After I wrote the article below and posted it on BUG-Traq, then wrote a similar article that was posted on Observers.Net, AOL re-patched their servers.
Synopsis:
After everything that has happened, with the Game Invite Crash, File Crash, Buddy Kill, etc., AOL has been in the media a lot. After much negative press attention they patched their AIM servers to protect users against these attacks and released new versions of Instant Messenger. Sometime in the middle of January, you could no longer use Nemisis AIM Suite, AIM Filter, or AIM Interceptor to exploit these bugs. Upon execution of a Buddy List Kill Attack with AIM Suite (a DoS attack that locks up Windows AIM 4.7 and the first 4.8 beta with an overly large buddy list), you would receive 'Error Code 14' from the server in your IM window. AOL's server-side block of this bug protected the target from having their client frozen. Now it seems that after the press attention died down they have given up their server-side block of this attack, and it can once again be exploited. The newest AIM Beta 4.8.2646 is not vulnerable to this attack.
Implications:
The problem is that when a user goes to www.AIM.com to download AIM, they are not given the chance outright to download the newest beta; you have to dig around the site to find the beta download page. Instead, mass amounts of users are downloading AIM 4.7, which is STILL vulnerable to the Buddy Kill DoS attack. Why AOL fixed this problem on the server side and then un-fixed it, I can only speculate. One person said, in defense of AOL, that you can go to
My AIM -- Edit Options -- Edit Preferences...
Go to the Sign On/Sign Off category.
In the Autoupgrade box, select Notify me when a new version is available and pick Beta and Final Releases.
This is very true, but one cannot expect every single AIM user to even know that this feature exists. Could un-patching their servers be an attempt by AOL to get users downloading their Beta software? The new AIM Beta has a feature that allows you to send ALERTS to your mobile device (e.g. pager or cellphone) and I'm sure it also sends advertisements. You can view the ALERTS page at http://alerts.aol.com/index.psp
Risk:
The risk of not keeping their server-side patch in place is huge. Anyone with the widely distributed Local Proxies Nemisis AIM Suite, AIM Interceptor, or AIM Filter can crash any user that has not upgraded to AIM 4.8.2646. This shows a total lack of care on AOL's part for their free users.
Fix:
For those who are wary of downloading any new Beta versions of AIM from AOL (and aren't we all), there is still the Local Proxy alternative of Nemisis AIM Suite, AIM Interceptor, or AIM Filter, which are available at www.dreamscapeprod.com/nemisis
Local Proxies like the above get in between the AIM client and server, and can offer protection against the many AIM DoS attacks that AOL has failed to fix.
-Nemisis