Free Republic

New hole in AOL Instant Messenger lets hackers take over
AP | 1/2/01 | D. Ian Hopper

Posted on 01/02/2002 11:32:41 AM PST by Native American Female Vet

By D. Ian Hopper, Associated Press, 1/2/2002 15:02

WASHINGTON (AP) A security hole in AOL Time Warner's Instant Messenger program used by millions of users worldwide can let a hacker take full control of a victim's computer, according to security researchers and the company.

An AOL spokesman said the problem will be fixed soon, and users won't have to download anything.

''We have identified the issue and have developed a resolution that should be deployed in the next day or two,'' AOL's Andrew Weinstein said. ''To our knowledge, this issue has not affected any users.''

The problem affects newest versions as well as many earlier iterations of AOL's Instant Messenger program.

Discovered by a loose team of international researchers called 'w00w00,' the hole is a ''buffer overflow,'' like the problem recently found in Microsoft's Windows XP.

By sending a stream of junk messages to the program, a hacker can overwhelm the software and make the victim's computer run any commands the hacker wants. ''You could do just about anything, (you could) delete files on the computer or take over the machine,'' w00w00 founder Matt Conover said.

Conover said w00w00 has over 30 active members from 14 states and nine countries. Until AOL's fix is released, Conover said, Instant Messenger users should restrict incoming messages to friends on their ''Buddy List.''

''It will at least keep someone from attacking you at random,'' Conover said, but it wouldn't help if the attack code is added to a virus that propagates without the victim's knowledge. AOL said it has not given its users any advice in the interim.

Conover said the group found the problem several weeks ago, but didn't contact AOL until after Christmas. The group didn't get any response from AOL through an e-mail during the holiday week, he said, so w00w00 released details and a program that takes advantage of it to public security mailing lists less than a week later.

The program released by w00w00 remotely shuts down a person's Instant Messenger program, but could be modified to do more sinister things.

That practice is under scrutiny by security professionals. While some independent researchers argue for a ''full disclosure'' policy and say software vendors are trying to cover up their mistakes, many companies say users are better protected if the company has time to react.

Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover's actions are irresponsible.

''I think it's better to provide details of the exploit and then let other people write the actual code,'' Cooper said. ''Unfortunately, these are fundamentally naive people with a very childish view of the world.''

Cooper said he let Conover send the information out through his mailing list, but only did so after noticing it was released through other channels as well.

Conover said w00w00 set a New Year's deadline for sentimental reasons, because it was the anniversary of the group's last major security release. He defended the disclosure of the attack program.

''This is the approach that w00w00 has historically taken to the problem,'' he said. ''For us it means providing all the information we have available to the security community.''

AOL's Weinstein said the company would have appreciated more warning.

''We'd encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it,'' Weinstein said.

On the Net:

AOL Instant Messenger: http://www.aim.aol.com

w00w00: http://www.w00w00.org


TOPICS: Extended News; News/Current Events

1 posted on 01/02/2002 11:32:43 AM PST by Native American Female Vet

To: Native American Female Vet
''We'd encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it,'' Weinstein said

Yeah, right. Like anyone can get AOL to respond to anything. I'm still waiting for them to explain why they dump half of my email from conservative sources. They can't -- or won't. But, usually, they don't even reply at all.

2 posted on 01/02/2002 11:39:49 AM PST by Exigence

To: Native American Female Vet
Mac users need not worry (of course). Mac AIM is not troubled by this massive security hole. Read the dirty details here. Windows + AOL AIM users should be turning off AIM asap.

Another great day not to be a Windows or AOL user.

3 posted on 01/02/2002 11:44:55 AM PST by toupsie

To: Native American Female Vet
Duh... I saw the calls in AOL5 to the TAPI driver and the buffer overrun about 3 months back. I contacted AOL and spoke with a Tech Weenie (telemarketer) at tech support.

Yeah if there is an AOL_Buffer_Overflow@aol.com address where intelligent life resided then it "would have been reported."

The Buddy list "even if turned off" through the menu runs and launches and then creates a DNS connection. It is full of stinking overruns and has some stinking calls to 16bit dlls. I documented this.

OK freerepublic another assertion: IF you have VBA 5.3 or Visual Basic 6 and Access 2000 on a windows 2000 computer... guess what????? BUFFER OVERRUNS!

See QDOC304548: http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q304548

In the event you are interested in learning more about buffer overruns then download: http://www.sysinternals.com/ntw2k/source/regmon.shtml.

If you use these tools with the appropriate filters you will be surprised at how loose commercial software is: http://www.sysinternals.com/ntw2k/utilities.shtml

"Error accessing file. Network connection may have been lost." is another fancy name for a call to Microsoft's website that creates a buffer overrun because VBA6.dll is versioned as 5.3.

Oh yeah.. I'll be sure to call tech support about that as well. YAWN!

4 posted on 01/02/2002 12:05:09 PM PST by taxbreak

To: toupsie
From http://www.w00w00.org/advisories/aim.html

UPDATES:
1. AOL will be fixing this in the server side within a day or two.
2. Versions dating back to at least AIM 4.3 are vulnerable
3. Inline AIM in Netscape is not vulnerable

I don't see any mention of AIM for linux(*nix) being vulnerable, so I guess it's safe. As always, avoid the deadly combination of Windoze, I.E., and Outl••k, or do your surfing on a box that does not have anything important on the hard drive.

5 posted on 01/02/2002 12:25:32 PM PST by backslacker

To: Native American Female Vet
This is important, since the w00w00 group has released a program to hack AOL instant messenger users.
6 posted on 01/02/2002 12:30:58 PM PST by topher

To: Exigence
I'm still waiting for them to explain why they dump half of my email from conservative sources.

Do you still get porn spam?

7 posted on 01/02/2002 12:32:46 PM PST by Askel5

To: Native American Female Vet
I rarely use AOL but Instant Messenger has to be the most annoying feature. AOL is the email/browser of choice for those who are quite computer illiterate.
8 posted on 01/02/2002 12:35:45 PM PST by GSWarrior

To: backslacker
Windows + Explorer + Outlook == Data Death! :)
9 posted on 01/02/2002 12:37:56 PM PST by toupsie

To: Native American Female Vet
Hmmmm...I thought so. Someone must have taken over a few Freeper PC's...judging by some of their non-conservative, terrorist-hugging, peacenik posts here. ;-)
10 posted on 01/02/2002 12:38:27 PM PST by TopDog2

To: Askel5
Honestly, what is with the porn spam on AOL. My wife is a relatively new computer user, and she likes the simplicity of AOL. But, she gets tons of vile porn spam (bestiality and incest stuff). I don't know how they even get her email address--she never uses it to register for anything, she doesn't go to chat rooms and only a few friends and family have it. Anyone else having this problem? AOL doesn't seem to care about it.
11 posted on 01/02/2002 12:43:57 PM PST by TankerKC

To: TankerKC
Honestly, what is with the porn spam on AOL.

Good government.

Eyeless in Gaza: Sexual Liberation as Political Control

12 posted on 01/02/2002 12:48:04 PM PST by Askel5

To: Native American Female Vet
AIM and ICQ are like having a big neon sign on the internet saying HACK ME! HACK ME!
13 posted on 01/02/2002 1:00:49 PM PST by RedBloodedAmerican

To: RedBloodedAmerican
Unfortunately I'm learning that the hard way. I've never trusted AOL, and don't use them as an ISP, but my 11 yr old badgered me into downloading Instant Messenger so she could natter with her friends. It seemed harmless enough, since I blocked everything but access to her buddy list with strict instructions that she was not to add anyone else without clearing it with me first. However, 5 days after download, my Paypal account was invaded to the tune of several thousand charged against my credit card.
14 posted on 01/02/2002 1:37:03 PM PST by Mygirlsmom

To: Mygirlsmom
Ouch. How are you getting it reimbursed? I had my VISA hacked from Prodigy's website (I dumped them right away) and my bank which owned the VISA said if any money was stolen it was *my* responsibility!! ARGGHHH!!
15 posted on 01/02/2002 1:41:03 PM PST by RedBloodedAmerican

To: GSWarrior
AOL is the email/browser of choice for those who are quite computer illiterate.

I hear people say this all the time, and I don't really get it. I have used AOL in the past, as well as IE and Netscape. How is using AOL any more "dumbed down" than any other browser? They all seem to work the same for me. Type in your url and go. Maybe I'm computer illiterate, but I'd really like to know.

16 posted on 01/02/2002 1:44:01 PM PST by southern rock

To: RedBloodedAmerican
Still in process, so I don't know yet. My credit card company says I will have to dispute the charges, since I authorized the credit card use through Paypal by linking the two accounts. Paypal claims they should have it all resolved prior to my needing to do that, but their communication (or lack of) leaves much to be desired.
17 posted on 01/02/2002 1:46:16 PM PST by Mygirlsmom

To: southern rock
I shouldn't have made such a sweeping statement. For those who don't have a lot of computer experience, AOL is probably the best way to go. It is set up so even the most computer illiterate person can enjoy the web (well, except for my landlady). Myself, I don't want to click on pictographs and I don't want all my friends to necessarily know when I am online (Instant Messenger/Buddy List).

Have you ever been on the help line? uhhhhhhhhh.... They treat everyone like a total dunce who has to be walked through even the most basic tasks. You couldn't pay me enough to work at their help desk.

18 posted on 01/02/2002 1:51:30 PM PST by GSWarrior

To: Native American Female Vet
Sounds very much like FRs' notification.
19 posted on 01/02/2002 1:56:34 PM PST by It'salmosttolate

To: southern rock
AOL is the email/browser of choice for those who are quite computer illiterate.

Don't worry, they're not. Go to Google and do a search for "Diary of an AOL User". You'll laugh so hard you'll wet your pants.

20 posted on 01/02/2002 2:20:40 PM PST by peabers
