[ISN] AIM vulnerability resurfaces

From: InfoSec News (isnat_private)
Date: Mon May 06 2002 - 00:29:57 PDT

  • Next message: InfoSec News: "[ISN] [defaced-commentary] Deceptive Duo in the news again"

    By Robert Lemos 
    Staff Writer, CNET News.com
    May 5, 2002, 9:00 PM PT
    AOL Time Warner failed to properly fix a security hole in its AOL
    Instant Messenger application, leaving its users vulnerable to a new
    way to exploit the same flaw, a security researcher said this weekend.
    The current incarnation of the bug could have been just as dangerous
    as the previous version, publicized in January, allowing malicious AIM
    users the ability to execute any program on a vulnerable user's
    computer, said Matt Conover, a hacker with a security research group
    known as "w00w00."
    "This is almost identical to the problem we found originally, and
    that's saddening," he said. "By using a slightly different method, we
    are able to get around the filtering they used to protect against the
    last flaw."
    Last time, the error occurred in how the "add game" command handled a
    request from another user. This time, the error occurs when a
    malicious AIM user sends an overly long "add external application"  
    command to another user. Known as a buffer overflow, the error allows
    an attacker to execute a program on the victim's computer.
    After being notified by w00w00, AOL Time Warner fixed the problem by,
    again, applying a filter to its instant messaging servers, said
    Conover. Because the fix can be done to AOL's own machines, the
    protection is immediate, he added.
    Attempts to confirm the fix Sunday with an AOL Time Warner
    representative were unsuccessful, however.
    While Conover said AOL responded quickly to the flaw this time, the
    group still had to use private contacts formed during the last
    security incident; AOL Time Warner still does not publish a central
    security contact for its software.
    "There is still no way to publicly contact them, which means that they
    haven't learned anything from the last incident," he said.
    Moreover, while AOL Time Warner's fix prevents the current hole from
    being used to attack another user or to spread worms or viruses
    through instant message chats, Conover worries that an online vandal
    may find another method that could also elude AOL's fix.
    "I definitely don't think they did enough to secure the IM client," he
    said. "The responded quickly to this instance of the flaw, but if they
    stop there, I think they are being lazy."
    Because AOL Time Warner fixed only a specific instance of the flaw
    rather than the network security problems that lead to the
    vulnerability, the company could see a third strike against its
    instant messaging client, he said.
    "All the code that requests one user to add something from another
    user needs to be looked at," he said.
    The statement echoes another that the w00w00 security team made in its
    January 1 advisory for the original flaw.
    "This may be more generic and exploitable through other means, but AOL
    has not released enough information about their protocol for us to be
    able to determine that," the group warned.
    Until AOL has taken its security to heart, Conover said he believes
    instant messenger users should think about moving to a new software
    "We recommend that people use an IM provider that has a means to deal
    with security issues, because--right now--AOL doesn't," he said.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon May 06 2002 - 04:01:33 PDT