CDRInfo Forum

AOL Messenger Vulnerable! - 8/10/2004 12:13:53 PM   
SiliconFreak


Posts: 12104
Joined: 7/4/2003
From: Melbourne, Victoria, AUS
Status: offline
Secunia and Internet Security Systems have reported a vulnerability in AOL Instant Messenger (AIM), which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the handling of "Away" messages and can be exploited to cause a stack-based buffer overflow by supplying an overly long "Away" message (about 1024 bytes). A malicious website can exploit this via the "aim:" URI handler by passing an overly long argument to the "goaway?message" parameter.

Successful exploitation allows execution of arbitrary code on a user's system when e.g. a malicious website is visited with certain browsers.

The vulnerability has been confirmed in version 5.5.3595. Other versions may also be affected.

NOTE: Various other issues were also reported, where a large amount of resources can be consumed on a user's system.

Solution:
The vendor has contacted Secunia and recommends that users install a beta version, which addresses the vulnerability, or remove support for the "aim:" URI handler by deleting the "HKEY_CLASSES_ROOT\aim" registry key.


Source : InSourced
Post #: 1
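
Added example, not part of the original posts or of the advisory: a defensive scanner that finds "aim:" URIs in page source or proxy log text and flags any whose "goaway?message" argument decodes to a suspiciously long value. The 512-byte alert threshold, the function name and the sample lines are assumptions constructed for illustration; the post above only says the overflow occurs at about 1024 bytes.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumption: alert well below the ~1024 bytes mentioned in the post.
ALERT_BYTES = 512

# An aim:goaway URI runs until whitespace, a quote or an angle bracket.
AIM_URI = re.compile(r"aim:goaway\?([^\s\"'<>]*)", re.IGNORECASE)


def find_long_away_uris(text, limit=ALERT_BYTES):
    """Return (offset, decoded_length) for every aim:goaway URI whose
    message argument decodes to `limit` bytes or more."""
    hits = []
    for m in AIM_URI.finditer(text):
        # HTML attributes may carry the separator as &amp;
        query = m.group(1).replace("&amp;", "&")
        for part in query.split("&"):
            name, _, value = part.partition("=")
            if name.lower() != "message":
                continue
            # Measure the decoded size: percent-encoding inflates the raw
            # string, so raw length alone over-reports.
            size = len(unquote_to_bytes(value.replace("+", " ")))
            if size >= limit:
                hits.append((m.start(), size))
    return hits


# Constructed sample input (not taken from any real page or log).
SAMPLE = "\n".join([
    'href="aim:goaway?message=Back+in+5+minutes"',       # 17 bytes decoded
    'href="aim:goaway?message=' + "%20" * 200 + '"',     # 600 chars raw, 200 bytes
    'href="AIM:GoAway?Message=' + "A" * 1100 + '"',      # 1100 bytes decoded
])

if __name__ == "__main__":
    for offset, size in find_long_away_uris(SAMPLE):
        print(f"offset {offset}: away message decodes to {size} bytes")
```
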
AOL Messenger Vulnerable! (UPDATE!) - 8/11/2004 8:40:20 AM   
LinuxMarshall

 

Posts: 757
Joined: 3/4/2004
From: Yorkshire, United Kingdom (UK)
Status: offline
Here is today's news about this issue...

AOL updates AIM to fix flaw

America Online yesterday [US] posted a beta of its popular instant messaging client that fixes a vulnerability made public just a day before, and will follow up this week with a patch for the current version, 5.5.

A pair of security firms warned AIM users of a flaw that could let hackers load their own code into compromised machines.

The beta of AIM 5.9 fixes the vulnerability, said AOL spokesperson Krista Thomas. But it's not the only way users will be able to plug the hole.

"We're not necessarily recommending that everyone download the beta," she said. "We'll be posting a fix for AIM 5.5 that (addresses) the security issue."

The update to AIM 5.5, which first launched in February, will be available on the AIM website.

AIM 5.9, which is expected to roll out in final form this fall, includes several new features and enhancements besides the vulnerability fix.

The instant messaging client now integrates with America Online's "You've Got Pictures" photo service, offers one click access to such AOL features as its Net radio stations, and includes a new toolbar that provides a pop-up blocker and web search field.

The beta version of AOL Instant Messenger (AIM), dubbed 5.9.3672, can be downloaded from the AIM website.



Source : TechWeb

(in reply to SiliconFreak)
Post #: 2
RE: AOL Messenger Vulnerable! (UPDATE!) - 8/11/2004 8:45:11 AM   
SiliconFreak


Posts: 12104
Joined: 7/4/2003
From: Melbourne, Victoria, AUS
Status: offline
Thanks Marshall for keeping us up-to-date with this issue...

I am delighted to see that users read our forums and also post updated news if they come across it before we do...

Thanks again!

(in reply to LinuxMarshall)
Post #: 3