1445341
story
thedude13 writes
" Infoworld is running a story about a major security hole in AOL ® Instant Messenger(TM) and how it handles away messages. AIM is vulnerable to a buffer overflow via the auto-response away message mechanism. Yet another reason to switch to, IMHO, a better client such as gaim."
Re:Major erratum in article (Score:3, Interesting)
But.... (Score:4, Interesting)
Re:Major erratum in article (Score:1, Interesting)
And, of course, if it can be done by clicking such a link from your browser, it can be done by any of the means listed in the parent post.
Coincidental... (Score:5, Interesting)
The decision was mostly because of it's cross-platform, cross-service compatibility and "Buddy Pounce" features (and because it's my personal favorite too :)). This way folks can continue to use their personal MSN/AIM IDs without a problem. The Buddy Pounce feature allows a script/macro to be run in response to an event - this feature is particularly useful for us because we can kick of an SMS message for example in response to a message or another event.
Though they don't release Solaris binaries, I did get it to build on Solaris/SPARC with a little effort. I know the Yahoo Messenger UNIX version is open source now, so I could probably try and build it for obscure platforms, but it is IMHO severely cripped compared to the Windows counterpart.
Re:GAIM? Fire too (Score:3, Interesting)
Looks like the Mac version is not vulnerable to this specific bug, as it deals with the way Windows has pluggable protocols for URLs. (Which is not to say that I'm confident the official Mac client has no security problems. I'm not.)
Also, as long as we're mentioning IM clients for the Mac: my favorite is Adium [sourceforge.net]. I'm a little biased, but it has a great UI. (See the About [sourceforge.net] page for screenshots.) libgaim backend, so support for many protocols.
gaim (Score:4, Interesting)
Re:more buffer over flows (Score:4, Interesting)
Re:Major erratum in article (Score:2, Interesting)
http://www.say11.com/personal/byebyeaim.html [say11.com]
Client for your IM needs (Score:2, Interesting)
screen + aterm + irssi + bitlbee
Screen is a full screen window manager, keep something running on a server and detach/attach from anywayere
aterm [linuxreviews.org] is a nice terminal for X11.
irssi is a CLI irc client. Since Bitlbee acts as a normal IRC server, any IRC client can be used. Even CGI::IRC [sourceforge.net], there are several sites that allow you to use MSN/ICQ/JABBER/AIM/etc from a web page [everdot.org].
Bitlbee [bitlbee.org] is a IRC gateway server. Basically it's a irc server where you can add IM accounts. The gateway gives you a "irc channel" with ALL your contacts, whatever they are using.
More: BitlBee Guide - Talk to msn, icq and jabber contacts using any IRC client [linuxreviews.org].
NOTE: The setup has TWO flaws:
1) You can not exchange files (no filetransfer).
2) Bitlbee does not support GPG encryption for secure commuciation (available in jabber clients like gjabber and psi).
Rule of thumb: Original IM providers clients are never the best choice.
Re:more buffer over flows (Score:5, Interesting)
Validating input against assumptions is easy. The hard part is identifying all the assumptions we have to validate against. We often assume things about input without realizing we are assuming them.
For instance: Not too long ago few programmers had any idea they should check input values for SQL control characters before passing it to a database script. They assumed input wouldn't contain any, without realizing they were so assuming.
It's true that many bugs arise from unchecked string lengths, and those are usually pretty easy catch (and to fix), but resolving those problems will only take care of a subset -- though probably a large subset -- of the input-related security flaws out there.
Gaim? (Score:4, Interesting)
--Stephen
Re:Bugfree OSS (Score:2, Interesting)
a more secure approach (Score:5, Interesting)
So if it's a phone number, just numbers (and brackets and a plus for international numbers, and maybe minuses for the transatlantic cousins).
Naturally there is a tradeoff between security and usability - especially if you make a mistake in the permitted characters :-(
Even if you're not going that far, anything that looks like an escape character of any sort should generally be banned. Of course, some names have apostrophes, which could look like 'close quotes' if your app is especially dim.
Just as well there is no strict liability for software bugs!
Open Source Pimpdaddio (Score:3, Interesting)
I know we're all open-source whores here, but even the free version of Trillian is a much better omnipotent IM product as long as we're suggesting alternatives. The level of refinment between the two is lightyears apart. And yes, I'm using Firefox to jot this, thankyouverymuch.