Bugtraq mailing list archives
Re: AIM & @stake's advisory
From: Joseph Testa <jst3290 () RITVAX ISC RIT EDU>
Date: Wed, 13 Dec 2000 19:12:43 -0800
Hi all -- Nine months ago in March, 2000, I discovered the same vulnerability in AOL Instant Messenger (back then the latest version was 3.5.18??). It was a buffer overflow in AIM's "screenname=" command line argument that is passed in via the "aim://" protocol of a browser. I notified AOL, then posted to both BUGTRAQ and VULN-DEV. My topic was approved in both forums soon after, but my thread gained little attention. In addition, AOL simply ignored me.

I didn't do anything about it for two reasons. First, my school workload was too great at the time to worry about anything else, and second, I figured that between all the people on the lists, if my topic was significant, something would get done. Since it was basically ignored, I concluded that I was just a newbie and I set off everyone's "newbie o'meter" with my post. Then summer hit, and well, you know....

And to top it off, a week or two ago I signed onto AIM for the first time in months and remembered all this. I made a note to myself to investigate again on a boring day. I guess I can cross that off my to-do list!

- Joe Testa