
Watch Out! Big time security hole in AOL instant Messenger


Old 01-02-02, 09:34 PM
  #1  
DVD Talk Hall of Fame
Thread Starter
 
Lateralus's Avatar
 
Join Date: Jun 2001
Location: Valley of Megiddo
Posts: 9,569
Watch Out! Big time security hole in AOL instant Messenger

Wednesday January 2 3:39 PM ET
New Hole in AOL Instant Messenger
By D. IAN HOPPER, AP Technology Writer

WASHINGTON (AP) - A security hole in AOL Time Warner's Instant Messenger program used by millions of people worldwide can let a hacker take full control of a victim's computer, according to security researchers and the company.

An AOL spokesman said the problem will be fixed soon, and users won't have to download anything.

``We have identified the issue and have developed a resolution that should be deployed in the next day or two,'' AOL's Andrew Weinstein said. ``To our knowledge, this issue has not affected any users.''

The problem affects the newest versions as well as many earlier iterations of AOL's Instant Messenger program. Only the Windows version is at risk - Instant Messenger for Macintosh, Palm and other platforms are not.

Discovered by a loose team of international researchers called 'w00w00,' the hole is a ``buffer overflow,'' like the problem recently found in Microsoft's Windows XP.

By sending a stream of junk messages to the program, a hacker can overwhelm the software and make the victim's computer run any commands the hacker wants.

``You could do just about anything, (you could) delete files on the computer or take over the machine,'' w00w00 founder Matt Conover said.

Conover said w00w00 has over 30 active members from 14 states and nine countries. Until AOL's fix is released, Conover said, Instant Messenger users should restrict incoming messages to friends on their ``Buddy List.''

``It will at least keep someone from attacking you at random,'' Conover said, but it wouldn't help if the attack code is added to a virus that propagates without the victim's knowledge. AOL said it has not given its users any advice in the interim.

Conover said the group found the problem several weeks ago, but didn't contact AOL until after Christmas. The group didn't get any response from AOL through an e-mail during the holiday week, he said, so w00w00 released details - and a program that takes advantage of it - to public security mailing lists less than a week later.

The program released by w00w00 remotely shuts down a person's Instant Messenger program, but could be modified to do more sinister things.

That practice is under scrutiny by security professionals. While some independent researchers argue for a ``full disclosure'' policy and say software vendors are trying to cover up their mistakes, many companies say users are better protected if the company has time to react.

Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover's actions are irresponsible.

``I think it's better to provide details of the exploit and then let other people write the actual code,'' Cooper said. ``Unfortunately, these are fundamentally naive people with a very childish view of the world.''

Cooper said he let Conover send the information out through his mailing list, but only did so after noticing it was released through other channels as well.

Conover said w00w00 set a New Year's deadline for sentimental reasons, because it was the anniversary of the group's last major security release. He defended the disclosure of the attack program.

``This is the approach that w00w00 has historically taken to the problem,'' he said. ``For us it means providing all the information we have available to the security community.''

AOL's Weinstein said the company would have appreciated more warning.

``We'd encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it,'' Weinstein said.

------------------------------------------------------------------------------------------------------

Anybody Wanna IM me?

Just wanna give everybody a heads up.

Link here
Old 01-02-02, 09:38 PM
  #2  
DVD Talk Hall of Fame
 
Join Date: Oct 2000
Location: The Sports and Pr0n Forum
Posts: 7,811
From what I heard this is ONLY if you use the gaming feature through AIM
Old 01-02-02, 09:42 PM
  #3  
DVD Talk Hall of Fame
Thread Starter
 
Lateralus's Avatar
 
Join Date: Jun 2001
Location: Valley of Megiddo
Posts: 9,569
Originally posted by Virus
From what I heard this is ONLY if you use the gaming feature through AIM
Well statements like this make me wonder: "Until AOL's fix is released, Conover said, Instant Messenger users should restrict incoming messages to friends on their ``Buddy List.'' "
Old 01-02-02, 09:45 PM
  #4  
DVD Talk Hero
 
Join Date: Aug 2000
Location: Bartertown due to it having a better economy than where I really live, Buffalo NY
Posts: 29,706
glad I use trillian

Last edited by mikehunt; 01-02-02 at 09:51 PM.
Old 01-02-02, 09:45 PM
  #5  
X
Administrator
 
X's Avatar
 
Join Date: Oct 1987
Location: AA-
Posts: 10,764
http://www.dvdtalk.com/forum/showthr...hreadid=170890
Old 01-02-02, 09:47 PM
  #6  
DVD Talk God
 
twikoff's Avatar
 
Join Date: Feb 2000
Location: Right Behind You!!!
Posts: 79,497
Originally posted by mikehunt
glad I use trillian
Old 01-02-02, 09:56 PM
  #7  
DVD Talk Legend
 
Join Date: Feb 2001
Posts: 14,812
Hmmm...maybe it's time to use Trillian again. Do they incorporate AIM's chat feature now?
Old 01-02-02, 09:59 PM
  #8  
DVD Talk Special Edition
 
Join Date: Nov 2000
Location: Huh? Wha?
Posts: 1,251
Originally posted by criptik28
Hmmm...maybe it's time to use Trillian again. Do they incorporate AIM's chat feature now?
Yes they do
Old 01-03-02, 09:18 AM
  #9  
Mod Emeritus
 
Join Date: Feb 1999
Location: Central Vermont
Posts: 3,883
Originally posted by mikehunt
glad I use trillian
ditto
