Users login

Create an account »


Users login

Home » Hacking News » AIM Crashes, AOL Ignores the new bug. Big suprise

AIM Crashes, AOL Ignores the new bug. Big suprise

by Nikola Strahija on October 3rd, 2001 A bug in America Online's AOL Instant Messenger program for Windows allows a malicious user to crash the computer of other AIM users, security experts advised today.

The attack, which may have been in use underground for some time, involves sending an AOL Instant Messenger (AIM) user a specially crafted instant message. Upon receipt of the notification of the message, the victim's computer will crash and require re-starting.

The denial of service bug affects the current edition of AIM for Windows, version 4.7.2480, as well as earlier releases. According to AOL, more than 100 million people have registered to use the company's instant messaging service.

AOL officials were not immediately available for comment on the bug report.

Source code to a program called "AIMrape," which exploits the flaw, was posted on the Internet Tuesday. According to the program's author, Tony Lambiris, he did not discover the bug but created AIMrape as a "public proof of concept" after reading about the issue on Vuln-Dev, a security mailing list.

Under the default configuration of AIM, the malicious user does not need to be on the victim's buddy list for the attack to be successful, he said.

The attack exploits a buffer overflow bug in the AIM for Windows client. By sending another AIM user a message containing 798 instances of a special string of characters, a malicious user can force the victim's PC to crash.

Because the AIM client software limits the number of characters that can be sent in an instant message, an AIM user can't simply cut and paste the buffer overflow code into the program's message area to crash another user's computer, according to Lambiris, a member of a hacking group known as Angrypacket.

As a result, AIMrape requires that the user have installed an open-source version of the AIM client software known as Libfaim. AOL's AIM servers automatically sign off users who connect with Libfaim and other unauthorized clients after a few minutes, but it is possible to sign back on again after waiting a moment, according to Lambiris.

Because of the special skills needed to make AIMrape work, Lambiris said it is unlikely the program can be operated by average computer users.

Until a fix for the buffer overflow flaw is available from AOL, concerned AIM users can protect against the denial of service attack by using AIM Express, the Web-based version of the service. Users can also use the "Privacy" tab in the program's Preferences section to block all or selected users from sending IMs.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »