This discussion has been archived.
No new comments can be posted.
AOL IM 'Away' Message Security Hole Found
Related Links Top of the: day, week, month.
"Here's something to think about: How come you never see a headline like `Psychic Wins Lottery.'" -- Comedian Jay Leno
Major erratum in article (Score:5, Informative)
Any web page can launch URLs of the form aim:goaway?message=Anything+goes+here by many different means without user intervention:
- Redirect response codes
- Meta redirect tags
- Frames
- iframes
- Javascript popups
Any one of those methods will change your away message automatically, without any confirmation on your part. And if the part in the message= section is more than 1024 characters, arbitrary code can be executed on your machine.The only sure way to protect yourself against this is to remove the HKEY_CLASSES_ROOT\aim registry key, which will disable the AIM protocol altogether, as explained here [idefense.com].
Re:Major erratum in article (Score:3, Interesting)
Re:Major erratum in article (Score:4, Insightful)
Its not as if anyone can just post a meta-refresh onto the front page of google. A page/server would have to host that javascript/iframe/redirect/etc and you would have to convince someone to visit that in the first place.
Sure, you can use social engineering to get people to visit mysite.com/hack.htm or whatever, but thats exactly what the article is saying - you need to manually visit a malicious page in the first place.
Re:Major erratum in article (Score:4, Insightful)
Seriously, a combo exploit that affected webservers and AIM would net not only thousands of servers but thousands upon thousands of PCs. Individual PCs with no services are difficult to infect by worm with even the most minimal security settings, this would tank thousands of PCs because people are so naive when it comes to the 'net. AIM has always been "safe", they don't want to listen to how it might be "dangerous".
Of course, AOL can push out an update to the client tomorrow, and as long as the next version has more flashing lights, people will download it right away.
Re:Major erratum in article (Score:2)
Re:Major erratum in article (Score:2)
You said so yourself, after a search in google you "would have to click on the URL to trigger the vulnerability..." exactly as the article says.
The point is, just chatting on AIM is not going to have some worm that exploits this thing rip through your system and the entire AOL network.
Re:Major erratum in article (Score:2)
"which will make it harder for malicious hackers or virus writers to use it in automated attacks, Weinstein said. "
The original poster said:
"This is completely and totally wrong."
But it is not. It does make it harder, because just using AIM wont get you 'own3d', you have to visit a malicious URL, regardless of how easily it may be to get people to visit such a URL.
Browser does matter. (Score:3, Informative)
Re:Major erratum in article (Score:3, Insightful)
Not really. A browser seeing an internet protocol it doesn't know how to use basically has two choices: ignore it or let somebody else worry about it. Ignoring it is not a Good Thing, since there clearly are cases where externel URLs are useful (mail:, news:, ed2k:, irc:, and so on).
And considering there already is a database of protocols and installed programs that handle them in the Windows registry it
Re:Major erratum in article (Score:2)
Re:Major erratum in article (Score:2, Interesting)
http://www.say11.com/personal/byebyeaim.html [say11.com]
Registry Fix (Score:3, Informative)
Walkthrough of registry fix for AIM hack [tech-recipes.com]
Look like a good reason to upgrade to trillian to me.
Davak
Re:Registry Fix (Score:2, Flamebait)
Paying someone for a client to access a free service seems about as silly as paying for IE or Netscape.
Visit SourceForge [sourceforge.net] and download GAIM [sourceforge.net] or one of the many open source IM solutions.
Re:Registry Fix (Score:2)
How on Earth did this flamebait get rated highly?
Paying someone for a client to access a free service seems about as silly as paying for IE or Netscape.
Except that Trillian has nice features, a nice interface, really good technical support, and all the features I want. Yeah, I guess I'm a newbie though... only been working with computers for 20 years.
Re:Major erratum in article (Score:5, Informative)
Basically unless you run as a regular "User" or other restricted account in Windows, the AIM fix is only good for one session of AIM.
Victor
A reason to sit at the computer? (Score:5, Funny)
gaim Bug (Score:2, Informative)
Re:gaim Bug (Score:2)
Re:gaim Bug (Score:5, Insightful)
Re:gaim Bug (Score:3, Funny)
more buffer over flows (Score:5, Insightful)
Re:more buffer over flows (Score:3, Insightful)
I always validated my input, even when learning to program BASIC out of the C=64 User's Guide and the advanced Programmer's Reference Guide in my early teens before taking any formal classes in it. I don't think it's too much to ask for people who actually get paid to write this stuff to validate input, no matter where it comes from.
Re:more buffer over flows (Score:5, Interesting)
Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.
For instance: Not too long ago few programmers had any idea they should check input values for SQL control characters before passing it to a database script. They assumed input wouldn't contain any, without realizing they were so assuming.
It's true that many bugs arise from unchecked string lengths, and those are usually pretty easy catch (and to fix), but resolving those problems will only take care of a subset -- though probably a large subset -- of the input-related security flaws out there.
Re:more buffer over flows (Score:2)
Re:more buffer over flows (Score:2)
If I didn't personally initialize the variable then I must explicitly define, through validation, what type of information that variable is carrying. It's not that tough.
They assumed input wouldn't contain any, without realizing they were so assuming
I think the only thing that was assumed is that the input had been validated by the routine or program which generated it. We're faced with a quandry: validate everything and was
a more secure approach (Score:5, Interesting)
So if it's a phone number, just numbers (and brackets and a plus for international numbers, and maybe minuses for the transatlantic cousins).
Naturally there is a tradeoff between security and usability - especially if you make a mistake in the permitted characters :-(
Even if you're not going that far, anything that looks like an escape character of any sort should generally be banned. Of course, some names have apostrophes, which could look like 'close quotes' if your app is especially dim.
Just as well there is no strict liability for software bugs!
Re:more buffer over flows (Score:3, Insightful)
and testability access points than I am trying to get my kids to eat vegetables.
Even tying bonuses to it motivates few.
nasty, but good for you... (Score:2)
Nice analogy :-)
Have you (or the PHBs) tried code review or unit tests? That might get them eating their spinnach, so to speak...
Re:more buffer over flows (Score:4, Interesting)
Re:more buffer over flows (Score:2)
(read: Are you running an Athlon 64?)
Re:more buffer over flows (Score:4, Insightful)
Re:more buffer over flows (Score:2)
Obvious solution. (Score:5, Funny)
Those rebels deserve whatever they get.
But.... (Score:4, Interesting)
Re:But.... (Score:2, Informative)
A URL of the form "aim:goaway?mesage goes here" should work on most machines running AIM to set an away note. Pass too long of a string to that function, and a buffer overflow results.
Re:But.... (Score:2)
Re:But.... (Score:2)
That exploit seems obvious. Wonder if it would work.
Re:But.... (Score:2)
Needs user assistance (Score:4, Informative)
AIM-based worms that need user clicks to spread have already existed for a while. I've already seen one that tempts people to a page that offers a malware ActiveX download, and if the user accepts their AIM profile is changed to advertise the malware site without them realizing what they've done.
So, in short, this one's bad, but there's a pretty easy workaround that'll keep you safe: Hover over the hyperlink before you click on it to see the URL. If it's a mile long, don't click on it.
Re:Needs user assistance (Score:3, Insightful)
I'm not really sure what the problem is. Reading the computer screen is not a difficult or scary task. Understanding words like "install" and "security hazard" and "caution" are not that difficult.
I know it would be terrible UI design, but IE should really scramble the buttons at the bottom of ActiveX Dialogue boxes to keep people from instinctively clicking without reading. There are one
Re:Needs user assistance (Score:2)
1. This is spyware which will download more spyware.
2. This is poorly written and will cause you a lot of problems.
3. There is no uninstaller, or the this is a severe pain to uninstall. Good luck, sucker!
In other words, spyware promotes itself like typical free software people expect. I think your argument would only make sense if there was a legal responsibility to say the above things in normal non-legalese non-techese speak.
Re:Needs user assistance (Score:2)
Surely not.
People are smart enough to know that all things come at a cost.
Re:Needs user assistance (Score:2)
Good rule, if it wasn't for a couple of problems - for a start this is AOL users, not exactly the group most renouned for net-savvyness and reluctance to click every link in sight. Even the length of the URL isn't an indicator with services like shorturl, and I could write a two line perl script that could turn an innocuous looking URL into a redirect to something much nastier (and the chances are it'd work so fast they wouldn't even notice).
URL length isn't really
GAIM? Fire too (Score:3, Informative)
Re:GAIM? Fire too (Score:2, Funny)
Re:GAIM? Fire too (Score:2)
They are all directly installable via the "darwinports" port system [opendarwin.org]
Re:GAIM? Fire too (Score:3, Interesting)
Looks like the Mac version is not vulnerable to this specific bug, as it deals with the way Windows has pluggable protocols for URLs. (Which is not to say that I'm confident the official Mac client has no security problems. I'm not.)
Also, as long as we're mentioning IM clients for the Mac: my favorite is Adium [sourceforge.net]. I'm a little biased, but it has a great UI. (See the About [sourceforge.net] page for screenshots.) libgaim backend, so support for man
worm/virus? (Score:2)
The vulnerability reinforces the importance of using caution when clicking on links in IM messages, especially when they are from unknown correspondents, he said.
This probably would cause some harm but not as much as a worm/virus that would automatically send the malicious URL to all users that are away on your list
Re:worm/virus? (Score:5, Funny)
Don't forget about Trillian for Windoze users (Score:2, Informative)
Think Gaim but pretty!
Jabber & Google (Score:3, Insightful)
It could also seamlessy integrated with GMail, using the same id both as the e-mail address and as JID.
Bye!
Re:Jabber & Google (Score:2)
I'm not so sure the Jabber system would work so well with Google. With Jabber (IIRC) all communications go through a central server. Apart from the privacy concerns, that'd be a helluva lot of bandwidth. Jabber servers are really meant to be implemented at the ISP/company/campus/whatever level. That would still work with having identical email addresses and JID's. Google would either have to come up with some geographically-based set of virtual servers (which they probably already do!) or modify the Jabber
Re:Jabber & Google (Score:2)
Y R U Here? (Score:2)
If this review is something AOL comissioned, good for them. It would be nice, however, if they had an internal QA department that could find these design (act
I use Gaim because it's the best in Linux (Score:2, Insightful)
Gaim works (Score:5, Insightful)
{thongue in cheek mode:ON}
Apparently you have no idea what Open Source Software is either
{/thongue in cheek mode:OFF}
More seriously : Unlike proprietary software, a opensource software whose version number is less than 1.x usually means more "warning: Not all cool function you would like to see are implemented yet" rather than "This software is an expreminental piece of crap, that will keep crashing your OS, please wait until we get out of beta stage before testing it, unless you backup your data often".
Personnaly I've been using Gaim since version 0.5x both under linux at home and under windows at work, and I can say : It's pretty stable. I've been telling my brother and my friends about it and they are happy too.
The only reason it hasn't reached the 1.x milestone isn't because of the bugs, but because there are some features it's still missing (Mainly : some kind of file upload are missing, although things are a lot better since 0.80 ; Support for Webcams, etc
This is a common misconception, and a lot of newbie users can be heard complaining "Linux distro sucks, It' only full of bug ridden software : everything is version 0.xy"
Re:Gaim works (Score:2)
Previous to many of these OSS projects gaining prominence, "1.0" was commonly accepted as the milestone where basic functionality was fully working. The software may not be "done", but it was usable and things would Just Work. This was a de-facto standard used by almost all commercial vendors, which was
I would use it... (Score:2)
Here, I would think that the usual case, where an active open source program at 0.x is better than a commercial product at 6.x, holds true. Gaim v0.81 has over 250+ bug fixes, a few big, many small, and that product is VERY stable and logs into everything. I know 20+ people all on various ports of Gaim and no complaints. Prior to 0.6, it's been a bit hellish, but 0.7+ has been simply sweet. Remember you can install new
Re:I use Gaim because it's the best in Linux (Score:5, Informative)
I have encountered zero bugs with GAIM, which I consider very unusual for anything running on Windows.
Re:I use Gaim because it's the best in Linux (Score:2)
I have had my fair share of Gaim crashes when receiving an email notification (MSN) with international characters in its subject. I've had version 0.78 crash on me for no reason whatsoever. I've also had no progress bar when sending files
GAIM? Trillian? (Score:3, Informative)
or... for win32bies... (Score:3, Informative)
My God! (Score:4, Funny)
Kopete vs Gaim (Score:2)
Re:Kopete vs Gaim (Score:2)
Coincidental... (Score:5, Interesting)
The decision was mostly because of it's cross-platform, cross-service compatibility and "Buddy Pounce" features (and because it's my personal favorite too :)). This way folks can continue to use their personal MSN/AIM IDs without a problem. The Buddy Pounce feature allows a script/macro to be run in response to an event - this feature is particularly useful for us because we can kick of an SMS message for example in response to a message or another event.
Though they don't release Solaris binaries, I did get it to build on Solaris/SPARC with a little effort. I know the Yahoo Messenger UNIX version is open source now, so I could probably try and build it for obscure platforms, but it is IMHO severely cripped compared to the Windows counterpart.
Re:Coincidental... (Score:3, Informative)
http://gaim-encryption.sf.net
Cross-platform, and uses the mozilla NSS libraries which gaim already uses too!
oh god (Score:5, Funny)
Yeah, this wouldn't be such a problem if the average IQ of an AIM user was above 2
MizzIz283334: "LIke, OMG Iz just gots a linky from somewhere!!!11!!oneoneone"
IzLikeBoizzz435435: "OMG u clic it?"
MizzIZ 283334: "OMG WTF BBQ My computer died!!!"
gaim (Score:4, Interesting)
Re:gaim (Score:2)
Re:gaim (Score:2, Informative)
I'm sure you already know this, but gaim-vv [sourceforge.net] is a friendly fork concentrating on the video and voice stuff, so at least they're making an attempt to catch up.
As an aside, I can think of many features where the official clients are/have been behind. When logging was big, the official clients couldn't do that! Another good example is buddy pouncing. Not to mention all the plugins [sourceforge.net]...
Sure, its a great client (Score:2)
Well, that is kind of expected. Not all the protocols are openly documented -- some have to be continously reverse engineered to figure out the latest obfuscation. Frequent changes to Yahoo's auth procedure come to mind (see the changelog).
And you say "a generation behind" as if it is a bad thing. Note the argument "bleeding edge vs bug free". A more mature softwa
Re:gaim (Score:2)
Actually, I *really* wish that all my friends had just stuck with ICQ instead of jumping to AIM (which was faste
Re:gaim (Score:2)
Client for your IM needs (Score:2, Interesting)
screen + aterm + irssi + bitlbee
Screen is a full screen window manager, keep something running on a server and detach/attach from anywayere
aterm [linuxreviews.org] is a nice terminal for X11.
irssi is a CLI irc client. Since Bitlbee acts as a normal IRC server, any IRC client can be used. Even CGI::IRC [sourceforge.net], there are several sites that allow you to use MSN/ICQ/JABBER/AIM/etc from a web page [everdot.org].
Bitlbee [bitlbee.org] is a IRC gateway server. Basically it's a irc server where you can add IM accounts. The gateway
Re:Client for your IM needs (Score:2)
Rule of thumb: Everyone on /. will recommend a solution infinitely more complex than that they suggest replacing
Re:Client for your IM needs (Score:2)
Americanization is probably a better term from a global perspective ;)
I'd switch to gaim.. (Score:2, Insightful)
Bugfree OSS (Score:5, Informative)
We can all sleep better now.
Re:Bugfree OSS (Score:2, Interesting)
Re:Bugfree OSS (Score:3, Informative)
On January 15, gaim development was emailed patches for all 11 existing bugs. A patch was added to CVS that evening, but there was no 0.76 release and no public disclosure by gaim dev (at least on their Sourceforge page - there may have been something sent
Umm is this not a user issue? (Score:2)
Correct me if I'm wrong but this sounds to me like the user has to click something and it isn't automated.... therefore, once again it is stupid users, not software!
Windows (Score:2)
Gaim? (Score:4, Interesting)
--Stephen
Gaim not a full-featured alternative (Score:4, Insightful)
A quick search reveals a fork of the Gaim project here [sourceforge.net], which, err, aims to add video functionality. Looks good from the shots, though I haven't tried it myself.
The point of this is that people should think things through before just spouting off the top of their head. It doesn't help to have people say "yeah, use this free alternative!" and then have people turn round and say it doesn't work. I'd love to recommend a non-AOL AIM client to people, but until AV is handled I simply can't. Same for MSN -all very nice for text and file transfer, but not up to scratch for the advanced functions yet.
Cheers,
Ian
Re:Gaim not a full-featured alternative (Score:2)
Well yes, but that's not an alternative client - it's the official one. Unofficial ones are needed to integrate multiple accounts, and also to operate on different platforms. And NetMeeting is drastically NAT unfriendly - not its fault, just the protocol it implements.
At this moment, for example, I have iChat and Fire open. The reason I have iChat open is purely for the AV side of things - Fire can't handle that.
On Windows, I have Messenger installed too, again to hand
licq (Score:2)
Why all the AOL bashing? (Score:5, Funny)
Open Source Pimpdaddio (Score:3, Interesting)
I know we're all open-source whores here, but even the free version of Trillian is a much better omnipotent IM product as long as we're suggesting alternatives. The level of refinment between the two is lightyears apart. And yes, I'm using Firefox to jot this, thankyouverymuch.
Re:Internet Provider (Score:3, Informative)
Re:Internet Provider (Score:2)
Re:Solution (Score:2)
Re:Why allways plugging FLOSS? (Score:2)
Re:Why allways plugging FLOSS? (Score:2)
Re:Why allways plugging FLOSS? (Score:2)
Re:Why allways plugging FLOSS? (Score:3, Informative)
Re:Proxy Servers... (Score:2)
I'm sure they'll get around to fixing it, that's a fairly low priorty issue. I'd rather see full protocol support added first.
Re:I use the ICQ client. (Score:2)
Re:Gaim security (Score:3, Informative)
Re:This "hole" is just smoke for AOL paid infectio (Score:2)