[ISN] AOL's AIM Puts Browser Security in Danger

From: InfoSec News (isnat_private)
Date: Tue Apr 23 2002 - 22:50:02 PDT


    By Bob Woods
    April 23, 2002

    Attention AOL AIM users -- you've got a pushy program.

    The installation process of AIM on a PC covertly forces Microsoft
    Internet Explorer (IE) browsers to accept "Welcome to America Online"
    at free.aol.com as a "Trusted site," according to an article in
    Security Wire Digest.

    Automatically designating the free.aol.com site as a Trusted site
    allows AOL to install cookies and even run code on a user's PC without
    their knowledge. Internet Explorer's Trusted sites zone contains
    "sites you believe you can download or run files from without
    worrying about damage to your computer or data," according to IE's
    Help file on Trusted zones. "The default security level for the
    Trusted sites zone is Low, therefore, Internet Explorer will allow all
    cookies from Web sites in this zone to be saved on your computer and
    read by the Web site that created them."

    What's more, when a Web site is in the Trusted sites zone, the user is
    not alerted when a cookie or file is downloaded to their PC.
    InstantMessagingPlanet confirmed the compromise on one of our own PCs.

    Rich Mogull, a senior analyst at Gartner Group's Gartner G2's growth
    strategies practice, says AOL's action violated all three elements of
    trust: intent (the desire to operate within the boundaries of an
    agreement), capability (the ability to fulfill the intent) and
    communication (the ability to instill belief in these abilities within
    the consumer/business partner).

    "Businesses that allow the use of AOL Instant Messenger are also
    forced to trust AOL servers, despite whatever security and privacy
    settings (those businesses) have in place," Mogull said. "By forcing
    browsers to trust AOL, it violates the boundaries of the users'
    understanding of the relationship ... By making these changes without
    notifying the user, AOL has failed to communicate either intent or

    AOL's practice is particularly troubling, Mogull said, since it is
    vulnerable to an insidious and well-known cyber attack known as
    "cross-site scripting," which allows an attacker to inject malicious
    code onto a system by hiding it as legitimate code from free.aol.com.
    GartnerG2 (and InstantMessagingPlanet) recommends that companies
    carefully evaluate their policies on employee use of downloaded
    software and services. They should also employ security mechanisms to
    limit the damage that unapproved trust relationships may cause. And a
    company's IT staff should evaluate terms and conditions for any free
    or commercial off-the-shelf software used within the enterprise.

    Also, AOL's action can be undone directly from the IE browser. To
    start the process, a user should go to the Tools menu and select
    "Internet Options." By clicking on the "Security" tab, highlighting
    "Trusted sites" and then clicking on the "Sites" button, a list of
    Trusted sites appears. Highlighting the "free.aol.com" site and
    clicking "Delete" rids the browser and the user's PC of the security
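    The same check and revert can be scripted for a fleet rather than clicked through per PC. The following PowerShell is an added example, not part of the article or of AOL's software: it reads the per-user zone map that Internet Explorer keeps in the registry (Domains\<domain>[\<subdomain>], one value per scheme holding the zone id, with 2 meaning Trusted sites), lists every host in that zone, and reverts a named entry. The function names and the audit output format are this example's own; machine-wide and policy mappings under HKLM are assumed out of scope.

```powershell
# Added example, not from the article: audit the per-user Internet Explorer
# zone map and flag hosts placed in the Trusted sites zone. IE stores each
# mapping as Domains\<domain>[\<subdomain>] with one value per scheme
# ('http', 'https' or '*') holding the zone id. Machine-wide and policy
# mappings live under HKLM and are not checked here (assumption of scope).
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IeZoneMapping {
    param([string]$Root = $ZoneMapRoot)
    if (-not (Test-Path -Path $Root)) { return }
    foreach ($key in Get-ChildItem -Path $Root -Recurse) {
        # Key path relative to Domains, e.g. 'aol.com\free', read back as free.aol.com
        $rel = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9) -split '\\'
        $hostName = $rel[($rel.Count - 1)..0] -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            if ($scheme -eq '') { continue }        # skip the (Default) value
            $zoneId = [int]$key.GetValue($scheme)
            [pscustomobject]@{
                Host   = $hostName
                Scheme = $scheme
                ZoneId = $zoneId
                Zone   = $ZoneNames[$zoneId]
                Key    = $key.Name
            }
        }
    }
}

function Remove-IeTrustedSite {
    # Registry equivalent of Internet Options > Security > Trusted sites > Sites > Delete
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$HostName)
    Get-IeZoneMapping | Where-Object { $_.Host -eq $HostName -and $_.ZoneId -eq 2 } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Scheme)://$($_.Host)", 'Remove Trusted sites mapping')) {
            Remove-ItemProperty -Path "Registry::$($_.Key)" -Name $_.Scheme
        }
    }
}

# Report every host in the Trusted sites zone; an entry the user never added is the finding
Get-IeZoneMapping | Where-Object { $_.ZoneId -eq 2 } | Format-Table Host, Scheme, Zone -AutoSize

# Dry run of reverting the entry the article describes (drop -WhatIf to apply)
Remove-IeTrustedSite -HostName 'free.aol.com' -WhatIf
```

    Running the audit before and after installing any downloaded software makes a silent zone change visible, which is the control the article's recommendation on unapproved trust relationships calls for.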
    AOL officials were not immediately available for comment on this

    Security Wire Digest also reported earlier this month that a new
    IM-based worm is gaining ground by offering "free porn." The worm,
    which the publication called "low-risk," is spread by both AIM and IRC
    clients and is called W32.Aphex@mm or W32.Aplore@mm. It spreads in the
    chat window area by a hyperlink that consists of a single period with
    an attachment named psecure20x-cgi-install.version6.01.bin.hx.com.

    If a user runs the program, it drops a Visual Basic (.vbs) script and
    then uses standard techniques to mass-mail itself to all addresses in
    the user's Microsoft Outlook address book. The worm also connects to
    some IRC channels and attempts to infect IRC users. Blocking .com
    attachments in a user's IM client can help mitigate the risk, and the
    worm doesn't carry a destructive payload.

    Bob Woods is the managing editor of InstantMessagingPlanet.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Apr 24 2002 - 01:54:26 PDT