RE: [ISN] Instant Messenger flaw fixed; hackers criticized for little warning

From: InfoSec News (isnat_private)
Date: Sun Jan 06 2002 - 23:31:11 PST

    Forwarded from: McDonald Patrick <mcdonald_patrickat_private>

    Unbelievable, AOL writes poor code throughout not just one but several
    versions of its Instant Messenger program and Ian Hopper portrays
    w00w00 as the villain.  w00w00 provides AOL with free research and
    exploit code and a week's worth of time to formulate any sort of
    response.  If AOL had responded to the advisory to say they were in
    the process of reviewing it, I could understand the outcry.  How long
    does it take to send an email stating, we received your advisory,
    someone will be contacting you within X days?  You can automate that. At
    least then AOL could have pretended they made the attempt to patch
    this quietly.

    AOL is obligated to its customers to investigate problems, which
    affect their security, not w00w00.  Matt Conover and company notified
    people that they were vulnerable and provided assistance for those
    wishing to protect themselves.  AOL did nothing of the sort of which I
    am aware.  No notification on its home page or the instant messenger
    download page was made.  AOL requires an email address to establish
    an IM account.  As Jericho pointed out with Microsoft, this could be used
    to allow AOL to notify customers.

    In fact, one could be led to wonder if AOL would have said anything if
    w00w00 had gone public.  "AOL spokesman Andrew Weinstein said. 'To our
    knowledge, no users were affected by this issue prior to its
    resolution.'"  How would Andrew Weinstein know this?  We know from my
    above paragraph that AOL did not contact any users about the
    vulnerability.  How is Joe Snuffy user supposed to know that his
    computer was hacked by an IM exploit?  What Andrew should have said
    was it's a good thing no one could trace hacks of machines because of IM
    back to us.

    As for Matt Conover supplying exploit code, Russ Cooper needs to wake
    up. Is Matt Conover the only person capable of writing the exploit?
    Highly unlikely.  Could Matt's program have aided script kiddies?
    More than likely.  Could Matt's program help computer users?  Most
    assuredly.  It allows people to verify whether the advisory is correct
    (how many times have we seen advisories that are outrageously wrong or
    suffer from slight errors) and whether their systems are vulnerable
    and later whether the patch worked. Hell, AOL could have used it the
    moment they received w00w00's email to prove they had a problem.  I am
    sure AOL used it to test IM once they patched it.

    Thanks to those who read my little rant.  Feel free to send comments,
    criticisms, and such.

    -----Original Message-----
    From: owner-isnat_private [mailto:owner-isnat_private] On Behalf Of InfoSec News
    Sent: Friday, January 04, 2002 6:04 AM
    To: isnat_private
    Subject: [ISN] Instant Messenger flaw fixed; hackers criticized for little warning

    By D. IAN HOPPER, Associated Press

    WASHINGTON (January 3, 2002 1:07 p.m. EST) - As AOL Time Warner
    engineers opened their presents and spent time with their families, a
    team of young hackers planned a holiday surprise: exposing a major
    security hole in one of the company's flagship programs.

    The international group released a program that turns AOL's Instant
    Messenger into a key that could unlock many home computers. Now the
    hackers are being criticized by security experts for not giving AOL
    sufficient time to react.

    The group, founded by a 19-year-old Utah college student, discovered a
    security hole in AOL's Instant Messenger program that can let a hacker
    take control of a victim's computer, the company confirmed Wednesday.
    AOL fixed the problem at its central networks Thursday.

    "The issue was resolved early this morning and was handled on the
    server side, so users do not have to download anything or take any
    other action," AOL spokesman Andrew Weinstein said. "To our knowledge,
    no users were affected by this issue prior to its resolution."