[ISN] Instant Messenger flaw fixed; hackers criticized for little warning

From: InfoSec News (isnat_private)
Date: Fri Jan 04 2002 - 03:03:57 PST

    By D. IAN HOPPER, Associated Press 
    WASHINGTON (January 3, 2002 1:07 p.m. EST) - As AOL Time Warner
    engineers opened their presents and spent time with their families, a
    team of young hackers planned a holiday surprise: exposing a major
    security hole in one of the company's flagship programs.
    The international group released a program that turns AOL's Instant
    Messenger into a key that could unlock many home computers. Now the
    hackers are being criticized by security experts for not giving AOL
    sufficient time to react.
    The group, founded by a 19-year-old Utah college student, discovered a
    security hole in AOL's Instant Messenger program that can let a hacker
    take control of a victim's computer, the company confirmed Wednesday.
    AOL fixed the problem at its central networks Thursday.
    "The issue was resolved early this morning and was handled on the
    server side, so users do not have to download anything or take any
    other action," AOL spokesman Andrew Weinstein said. "To our knowledge,
    no users were affected by this issue prior to its resolution."
    The problem affected the newest as well as many earlier versions of
    AOL's Instant Messenger program, which boasts more than 100 million
    users. Only the Windows version was at risk; Instant Messengers for
    Macintosh, Palm and other platforms were not. America Online Internet
    access service customers were not affected either.
    "You could do just about anything: delete files on the computer or
    take over the machine," said Matt Conover, founder of the hackers'
    group, "w00w00."
    Conover said w00w00 has more than 30 active members from 14 states and
    nine foreign countries. Until AOL's fix is released, Conover said,
    Instant Messenger users should restrict incoming messages to friends
    on their "Buddy Lists."
    "It will at least keep someone from attacking you at random," Conover
    said. But even that wouldn't help if the attack code were added to a
    virus that propagated without the victim's knowledge.
    Conover, who attends Utah State University, said the group found the
    problem several weeks ago but didn't contact AOL until after
    Christmas. The group didn't get any response to an e-mail sent to AOL
    during the holiday week, he said, so w00w00 released details - and a
    program that takes advantage of it - to public security mailing lists
    less than a week later.
    The program released by w00w00 remotely shuts down a user's Instant
    Messenger program but could be modified to do more sinister things.
    That practice is under scrutiny by security professionals. While some
    independent researchers argue for a "full disclosure" policy and say
    software vendors are trying to hide their mistakes, many companies say
    users are better protected if companies have time to react.
    "I think that's pretty dangerous," said Chris Wysopal of the security
    company AtStake, "especially since they pretty much acknowledged that
    they hadn't gotten a response back from AOL yet."
    Russ Cooper, who moderates a popular security mailing list and works
    for the security firm TruSecure, said Conover's action was
    irresponsible because it helped hackers.
    "I think it's better to provide details of the exploit and then let
    other people write the actual code," Cooper said. "It lets the
    technical community have the information they need without letting
    idiots have the information they want."
    Conover said w00w00 set a New Year's deadline for sentimental reasons,
    because it was the anniversary of the group's last major security
    release. He defended the disclosure of the attack program because "it
    means providing all the information we have available to the security
    AOL's Weinstein said the company would have appreciated more warning.
    "We'd encourage any software programmer that discovers a vulnerability
    to bring it to our attention prior to releasing it," Weinstein said.
    ISN is currently hosted by Attrition.org