, @11:49AM
  • Needs user assistance (Score:4, Informative)

    by LostCluster (625375) * on Tuesday August 10 2004, @07:46AM (#9928137)
    There is not going to be an auto-spreading worm based on this hole. From the article: "AIM users would have to click on the URL to trigger the vulnerability..."

    AIM-based worms that need user clicks to spread have already existed for a while. I've already seen one that tempts people to a page that offers a malware ActiveX download, and if the user accepts their AIM profile is changed to advertise the malware site without them realizing what they've done.

    So, in short, this one's bad, but there's a pretty easy workaround that'll keep you safe: Hover over the hyperlink before you click on it to see the URL. If it's a mile long, don't click on it.
  • GAIM? Fire too (Score:3, Informative)

    by ShatteredDream (636520) on Tuesday August 10 2004, @07:46AM (#9928138)
    (http://www.blindmindseye.com/)
    For Mac users there is Fire [sourceforge.net] which since going 1.0 is quite nice and polished.
  • worm/virus? (Score:2)

    by garcia (6573) * on Tuesday August 10 2004, @07:46AM (#9928142)
    (http://www.lazylightning.org/)
    However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.

    The vulnerability reinforces the importance of using caution when clicking on links in IM messages, especially when they are from unknown correspondents, he said.


    This probably would cause some harm but not as much as a worm/virus that would automatically send the malicious URL to all users that are away on your list.

    I know that most of my less knowledgeable friends that use AOL would instantly click a URL from someone on their buddy list. I am not so sure they would do it from a random IM.
  • by suckass (169442) on Tuesday August 10 2004, @07:48AM (#9928154)
    (http://www.untangible.com/)
    http://www.trillian.cc

    Think Gaim but pretty!
  • Jabber & Google (Score:3, Insightful)

    by MarcoPon (689115) on Tuesday August 10 2004, @07:51AM (#9928169)
    (http://file-extension.net/seeker)
    I just hope that Google launch a Jabber based IM system; it will be a major boost to the adoption of Jabber's servers as an open standard.
    It could also be seamlessly integrated with GMail, using the same id both as the e-mail address and as JID.

    Bye!

  • Y R U Here? (Score:2)

    by grunt107 (739510) on Tuesday August 10 2004, @07:51AM (#9928178)
    IDefense discovered the vulnerability and informed AOL about it on July 12, the company said. The company released an advisory on it Monday only after computer security intelligence company Secunia Inc., of Copenhagen published an advisory warning of the hole, citing information provided by two security researchers who also had discovered the hole.

    If this review is something AOL commissioned, good for them. It would be nice, however, if they had an internal QA department that could find these design (actually coding) flaws.

    On the other hand, if these companies were not hired for security reviews, will this sort of 'discovery' (paranoia here:) cause a DMCA backlash?
  • by xutopia (469129) on Tuesday August 10 2004, @07:52AM (#9928180)
    (http://www.xutopia.com/)
    But I wouldn't tell Windows users to jump right away to Gaim. It is still in beta and has a slew of bugs. Telling Windows users who have no idea what Open Source Software is that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.
    • Gaim works (Score:5, Insightful)

      by DrYak (748999) on Tuesday August 10 2004, @08:12AM (#9928319)
      (http://www.sympato.ch/)
      that they should use bug-ridden software is the wrong way to get them to like it. Gaim is only in version 0.81. Wait till it hits 1.0 before telling people to use it.


      {tongue in cheek mode:ON}
      Apparently you have no idea what Open Source Software is either
      {/tongue in cheek mode:OFF}

      More seriously: Unlike proprietary software, an opensource software whose version number is less than 1.x usually means more "warning: Not all cool function you would like to see are implemented yet" rather than "This software is an experimental piece of crap, that will keep crashing your OS, please wait until we get out of beta stage before testing it, unless you backup your data often".

      Personally I've been using Gaim since version 0.5x both under linux at home and under windows at work, and I can say: It's pretty stable. I've been telling my brother and my friends about it and they are happy too.
      The only reason it hasn't reached the 1.x milestone isn't because of the bugs, but because there are some features it's still missing (Mainly: some kind of file upload are missing, although things are a lot better since 0.80; Support for Webcams, etc ...)

      This is a common misconception, and a lot of newbie users can be heard complaining "Linux distro sucks, It's only full of bug ridden software: everything is version 0.xy"

      • Re:Gaim works by Kevin Stevens (Score:2) Tuesday August 10 2004, @08:51AM
    • Re:I use Gaim because it's the best in Linux by LiMikeTnux (Score:1) Tuesday August 10 2004, @08:16AM
    • Re:I use Gaim because it's the best in Linux by Rethcir (Score:1) Tuesday August 10 2004, @08:18AM
    • I would use it... by Eric_Cartman_South_P (Score:2) Tuesday August 10 2004, @08:47AM
    • I've been using GAIM on XP at work for 4 months now. It has had a total of one problem, when Yahoo changed protocols to screw third party IM clients. Downloaded the new version of GAIM less than 24 hours later and it worked fine.

      I have encountered zero bugs with GAIM, which I consider very unusual for anything running on Windows.
    • Re:I use Gaim because it's the best in Linux by Pastis (Score:1) Tuesday August 10 2004, @09:44AM
  • GAIM? Trillian? (Score:3, Informative)

    by Black.Shuck (704538) on Tuesday August 10 2004, @07:52AM (#9928190)
    Miranda [miranda-im.org]. Choice is good. :)
  • My God! (Score:4, Funny)

    by Anonymous Coward on Tuesday August 10 2004, @07:54AM (#9928200)
    Fortunately, most of AOL users are known to be savvy enough to find some work-around until patches are available.
    • Re:My God! by MongooseKY (Score:1) Wednesday August 11 2004, @09:32AM
  • Kopete vs Gaim (Score:2)

    by simetra (155655) on Tuesday August 10 2004, @07:54AM (#9928201)
    (http://www.mzla.com/keith | Last Journal: Thursday February 02 2006, @03:47PM)
    I've been using Kopete for a while and enjoy it. On a lark, I tried Gaim recently, only to find that it won't work with MSN Messenger "out-of-the-box" because it requires installing some SSL thing. So, I said screw Gaim, and still use Kopete. Not that I'm in love with MSN Messenger, but that's what most of my non-geek relatives use.
  • Coincidental... (Score:5, Interesting)

    by GillBates0 (664202) on Tuesday August 10 2004, @07:56AM (#9928214)
    (http://slashdot.org/~GillBates0 | Last Journal: Tuesday July 10, @04:36PM)
    I've been assigned a task of choosing the best IM service/client for our group at work and will be recommending Gaim (correct capitalization) at a meeting today.

    The decision was mostly because of its cross-platform, cross-service compatibility and "Buddy Pounce" features (and because it's my personal favorite too :)). This way folks can continue to use their personal MSN/AIM IDs without a problem. The Buddy Pounce feature allows a script/macro to be run in response to an event - this feature is particularly useful for us because we can kick off an SMS message for example in response to a message or another event.

    Though they don't release Solaris binaries, I did get it to build on Solaris/SPARC with a little effort. I know the Yahoo Messenger UNIX version is open source now, so I could probably try and build it for obscure platforms, but it is IMHO severely crippled compared to the Windows counterpart.

  • Gaim security (Score:1, Informative)

    by cras (91254) on Tuesday August 10 2004, @07:57AM (#9928223)
    Yet another reason to switch to, IMHO, a better client such as gaim.

    Gaim's security [securityfocus.com] doesn't look very good either. Switch if you like, but don't expect it to be any more secure.

  • Thanks SP2! (Score:1, Funny)

    by Meostro (788797) on Tuesday August 10 2004, @07:58AM (#9928225)
    (http://www.dullsville.com/ | Last Journal: Wednesday December 22 2004, @11:41AM)
    Thank goodness I downloaded SP2, since it will obviously keep my computer safe from this problem.

    It's the bestest thing ever!
  • BAH!! (Score:1)

    by angrist (787928) on Tuesday August 10 2004, @07:58AM (#9928227)
    I don't use away messages you insensitive clod!

    Seriously, it's easier to ignore people you don't want to deal with if they know you don't use away msgs.
  • oh god (Score:5, Funny)

    by TechnologyX (743745) on Tuesday August 10 2004, @08:02AM (#9928255)
    (Last Journal: Wednesday November 23 2005, @03:00PM)
    "However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said."

    Yeah, this wouldn't be such a problem if the average IQ of an AIM user was above 2

    MizzIz283334: "LIke, OMG Iz just gots a linky from somewhere!!!11!!oneoneone"
    IzLikeBoizzz435435: "OMG u clic it?"
    MizzIZ 283334: "OMG WTF BBQ My computer died!!!"
    • Re:oh god by Hungry Student (Score:1) Tuesday August 10 2004, @08:38AM
  • gaim (Score:4, Interesting)

    by minus_273 (174041) <`aaaaa' `at' `SPAM.yahoo.com'> on Tuesday August 10 2004, @08:03AM (#9928258)
    (Last Journal: Wednesday May 16 2007, @12:43PM)
    seriously is gaim really a better client? It always seems to me like the unauthorized clients are a generation behind the real ones. Back when file sharing was big, gaim could not do it. Then buddy icons, gaim could not do it. Now gaim can do those, but the big thing is voice and video, gaim can't do those.
    • Re:gaim by pjt33 (Score:2) Tuesday August 10 2004, @08:25AM
    • Re:gaim by silverfuck (Score:2) Tuesday August 10 2004, @08:48AM
    • Sure, its a great client by imtheguru (Score:2) Tuesday August 10 2004, @10:00AM
    • Re:gaim by madcow_ucsb (Score:2) Tuesday August 10 2004, @10:10AM
      • Re:gaim by AnyoneEB (Score:2) Tuesday August 10 2004, @11:09AM
  • Why always plugging FLOSS? (Score:1, Offtopic)

    by FedeTXF (456407) on Tuesday August 10 2004, @08:07AM (#9928289)
    Why does every article mentioning a piece of software have to mention a FLOSS alternative in the blurb?
  • by Audigy (552883) on Tuesday August 10 2004, @08:08AM (#9928292)
    (http://slashdot.org/~Audigy | Last Journal: Monday February 07 2005, @10:50AM)
    Did you know that you can add AIM contacts to your contact list on ICQ, and vice versa?

    Much handier for keeping message archives, and much less exploitable... and less intrusive also.

    For those who don't want to use GAIM, Trillian, or Miranda.

    The AIM client is ugly and stupid; I can't believe people still use it anyway.... unless they've "gotta have their AOL" even though they've "graduated" to a real ISP.

    Feh.
  • Proxy Servers... (Score:1, Offtopic)

    by barcodez (580516) on Tuesday August 10 2004, @08:09AM (#9928297)
    I can't get Gaim to work through our company proxy servers whereas Yahoo and MSN native clients do so fine. I have tried all the proxy settings available. Our proxy server is an MS ISA server... *shudder*.

    I don't use aim, nobody I know uses aim.
  • Test for SP2 (Score:1)

    by Naito (667851) on Tuesday August 10 2004, @08:14AM (#9928334)
    wouldn't this be a good way to test the new DEP in SP2?
  • Client for your IM needs (Score:2, Interesting)

    by xiando (770382) on Tuesday August 10 2004, @08:14AM (#9928335)
    (http://en.xiando.org/ | Last Journal: Wednesday May 18 2005, @07:44AM)
    My personal preference:

    screen + aterm + irssi + bitlbee

    Screen is a full screen window manager, keep something running on a server and detach/attach from anywhere

    aterm [linuxreviews.org] is a nice terminal for X11.

    irssi is a CLI irc client. Since Bitlbee acts as a normal IRC server, any IRC client can be used. Even CGI::IRC [sourceforge.net], there are several sites that allow you to use MSN/ICQ/JABBER/AIM/etc from a web page [everdot.org].

    Bitlbee [bitlbee.org] is an IRC gateway server. Basically it's an irc server where you can add IM accounts. The gateway gives you a "irc channel" with ALL your contacts, whatever they are using.

    More: BitlBee Guide - Talk to msn, icq and jabber contacts using any IRC client [linuxreviews.org].

    NOTE: The setup has TWO flaws:
    1) You can not exchange files (no filetransfer).
    2) Bitlbee does not support GPG encryption for secure communication (available in jabber clients like gjabber and psi).

    Rule of thumb: Original IM providers clients are never the best choice.
  • I'd switch to gaim.. (Score:2, Insightful)

    by Anonymous Coward on Tuesday August 10 2004, @08:19AM (#9928368)
    but the UI is pretty lousy
  • Bugfree OSS (Score:5, Informative)

    by brianerst (549609) on Tuesday August 10 2004, @08:23AM (#9928405)
    (http://duhscoveries.blogspot.com/)
    Thank god there have never [vuxml.org] been [linuxsecurity.com] any [linuxsecurity.com] buffer overflow [net-security.org] bugs [osvdb.org] in Gaim [securityfocus.com]!

    We can all sleep better now.

  • by matth (22742) on Tuesday August 10 2004, @08:28AM (#9928447)
    (http://www.matthoppes.org/)
    However, AIM users would have to click on the URL to trigger the vulnerability, which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said.

    Correct me if I'm wrong but this sounds to me like the user has to click something and it isn't automated.... therefore, once again it is stupid users, not software!
  • Windows (Score:2)

    by silverhalide (584408) on Tuesday August 10 2004, @08:30AM (#9928463)
    I tried gaim for windows a while back, but the performance of the app is pretty rough. Very slow screen updates, and lots of bugs, especially on a machine that's not a multi-gigahertz one. Miranda is one I found recently, which is really cool. Small, compact, and fast, but still powerful. http://www.miranda-im.com/
    • Re:Windows by kmmatthews (Score:1) Tuesday August 10 2004, @09:35AM
  • Gaim? (Score:4, Interesting)

    I use gaim regularly, but I still haven't weaned myself off the official AOL Linux AIM client because gaim still crashes every time I try to send or receive a file. Never have I seen a feature for an OSS program be so seemingly painful and difficult to implement.

    --Stephen
  • Gaim not a full-featured alternative (Score:4, Insightful)

    by mccalli (323026) on Tuesday August 10 2004, @08:40AM (#9928554)
    (http://www.eruvia.org/)
    The smug "switch to Gaim" comment rather let the side down there, I think. Gaim is not a full-featured replacement. The particular deficiency I'm referring to is common to many alternative IM clients - yes, they all handle chat but very few go the whole hog and support video chats. Alternative MSN client supporting video? Not that I can find, though I'd be happy to be proved wrong here.

    A quick search reveals a fork of the Gaim project here [sourceforge.net], which, err, aims to add video functionality. Looks good from the shots, though I haven't tried it myself.

    The point of this is that people should think things through before just spouting off the top of their head. It doesn't help to have people say "yeah, use this free alternative!" and then have people turn round and say it doesn't work. I'd love to recommend a non-AOL AIM client to people, but until AV is handled I simply can't. Same for MSN -all very nice for text and file transfer, but not up to scratch for the advanced functions yet.

    Cheers,
    Ian

  • Yet another reason to switch to, IMHO, a better client such as gaim. ...Or licq if you're an icq user. It's by far the best icq client on any platform out there - even better than the official AOL/Mirabilis ones.
  • Shameless Plug! (Score:1)

    by georgevulov (547520) on Tuesday August 10 2004, @12:07PM (#9931074)
    (http://terraim.sourceforge.net/)
    TerraIM [sourceforge.net]

    My little pet project ;-) It has a pretty complete OSCAR implementation, skinnable GUI, logging, talking while away, and runs straight from the binary (no install).
  • http://www.securityfocus.net/bid/10865/info/
  • Why all the AOL bashing? (Score:5, Funny)

    by huchida (764848) on Tuesday August 10 2004, @12:27PM (#9931331)
    I use AOL broadband and love it. Sure, I could have bought Earthlink and connected to the Internet... But with AOL I can connect to both the Internet AND the World Wide Web!
  • Open Source Pimpdaddio (Score:3, Interesting)

    by Mulletproof (513805) on Tuesday August 10 2004, @01:04PM (#9931825)
    (http://www.dreamops.com/ | Last Journal: Sunday October 02 2005, @10:05AM)
    "Yet another reason to switch to, IMHO, a better client such as gaim."

    I know we're all open-source whores here, but even the free version of Trillian is a much better omnipotent IM product as long as we're suggesting alternatives. The level of refinement between the two is lightyears apart. And yes, I'm using Firefox to jot this, thankyouverymuch.
  • So easy to ... (Score:1)

    by princxixor (613913) on Tuesday August 10 2004, @02:54PM (#9933095)
    ...hack, no wonder it's #1!
  • Trillian (Score:1)

    by Thieron (584668) on Tuesday August 10 2004, @03:27PM (#9933547)
    I started using Trillian a while ago now when I started finding myself using AIM to chat with one group of people and Yahoo another.

    I find it works well (except when yahoo updates something and breaks it for a few days) and they do a good job with updating it. I'd recommend it.
  • by TalMaximus (681873) on Tuesday August 10 2004, @03:31PM (#9933605)
    (Last Journal: Wednesday June 18 2003, @01:36PM)
    Is switching to a supposedly better product really the best idea for this sort of situation? I mean, I'm no expert in this kind of study, but it appears to me that whatever is most popular falls victim to the most attacks. While there are flaws in Windows, security problems exist anywhere there are enough people looking for them. I often hear reports of vulnerabilities in programs like SendMail (or at least I used to), and a great novel was written about a non-Windows based security error. (The Cuckoo's Egg or something like that).

    Is it reasonable to assume that if Gaim, Yahoo Messenger, or any other instant messenger became the most popular (measuring popularity in usage) then wouldn't it risk the same scrutiny that befalls AIM?

    This question doesn't come from biased motivations either. I'm wondering if there has been a study how much scrutiny is placed on a software product in relation to its popularity in usage.

    Perhaps this would call for moderation in all things software? Diversification of your software portfolio? Crazy stuff.
  • by aclidiere (698224) on Tuesday August 10 2004, @05:22PM (#9934769)

    To me, the biggest flaw in AIM is its user interface. It's ugly, it's hard to learn, it's painful to use. I'm sure there's a hundred obvious usability mistakes.

    And, why does a company like AOL feel the need to violate my window real estate with ads? (Animated ads!! Movies!!)
    (Tip to block ads: Set a firewall rule to block any communication with the server ads.web.aol.com)

    What is sad is that Gaim doesn't seem to do much better than AIM. Though more efforts were made on the look, the GUI is still messy. (See the menus, the preference dialog, too many dialogs, etc.)

  • GAIM? Better? (Score:2)

    by Evil Adrian (253301) on Tuesday August 10 2004, @06:17PM (#9935158)
    (http://asdasd/)
    Please, I know someone that uses GAIM and the fucking program can't even paste hyperlinks properly.

    Just because something is FREE doesn't mean it's GOOD.

    But please enlighten me, someone, anyone, why is GAIM so much better than the official AIM client?
  • Don't Forget NAIM! (Score:1)

    by chadpnet (627771) on Tuesday August 10 2004, @09:36PM (#9936208)
    (http://www.chadp.net/)
    http://site.n.ml.org/info/naim/ NAIM is everything I need in an aim client, and more. Encryption, console based, irc+lily+icq compatible, been around forever, etc, etc. And don't forget, combined with screen, it's extremely portable.
  • The original article has left me a little bit confused. It is implied that the bug is with the AIM client, and not the protocol, but is that actually the case? Do we know for sure that other clients -- such as Gaim or iChat -- are not affected by the problem here?

    And if the problem is just with AIM, and everyone that doesn't want to switch clients has to stay with AIM, are we really stuck with the standard AOL-IM suite that the company has been distributing lately? You know, the one that comes bundled with Weatherbug [google.com], which as far as I can tell will install itself with AIM whether or not you want it, and is damned near impossible to remove. Is that really what we're looking at here? Because that sucks big time.

    If this is really the case, then hell with it, I'm going to put Gaim on everyone's desktop at work if AIM exploits become a problem. I'll bet most people probably won't notice the difference, and some will even like that it can be used to talk to the company's internal Jabber server, or other chat protocols.

    But even without that, being able to avoid the mandatory spyware is fine by me...

    Hmmm.....

  • Re:Internet Provider (Score:3, Informative)

    by Chess_the_cat (653159) on Tuesday August 10 2004, @07:50AM (#9928163)
    (http://www.chessthecat.com/)
    You don't have to be an AOL subscriber to use AIM.
  • Re:Solution (Score:2)

    by goetzAThome (797366) on Tuesday August 10 2004, @07:51AM (#9928175)
    Trillian [trillian.cc]
  • Re:Solution (Score:1, Funny)

    by Anonymous Coward on Tuesday August 10 2004, @08:26AM (#9928432)
    I've been "using" Jabber for like 2 years now. Unfortunately I am the ONLY one "using" it. Everyone I talk to uses yahoo, msn, or aim. I still keep myself logged into Jabber via gaim, but I can't convince people to even try Jabber. What's your secret? Bribery? Black mail?
  • gaim recently forked to get this functionality. search on sf.net for it
  • by HFXPro (581079) on Tuesday August 10 2004, @10:57AM (#9930185)
    You must have not used AIM lately. It doesn't install gator, but while installing aim if you're not paying attention it will install both weatherbug and WildTangent? Ever try removing Wild Tangent from your control panel after having removed what you thought was all components. That was a nightmare.
  • by Motherfucking Shit (636021) on Wednesday August 11 2004, @03:10AM (#9937611)
    (http://shaunc.com/ | Last Journal: Saturday June 18 2005, @01:47AM)
    Next time you look at the aol messenger, just check out all the stupid ads that that thing has! And those annoying sounds!
    I know you're trolling, but I'll bite anyway. I haven't seen an AIM ad in a long, long time. Of course, maybe that's because I'm running AIM version 4.8.2616 (Copyright 2001), which you can download at oldversion [oldversion.com]. It supports all of the AIM essentials, including messaging (obviously), chat, file transfer, stock ticker, IM Image, "AIM Phone" voice chat, and all the craptastic buddy icons your friends can find.

    I don't know what sort of bloated junk they're pumping out as the AIM client these days, but ignore it. You're smart enough not to fall for some sort of viral IM, so forget the "latest and greatest," even with a vulnfix. Get one of the legacy builds. 4.8 works fine, has no ads, and oh - it allows you to change or disable the sounds.

    Slickest, smallest, least intrusive messaging app I've ever found, and it has the most intuitive UI of any I've tried (including both Gaim and Trillian). That's why I use AIM and not ICQ, MSN, Yahoo, etc.