Forwarded from: McDonald Patrick <mcdonald_patrickat_private> Unbelievable, AOL writes poor code throughout not just one but several versions of its Instant Messenger program and Ian Hopper portrays w00w00 as the villain. w00w00 provides AOL with free research and exploit code and a week's worth of time to formulate any sort of response. If AOL had responded to the advisory to say they were in the process of reviewing it, I could understand the outcry. How does long it take to send an email stating, we received your advisory, someone will be contacting you with X days? You can automate that. At least then AOL could have pretended they made the attempt to patch this quietly. AOL is obligated to its customers to investigate problems, which affect their security, not w00w00. Matt Conover and company notified people that they were vulnerable and provided assistance for those wishing to protect themselves. AOL did nothing of the sort of which I am aware. No notification on its home page or the instant messenger download page were made. AOL requires an email address to establish an IM account. As Jericho pointed with Microsoft, this could be used to allow AOL to notify customers. In fact, one could be led to wonder if AOL would have said anything if w00w00 had gone public. "AOL spokesman Andrew Weinstein said. 'To our knowledge, no users were affected by this issue prior to its resolution.'" How would Andrew Weinstein know this? We know from my above paragraph that AOL did not contact any users about the vulnerability. How is Joe Snuffy user supposed to know that his computer was hacked by an IM exploit? What Andrew should have said was its a good thing no one could trace hacks of machines because IM back to us. As for Matt Conover supplying exploit code, Russ Cooper needs to wake up. Is Matt Conover the only person capable of writing the exploit? Highly unlikely. Could Matt's program have aided script kiddies? More than likely. Could Matt's program help computer users? Most assuredly. It allows people to verify whether is advisory is correct (how many times have we seen advisories that are outrageously wrong or suffer from slight errors) and whether their systems are vulnerable and later whether the patch worked. Hell AOL could have used it the moment they received w00w00's email to prove they had a problem. I am sure AOL used it test IM once they patched it. Thanks to those who read my little rant. Feel free to send comments, criticisms, and such. Pat -----Original Message----- From: owner-isnat_private [mailto:owner-isnat_private]On Behalf Of InfoSec News Sent: Friday, January 04, 2002 6:04 AM To: isnat_private Subject: [ISN] Instant Messenger flaw fixed; hackers criticized for little warning http://www.nandotimes.com/technology/story/209997p-2027064c.html By D. IAN HOPPER, Associated Press WASHINGTON (January 3, 2002 1:07 p.m. EST) - As AOL Time Warner engineers opened their presents and spent time with their families, a team of young hackers planned a holiday surprise: exposing a major security hole in one of the company's flagship programs. The international group released a program that turns AOL's Instant Messenger into a key that could unlock many home computers. Now the hackers are being criticized by security experts for not giving AOL sufficient time to react. The group, founded by a 19-year-old Utah college student, discovered a security hole in AOL's Instant Messenger program that can let a hacker take control of a victim's computer, the company confirmed Wednesday. AOL fixed the problem at its central networks Thursday. "The issue was resolved early this morning and was handled on the server side, so users do not have to download anything or take any other action," AOL spokesman Andrew Weinstein said. "To our knowledge, no users were affected by this issue prior to its resolution." [...] - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 10:34:02 PST