RE: AIM Backdoor?

From: Christian Piper (Christianat_private)
Date: Tue Apr 09 2002 - 14:19:14 PDT


    Just to confirm I replied to Mike about this, here is what I sent him.
    
    -------------------------------------------------------------------
    Sorry my mistake, I should have posted some relevant links, I also think it's
    a high security risk.
    
    http://www.informationweek.com/story/IWK20010927S0021
    
    Here's a snippet from the site mentioned ...
    
    "
    AOL/Netscape Undermines Your Browser Security Settings
    AOL/Netscape's abuse of browser security settings first came to my attention
    when reader Michael G. Baker, Jr. sent this alarming E-mail:
    
    
      "When a user downloads or updates AIM, free.aol.com is added to the users'
    IE Trusted Sites Zone. This also happens if you download Netscape6.x with
    integrated AIM. It is one thing for them to put that free.aol.com link
    everywhere when you download N6, even in IE's bookmarks, but quite another
    thing to mess with security settings. Although mostly harmless, it is the
    principle. I don't think this is right. If this was Microsoft messing with a
    Netscape security setting, all hell would break loose."
    It's true. Without so much as a by-your-leave, AOL software inserts
    "free.aol.com" into your IE browser's "Trusted Zone." Talk about an
    aggressive installation routine!
    
    The IE Trusted Zone's security permissions are intentionally relaxed.
    Scripts and ActiveX components can run (some with no prompting); downloads
    are enabled; Java safety is low; cross-domain data-sourcing is allowed;
    there's no alert when a site's security certificate is missing or revoked;
    and so on. Normally, that's OK, because the only sites in the Trusted Zone
    are those you put there yourself, after you decide that a site is entirely
    above-board. (Even so, many security-conscious users put no sites in the
    Trusted Zone, leaving nothing to chance or goodwill, and instead enforcing
    at least the "Internet Zone" restrictions on all Web sites.)
    
    By automatically placing its own site in the Trusted Zone, AOL creates a
    double security threat. If you (or your users) download and install Netscape
    6.x, AIM, or any product with integrated AIM, not only do you have to cope
    with the inherent problems of an IM client itself, but you'll also have AOL
    set up as trusted site. That can bypass the browser security settings you've
    established for normal Internet connections.
    
    To me, this is clearly a very wrong thing to do. No site, from any vendor,
    should set itself up to bypass your normal browser security settings.
    (Microsoft's browser should not allow such changes to be made covertly--but
    IE's problems are a whole other issue.) Free.aol.com may be relatively
    harmless, but there's nothing to prevent a malicious site from trying to set
    itself up as either a trusted site on its own, or as a spoofed, malicious
    version of free.aol.com."
    
    Hope this helps.
    Christian Piper
    
    -------------------------------------------------------------
    
    Thank You
    Christian Piper
    
    ----- Original Message -----
    From: "Ralph Los" <RLosat_private>
    To: <mikedat_private>; <incidentsat_private>
    Sent: Tuesday, April 09, 2002 5:33 PM
    Subject: RE: AIM Backdoor?
    
    
    > Yessir, I just double-checked my newly installed WinXP Pro machine, and lo
    > and behold - there's free.aol.com.  I quickly removed it, duh, thanks for
    > the heads-up!  I wonder how many of us will do this in the next 10 minutes?
    >
    > Happy Tuesday all,
    >
    > ----------------------------------------|
    > Ralph M. Los
    > Sr. Security Engineer and Trainer
    >           EnterEdge Technology, L.L.C.
    >           rlosat_private
    >           (770) 955-9899 x.206
    > ----------------------------------------|
    >
    > ::-----Original Message-----
    > ::From: mikedat_private [mailto:mikedat_private]
    > ::Sent: Monday, April 08, 2002 10:19 PM
    > ::To: incidentsat_private
    > ::Subject: AIM Backdoor?
    > ::
    > ::
    > ::
    > ::Repost attempt, dunno why it didn't go through the first time.
    > ::
    > ::
    > ::
    > ::I have had AIM installed here at work for a while. While
    > ::trying to repair the security zone settings on a user's PC by
    > ::comparing them to my own, I noticed that free.aol.com had
    > ::been added to Internet Explorer's "Trusted Sites" zone.
    > ::
    > ::If a simple minded user clicks one of the many "Free AOL and
    > ::Unlimited Internet" icons on their system, or one of the
    > ::5,800 links to this domain that Google turns up, AOL can run
    > ::the code of their choice without prompting.
    > ::
    > ::Anyone care to verify my findings or find a CSS vulnerability
    > ::on free.aol.com? Does an employee of AOL care to comment?
    > ::
    > :: -Mike
    > ::
    > ::
    > ::----------------------------------------------------------------------------
    > ::This list is provided by the SecurityFocus ARIS analyzer
    > ::service. For more information on this free incident handling,
    > ::management and tracking system please see: http://aris.securityfocus.com
    > ::
    > ::
    >
    >
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 14:36:07 PDT
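
The check Mike and Ralph describe in this thread can be repeated without opening Internet Options. The following is an added example, not part of the original messages: it lists every site mapped to the Trusted sites zone (zone 2) under the per-user and per-machine ZoneMap registry keys. The function name and the `Approved` allowlist parameter are hypothetical.

```powershell
# Added example: audit Internet Explorer site-to-zone mappings on this machine.
# Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites,
# 3 Internet, 4 Restricted sites.
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-TrustedSiteEntry {
    param(
        [string[]]$Root = $ZoneMapRoots,
        [int]$Zone = 2,
        [string[]]$Approved = @()   # hypothetical allowlist: sites you added yourself
    )
    foreach ($r in $Root) {
        if (-not (Test-Path -Path $r)) { continue }
        Get-ChildItem -Path $r -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            # Key layout is Domains\<domain>\<subdomain>, e.g. Domains\aol.com\free
            $rel   = $key.Name -replace '^.*\\ZoneMap\\Domains\\', ''
            $parts = @($rel -split '\\')
            [array]::Reverse($parts)
            $site  = $parts -join '.'
            foreach ($name in $key.GetValueNames()) {
                # Value name is the protocol (http, https, *); data is the zone number
                if ($key.GetValue($name) -eq $Zone) {
                    [pscustomobject]@{
                        Site     = $site
                        Protocol = $name
                        Zone     = $Zone
                        Hive     = $r.Substring(0, 4)
                        Approved = ($Approved -contains $site)
                    }
                }
            }
        }
    }
}

# Entries nobody approved sort first; free.aol.com would appear here if an
# installer added it as described in the thread.
Get-TrustedSiteEntry | Sort-Object Approved, Site | Format-Table -AutoSize
```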