SillyDog701

[DJGM]

A rather serious security hole has been found in AOL Instant Messenger.

AOL Instant Messenger "Away" Message Buffer Overflow Vulnerability

Secunia Advisory: SA12198 Print Advisory
Release Date: 2004-08-09

Critical: [*][*][*][*][ ]
Highly critical
Impact: System access
Where: From remote

Software: AOL Instant Messenger 5.x

Description: Ryan McGeehan has reported a vulnerability
in AOL Instant Messenger (AIM), which potentially can be
exploited by malicious people to compromise a user's system.

Also . . .

The vulnerability has been confirmed in v5.5.3595.
Other versions may also be affected.

NOTE: Various other issues were also reported, where a large
amount of resources can be consumed on a user's system.

Solution:
The vendor was contacted but has not responded.

Use another product.

Full technical details available in the Secunia advisory . . .

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803

[Z_God]

It only seems to apply to the Windows version of the AIM.com client or does it also apply to the Netscape version of AIM, that I would expect most Sillydog visitors to use

UserAgent: Mozilla/5.0 (compatible; Konqueror/3.2; Linux) (KHTML, like Gecko)

[Don_HH2K]

I doubt this bug is present in the Netscape version, that's integrated into Netscape. NIM is not a full port of AIM, rather just a different version (notice that AIM uses ActiveX controls while NIM uses DLL files). Because AIM uses ActiveX controls, they can use that as a backdoor as well, so that also poses a problem for MS to update (once again!!!).
Although, with the Windows GDI leak, you don't know if it's a buffer overflow or just having too many windows/tabs open.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

[Antony]

AIM is the only instant messaging I use. I use Apple's iChat.

Now, is the iChat safe?

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8

[Don_HH2K]

iChat is probably safe as well, since it's more like Trillian than AIM, in the sense that it's not the same code (or is based on the same code) as AIM.

Secunia advises to use another product, so I'm guessing they are backing the fact that other programs do not have this vulnerability.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

[Al]

Aol may have to stop using ActiveX. And I think iChat is probaly safe

UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

[Andrew T.]

I also see that the vulnerability does not affect the older AOL Instant Messanger 4.x releases, that were bundled with Netscape Communicator 4.x and which I use on Windows 95. I doubt that they utilize ActiveX controls either.

UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040616

[Don_HH2K]

It appears that those used both ActiveX (OCM) files and dynamic libraries (DLL).
I may be wrong, but would someone be able to verify this by looking at AIM's SmartUpdate JAR for Communicator 4.8?

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

[Wellander]

Hi,
Most programs use dll's

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040803

[Don_HH2K]

Hi,
Most programs use dll's

That is true, but AIM uses a combination of DLLs and ActiveX controls.
If you have AIM installed, go to your AIM install directory, there will be multiple ActiveX controls and DLL files.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

[Al]

Good girfe that I don't use AIM, does MSN Messenger use ActiveX scripts?

UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

[Don_HH2K]

Good girfe that I don't use AIM, does MSN Messenger use ActiveX scripts?

Of course it does, it's Microsoft software!!
If you think about it, the small ad down at the bottom is probably being hosted by IE.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

[Al]

OH brother... I hate MS software, except for NT based and VPC

UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

[Mandrake]

Then why do you use it?

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

[Al]

Then why do you use it?

Heck I bought it in 2000 because it was cheap and Macs are expensive and they still are, but I plan to switch to a PBookG4

UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3