New hole in AOL Instant Messenger lets hackers take over
D. Ian Hopper
Associated Press
Published Jan 3 2002
WASHINGTON -- Even AOL Time Warner, the king of the
instant message, wasn't fast enough for a team of brash young
hackers out to prove themselves.
Without waiting for the multibillion-dollar conglomerate to
return from a holiday break, an international team released a
program that turns the most popular instant-messaging
program into a key that invades from the Internet to unlock
many home computers.
The group, founded by a 19-year-old Utah college student,
discovered a security hole in AOL's Instant Messenger program
that can let a hacker take control of a victim's computer, the
company confirmed Wednesday.
An AOL spokesman said the problem will be fixed soon, and
users won't have to do anything.
``We have identified the issue and have developed a resolution
that should be deployed in the next day or two,'' AOL's
Andrew Weinstein said. ``To our knowledge, this issue has not
affected any users.''
The problem affects the newest as well as many earlier versions
of AOL's Instant Messenger program, which boasts more than
100 million users. Only the Windows version is at risk - Instant
Messenger for Macintosh, Palm and other platforms are not.
America Online Internet access service customers are safe as
well.
The hole, called a ``buffer overflow'' problem, is similar to
vulnerability recently found in Microsoft's Windows XP.
``You could do just about anything: delete files on the computer
or take over the machine,'' said Matt Conover, founder of
``w00w00.''
Conover said w00w00 has more than 30 active members from
14 states and nine foreign countries. Until AOL's fix is
released, Conover said, Instant Messenger users should restrict
incoming messages to friends on their ``Buddy Lists.''
``It will at least keep someone from attacking you at random,''
Conover said. But even that wouldn't help if the attack code
were added to a virus that propagated without the victim's
knowledge. AOL said it has given its users no advice in the
interim.
Conover, who attends Utah State University, said the group
found the problem several weeks ago but didn't contact AOL
until after Christmas. The group didn't get any response from
AOL to an e-mail sent during the holiday week, he said, so
w00w00 released details - and a program that takes advantage
of it - to public security mailing lists less than a week later.
The program released by w00w00 remotely shuts down a user's
Instant Messenger program but could be modified to do more
sinister things.
That practice is under scrutiny by security professionals. While
some independent researchers argue for a ``full disclosure''
policy and say software vendors are trying to hide their
mistakes, many companies say users are better protected if
companies have time to react.
``I think that's pretty dangerous,'' said Chris Wysopal of the
security company AtStake, ``especially since they pretty much
acknowledged that they hadn't gotten a response back from
AOL yet.''
Russ Cooper, who moderates a popular security mailing list and
works for security firm TruSecure, said Conover's actions are
irresponsible because it helps hackers.
``I think it's better to provide details of the exploit and then let
other people write the actual code,'' Cooper said. ``It lets the
technical community have the information they need without
letting idiots have the information they want.''
Cooper said he let Conover send the information out through
his mailing list but did so only after noticing it had been
released through other channels as well.
Conover said w00w00 set a New Year's deadline for
sentimental reasons, because it was the anniversary of the
group's last major security release. He defended the disclosure
of the attack program because ``it means providing all the
information we have available to the security community.''
Microsoft, which has had much experience dealing with
security researchers, has worked in recent months to develop
standards for releasing potentially destructive information.
AOL's Weinstein said the company would have appreciated
more warning.
``We'd encourage any software programmer that discovers a
vulnerability to bring it to our attention prior to releasing it,''
Weinstein said.
---
On the Net: AOL Instant Messenger: aim.aol.com
w00w00: w00w00.org
© Copyright 2002 Star Tribune. All rights reserved. |
