
AIM vulnerability resurfaces

  • From: alerts@xxxxxxxxxxx
  • To: cybercrime-alerts@xxxxxxxxxxxxx
  • Date: Mon, 06 May 2002 01:58:30 -0400

By Robert Lemos
Staff Writer, CNET News.com
May 5, 2002, 9:00 PM PT

AOL Time Warner failed to properly fix a security hole in its AOL Instant 
Messenger application, leaving its users vulnerable to a new way to exploit the 
same flaw, a security researcher said this weekend.

The current incarnation of the bug could have been just as dangerous as the 
previous version, publicized in January, allowing malicious AIM users the 
ability to execute any program on a vulnerable user's computer, said Matt 
Conover, a hacker with a security research group known as "w00w00."

"This is almost identical to the problem we found originally, and that's 
saddening," he said. "By using a slightly different method, we are able to get 
around the filtering they used to protect against the last flaw."

Last time, the error occurred in how the "add game" command handled a request 
from another user. This time, the error occurs when a malicious AIM user sends 
an overly long "add external application" command to another user. Known as a 
buffer overflow, the error allows an attacker to execute a program on the 
victim's computer.

After being notified by w00w00, AOL Time Warner fixed the problem by, again, 
applying a filter to its instant messaging servers, said Conover. Because the 
fix can be done to AOL's own machines, the protection is immediate, he added.

Attempts to confirm the fix Sunday with an AOL Time Warner representative were 
unsuccessful, however.

While Conover said AOL responded quickly to the flaw this time, the group still 
had to use private contacts formed during the last security incident; AOL Time 
Warner still does not publish a central security contact for its software.

"There is still no way to publicly contact them, which means that they haven't 
learned anything from the last incident," he said.

Moreover, while AOL Time Warner's fix prevents the current hole from being used 
to attack another user or to spread worms or viruses through instant message 
chats, Conover worries that an online vandal may find another method that could 
also elude AOL's fix.

"I definitely don't think they did enough to secure the IM client," he said. 
"They responded quickly to this instance of the flaw, but if they stop there, I 
think they are being lazy."

Because AOL Time Warner fixed only a specific instance of the flaw rather than 
the network security problems that led to the vulnerability, the company could 
see a third strike against its instant messaging client, he said.

"All the code that requests one user to add something from another user needs 
to be looked at," he said.

The statement echoes another that the w00w00 security team made in its January 
1 advisory for the original flaw.

"This may be more generic and exploitable through other means, but AOL has not 
released enough information about their protocol for us to be able to determine 
that," the group warned.

Until AOL has taken its security to heart, Conover said he believes instant 
messenger users should think about moving to a new software provider.

"We recommend that people use an IM provider that has a means to deal with 
security issues, because--right now--AOL doesn't," he said.



--
This was sent to you from http://theMezz.com
To Subscribe/Unsubscribe go to http://techPolice.com
