The Honolulu Advertiser

Posted on: Thursday, January 3, 2002

Instant Messenger security hole found

Advertiser News Services

America Online, the biggest Internet service, said some versions of its AOL Instant Messenger program have a security flaw that could allow users to take control of other computers and send viruses.

The problem affects the newest as well as many earlier versions of AOL's Instant Messenger program, which boasts more than 100 million users.

Only the Windows version is at risk — the Instant Messenger versions for Macintosh, Palm and other platforms are not. America Online Internet access service customers are safe as well.

The company expects to patch the flaw on its own computers within the next two days, so consumers won't need to download a software fix, AOL spokesman Andrew Weinstein said.

Weinstein said the company didn't know of anyone who had been affected by the flaw. He wouldn't elaborate on the problem.

Instant messaging is one of the most popular activities on the Internet because it allows consumers to exchange short, real-time e-mails. Such programs, offered by companies including Microsoft and Yahoo! Inc., also let people see if their friends are online.

The problem came to light when an international team released a program that turns the most popular instant-messaging program into a key that invades from the Internet to unlock many home computers.

The group, founded by a 19-year-old Utah college student, discovered the security hole. The hole, called a "buffer overflow" problem, is similar to a vulnerability recently found in Microsoft's Windows XP.

"You could do just about anything: delete files on the computer or take over the machine," said Matt Conover, founder of w00w00.

Conover said w00w00 has more than 30 active members from 14 states and nine foreign countries.

Until AOL's fix is released, Conover said, Instant Messenger users should restrict incoming messages to friends on their "Buddy Lists."

"It will at least keep someone from attacking you at random," Conover said.

But even that wouldn't help if the attack code were added to a virus that propagates without the victim's knowledge.

AOL said it has given its users no advice in the interim.

Conover, who attends Utah State University, said the group found the problem several weeks ago but didn't contact AOL until after Christmas.

The group didn't get any response from AOL to an e-mail sent during the holiday week, he said, so w00w00 released details of the flaw — and a program that takes advantage of it — to public security mailing lists less than a week later.

The program released by w00w00 remotely shuts down a user's Instant Messenger program but could be modified to do more sinister things.

That practice is under scrutiny by security professionals. While some independent researchers argue for a "full disclosure" policy and say software vendors are trying to hide their mistakes, many companies say users are better protected if companies have time to react.

"I think that's pretty dangerous," said Chris Wysopal of the security company AtStake, "especially since they pretty much acknowledged that they hadn't gotten a response back from AOL yet."

Russ Cooper, who moderates a popular security mailing list and works for the security firm TruSecure, said Conover's action is irresponsible because it helps hackers.

"I think it's better to provide details of the exploit and then let other people write the actual code," Cooper said. "It lets the technical community have the information they need without letting idiots have the information they want."

Cooper said he let Conover send the information through his mailing list but did so only after noticing it had been released through other channels as well.

Conover said w00w00 set a New Year's deadline for sentimental reasons, because it was the anniversary of the group's last major security release.

He defended the disclosure of the attack program because "it means providing all the information we have available to the security community."