Bugtraq mailing list archives
Re: AIM & @stake's advisory
From: Joseph Testa <jst3290 () RITVAX ISC RIT EDU>
Date: Wed, 13 Dec 2000 19:12:43 -0800
Hi all --
Nine months ago in March, 2000, I discovered the same vulnerability in AOL
Instant Messenger (back then the latest version was 3.5.18??). It was a
buffer overflow in AIM's "screenname=" command line argument that is passed
in via the "aim://" protocol of a browser. I notified AOL, then posted to
both BUGTRAQ and VULN-DEV. My topic was approved in both forums soon
after, but my thread gained little attention. In addition, AOL simply
ignored me.
I didn't do anything about it for two reasons. First, my school workload
was too great at the time to worry about anything else, and second, I
figured that between all the people on the lists, if my topic was
significant, something would get done. Since it was basically ignored, I
concluded that I was just a newbie and I set off everyone's "newbie
o'meter" with my post. Then summer hit, and well, you know....
And to top it off, a week or two ago I signed onto AIM for the first time
in months and remembered all this. I made a note to myself to investigate
again on a boring day. I guess I can cross that off my to-do list!
- Joe Testa
