[ISN] Security hole in AOL Instant Messenger leaves computers vulnerable to remote takeover

From: InfoSec News (isnat_private)
Date: Wed Jan 02 2002 - 22:11:53 PST

  • Next message: InfoSec News: "[ISN] Security exec picked for board"

    http://www.nandotimes.com/technology/story/209392p-2020627c.html
    
    By D. IAN HOPPER, Associated Press 
    
    WASHINGTON (January 2, 2002 3:21 p.m. EST) - A security hole in AOL 
    Time Warner's Instant Messenger program used by millions of computer 
    users can let a hacker take control of a victim's computer, security 
    researchers and the company have said.
    
    An AOL spokesman said the problem will be fixed soon, and users won't 
    have to download anything.
    
    "We have identified the issue and have developed a resolution that 
    should be deployed in the next day or two," AOL's Andrew Weinstein 
    said. "To our knowledge, this issue has not affected any users."
    
    The problem affects newest versions as well as many earlier iterations 
    of AOL's Instant Messenger program.
    
    Discovered by a loose team of international researchers called 
    'w00w00,' the hole is a "buffer overflow," like the problem recently 
    found in Microsoft's Windows XP.
    
    By sending a stream of junk messages to the program, a hacker can 
    overwhelm the software and make the victim's computer run any commands 
    the hacker wants.
    
    "You could do just about anything, (you could) delete files on the 
    computer or take over the machine," w00w00 founder Matt Conover said.
    
    Conover said w00w00 has over 30 active members from 14 states and nine 
    countries. Until AOL's fix is released, Conover said, Instant 
    Messenger users should restrict incoming messages to friends on their 
    "Buddy List."
    
    "It will at least keep someone from attacking you at random," Conover 
    said, but it wouldn't help if the attack code is added to a virus that 
    propagates without the victim's knowledge. AOL said it has not given 
    its users any advice in the interim.
    
    Conover said the group found the problem several weeks ago, but didn't 
    contact AOL until after Christmas. The group didn't get any response 
    from AOL through an e-mail during the holiday week, he said, so w00w00 
    released details - and a program that takes advantage of it - to 
    public security mailing lists less than a week later.
    
    The program released by w00w00 remotely shuts down a person's Instant 
    Messenger program, but could be modified to do more sinister things.
    
    That practice is under scrutiny by security professionals. While some 
    independent researchers argue for a "full disclosure" policy and say 
    software vendors are trying to cover up their mistakes, many companies 
    say users are better protected if the company has time to react.
    
    Russ Cooper, who moderates a popular security mailing list and works 
    for security firm TruSecure, said Conover's actions are irresponsible.
    
    "I think it's better to provide details of the exploit and then let 
    other people write the actual code," Cooper said. "Unfortunately, 
    these are fundamentally naive people with a very childish view of the 
    world."
    
    Cooper said he let Conover send the information out through his 
    mailing list, but only did so after noticing it was released through 
    other channels as well.
    
    Conover said w00w00 set a New Year's deadline for sentimental reasons, 
    because it was the anniversary of the group's last major security 
    release. He defended the disclosure of the attack program.
    
    "This is the approach that w00w00 has historically taken to the 
    problem," he said. "For us it means providing all the information we 
    have available to the security community."
    
    AOL's Weinstein said the company would have appreciated more warning.
    
    "We'd encourage any software programmer that discovers a vulnerability 
    to bring it to our attention prior to releasing it," Weinstein said. 
    
    [ http://www.w00w00.org/ ]
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Jan 03 2002 - 09:17:24 PST