[18083] in bugtraq
Re: AIM & @stake's advisory
daemon@ATHENA.MIT.EDU (Joseph Testa)
Thu Dec 14 18:26:08 2000
Message-Id:  <5.0.2.1.0.20001213184317.009ea370@vmspop.rit.edu>
Date:         Wed, 13 Dec 2000 19:12:43 -0800
Reply-To: Joseph Testa <jst3290@RITVAX.ISC.RIT.EDU>
From: Joseph Testa <jst3290@RITVAX.ISC.RIT.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi all --
	Nine months ago in March, 2000, I discovered the same vulnerability in AOL
Instant Messenger (back then the latest version was 3.5.18??).  It was a
buffer overflow in AIM's "screenname=" command line argument that is passed
in via the "aim://" protocol of a browser.  I notified AOL, then posted to
both BUGTRAQ and VULN-DEV.  My topic was approved in both forums soon
after, but my thread gained little attention.  In addition, AOL simply
ignored me.
	I didn't do anything about it for two reasons.  First, my school workload
was too great at the time to worry about anything else, and second, I
figured that between all the people on the lists, if my topic was
significant, something would get done.  Since it was basically ignored, I
concluded that I was just a newbie and I set off everyone's "newbie
o'meter" with my post.  Then summer hit, and well, you know....
	And to top it off, a week or two ago I signed onto AIM for the first time
in months and remembered all this.  I made a note to myself to investigate
again on a boring day.  I guess I can cross that off my to-do list!
	- Joe Testa