
Are you an AOL IM user? EEEK!!!

Discussion in 'BBS Hangout' started by HOOP-T, Jan 3, 2002.

  1. HOOP-T

    HOOP-T Member

    Joined:
    Jan 26, 2000
    Messages:
    6,053
    Likes Received:
    5
    http://www.cnn.com/2002/TECH/ptech/01/02/aol.security/index.html

    Security hole found in AOL Instant Messenger
    January 2, 2002 Posted: 6:58 PM EST (2358 GMT)





    RESTON, Virginia (CNN) -- AOL Time Warner's popular AOL Instant Messenger has a security flaw that could enable a hacker to invade a user's computer and wreak havoc on the system, the company and a security group said Wednesday.

    AOL spokesman Andrew Weinstein said there have been no indications that hackers have exploited the flaw, which should be fixed by Thursday or Friday. AOL Time Warner is the parent company of CNN.com.

    "This is more of a theoretical issue because we don't believe this has actually occurred," Weinstein said. "We have developed a resolution, and it should be deployed in a day or two."

    He described the fix as a "server-side resolution" that AOL would repair itself, so "users won't have to do anything" to fix the problem.

    The problem has to do with a new feature that allows users to play online games with each other. The security flaw appears only in its most recent Windows version of AIM, 4.7, Weinstein said.

    The group that discovered the flaw says it dates back to at least the 4.3 version. The group, w00w00, is a nonprofit security organization that has members in nine countries, including Russia, the United States and Australia.

    Non-Windows versions are not affected by the problem.

    Until AOL fixes the problem, w00w00 recommends users restrict incoming messages to friends on their "Buddy List." A user can do this by going to "Your Preferences." In the "Privacy" section, click "Allow Only Users on My Buddy List" under "Who Can Contact Me," the security group said.

    Not taking such an action would leave the program vulnerable to a worm or virus similar to Melissa, ILOVEYOU and Code Red, which have caused problems in computers worldwide.

    The flaw is "relatively simple to exploit."

    "The implications of this vulnerability are huge and leave the door wide open for a worm," w00w00 said in a statement on its Web site. "This vulnerability will allow remote penetration of the victim's system without any indication as to who performed the attack. There is no opportunity to refuse the request."

    AIM has more than 100 million users on its various versions.
     
  2. Space Ghost

    Space Ghost Member

    Joined:
    Feb 14, 1999
    Messages:
    19,012
    Likes Received:
    9,115
    haha!! what a joke! :rolleyes:

    "Good" hackers notify AOL/AIM of a security issue. If they don't proceed to fix the problem, then they make the exploit public on forums. If they still do not fix it, then they notify the media.

    I don't know the exact details on this one, but it sounds like (an old one) a problem with the buddy icon. You could crash a computer by making your buddy icon a large garbage file. (Buffer Overrun). In the buffer overrun, the virus/backdoor/whatever would be run. Disabling buddy icons should prevent the problem.
     
  3. Behad

    Behad Member

    Joined:
    Feb 20, 1999
    Messages:
    12,358
    Likes Received:
    193
    Let me get this straight...the flaw which can allow access is announced before the repair is ready?

    Doesn't this just give hackers notice to exploit the flaw before the fix is implemented?
     
  4. Space Ghost

    Space Ghost Member

    Joined:
    Feb 14, 1999
    Messages:
    19,012
    Likes Received:
    9,115
    The hackers already know. They are just feeding you a line of bull****.

    AOL doesn't like fixing AIM products because they are "free" and they get no revenue from it. The only way to get it fixed is to release it via public news to give AOL bad publicity.
     
