Yet another reason I choose not to use AIM.

modest mouse

New Hole in AOL Instant Messenger

By D. IAN HOPPER, AP Technology Writer

WASHINGTON (AP) - A security hole in AOL Time Warner's Instant
Messenger program used by millions of people worldwide can let a
hacker take full control of a victim's computer, according to security
researchers and the company.

An AOL spokesman said the problem will be fixed soon, and users
won't have to download anything.

``We have identified the issue and have developed a resolution that
should be deployed in the next day or two,'' AOL's Andrew Weinstein
said. ``To our knowledge, this issue has not affected any users.''

The problem affects the newest versions as well as many earlier
iterations of AOL's Instant Messenger program. Only the Windows
version is at risk - Instant Messenger for Macintosh,
Palm and other platforms are not.

Discovered by a loose team of international researchers called
'w00w00,' the hole is a ``buffer overflow,'' like the problem recently
found in Microsoft's Windows XP.

By sending a stream of junk messages to the program, a hacker can
overwhelm the software and make the victim's computer run any
commands the hacker wants.

``You could do just about anything, (you could) delete files on the
computer or take over the machine,'' w00w00 founder Matt Conover
said.

Conover said w00w00 has over 30 active members from 14 states and
nine countries. Until AOL's fix is released, Conover said, Instant
Messenger users should restrict incoming messages to friends on their
``Buddy List.''

``It will at least keep someone from attacking you at random,'' Conover
said, but it wouldn't help if the attack code is added to a virus that
propagates without the victim's knowledge. AOL said it has not given its
users any advice in the interim.

Conover said the group found the problem several weeks ago, but
didn't contact AOL until after Christmas. The group didn't get any
response from AOL through an e-mail during the holiday week, he said,
so w00w00 released details - and a program that takes advantage of it -
to public security mailing lists less than a week later.

The program released by w00w00 remotely shuts down a person's
Instant Messenger program, but could be modified to do more sinister
things.

That practice is under scrutiny by security professionals. While some
independent researchers argue for a ``full disclosure'' policy and say
software vendors are trying to cover up their mistakes, many companies
say users are better protected if the company has time to react.

Russ Cooper, who moderates a popular security mailing list and works
for security firm TruSecure, said Conover's actions are irresponsible.

``I think it's better to provide details of the exploit and then let other
people write the actual code,'' Cooper said. ``Unfortunately, these are
fundamentally naive people with a very childish view of the world.''

Cooper said he let Conover send the information out through his mailing list, but only did so after
noticing it was released through other channels as well.

Conover said w00w00 set a New Year's deadline for sentimental reasons, because it was the
anniversary of the group's last major security release. He defended the disclosure of the attack
program.

``This is the approach that w00w00 has historically taken to the problem,'' he said. ``For us it means
providing all the information we have available to the security community.''

AOL's Weinstein said the company would have appreciated more warning.

``We'd encourage any software programmer that discovers a vulnerability to bring it to our attention
prior to releasing it,'' Weinstein said.

-

On the Net: AOL Instant Messenger: http://www.aim.aol.com

w00w00: http://www.w00w00.org
 
It seems like they found the problem before it was a problem.
Isn't this a good thing?

But then again I didn't read the whole thing. :rolleyes:
 
I have one good reason to use it, and she is too stubborn to use one of the other 3 messengers I have.

Talk some sense into her Chef, I'm counting on ya.
 
modest mouse said:
I have one good reason to use it, and she is too stubborn to use one of the other 3 messengers I have.

Talk some sense into her Chef, I'm counting on ya.

Nope... I like having her there... just because you lost the ultimatum.

Hmmmm maybe wednesday....
 
I've heard the same thing about ICQ, Yahoo, and chat rooms that you find..... But one reason why I don't use AOL that much is the security. I have an AOL account and I rarely use it for the simple reason, I received porn mail from Address to My Address and I didn't send it... and have found a few others that have had that problem as well... somehow people can get your AOL password and be you when you are not on... and that pissed me off... AIM, I use all the time tho.... out of all that I have used and tried, I like it best with ICQ next....

E
 
I lost?

Goddamnit! I thought I was merely lying in wait; ready to pounce.

I will simply have to visit her in person and install another messenger against her will.
 
Hey... I already told her you are driving to her for photos... and I'll kick in fuel money
 
Hackers can access your computer just by you being online.. they don't need AIM, MSN, Yahoo or ICQ to do it..

that's why I run Black Ice Defender at all times..
 
Chef's check is in the mail, my car is warmed up, film in the camera...here I come.

Take heed my friend...install a backup messenger, or I shall appear on your doorstep.
 
Originally posted by Nobody Special
I've heard the same thing about ICQ, Yahoo, and chat rooms that you find..... But one reason why I don't use AOL that much is the security. I have an AOL account and I rarely use it for the simple reason, I received porn mail from Address to My Address and I didn't send it... and have found a few others that have had that problem as well... somehow people can get your AOL password and be you when you are not on... and that pissed me off... AIM, I use all the time tho.... out of all that I have used and tried, I like it best with ICQ next....

E
It sounds like the sender is forging the address to conceal the actual sender. That is quite a bit easier to do than hacking your password unless your password is very simple and obvious.
 
I haven't tried AIM. I had ICQ but people were spamming me every 5 minutes. It was sooo annoying.

I have MSN now and there's no problems.

oh, except that it's DOWN half the time!
 