AOL Instant Messenger Remote Hole
The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. "So easy to hack, no wonder it's number one!" Details can be found at the w00w00 site."
Hmm, does this vulnerability affect linux clones, too? Of course, no person in their right mind would run gaim as root....
But if you're running gaim...
Moderation: Put your hand inside the puppet head!
We recommend Robbie Saunder's AIM Filter (http://www.ssnbc.com/wiz) to protect yourselves. A temporary solution is to go into your Preferences and in the Privacy section click "Allow Only Users on My Buddy List" under "Who can contact me."
...and now everyone has your mail!
Given that the message states AOL will do a server side fix in a day, why not wait ONE DAY before releasing the exploit details.
Since we all know the holes won't stop here, anyone who wishes to further investigate problems can start their research here and here.
...only windows machines. get your facts straight.
This does not affect the
non-Windows versions, because the non-Windows versions currently do
not yet support the feature that this vulnerability occurs in.
Wasn't AOL warned about this sort of stuff over a year ago?
I remember someone at Microsoft saying that AIM and ICQ had some serious unchecked buffer problems. Something to do with why Microsoft wouldn't update MSN Messenger to work with AIM anymore.
(I might be wrong on this, anyone have info?)
...but how many people are going to take it seriously, coming from an organization named "w00w00?" I would imagine that the vast majority of AOL users will just roll their eyes and dismiss this as skript kiddie propaganda. Why can't people grow up and choose mature names for their teams, such as "Security Labs" or "Internet Safety Organization?" These names took a grand total of 10 seconds to think up and are a hell of a lot more authoritative than "w00-frickin-w00." Jesus.
AOL Instant Messenger overflow
w00w00! http://www.w00w00.org
Author: Matt Conover (shok@dataforce.net)
Contributors: nocarrier, napster, and w00w00 collectively
PRELUDE
Happy w00year! It has been a while, friends, but w00w00 is still going
strong! w00w00 is over three years old now and still boasts the title
of the world's largest non-profit security team. One thing remains
true about the world of w00w00, though: we love to shake things up.
We'd like to take a moment and make an important point. Due to
unfortunate circumstances, the environment of the security industry
has changed for the worse. Most major vendors and security companies
have all switched their policies to limited disclosure, leaving the
end users still vulnerable to serious software flaws. Big corporate
monopolists: 1, end-users cornered into using second-rate software: 0.
Why? Two big reasons: the DMCA and using patriotism as an excuse to
avoid disclosing vulnerabilities.
First, the Digital Millennium Copyright Act affects circumvention of
anti-piracy mechanisms and reverse engineering. If a product is
released in binary form only (i.e., AOL Instant Messenger) to
protect its technologies and one attempts to reverse engineer the
file, it's a violation of the DMCA. Find out more information about
the DMCA at http://www.anti-dmca.org.
Second, Microsoft has "decried" information anarchy. Many major
security companies have followed suit and the rest just bent to the
pressure. However, blaming security research teams, such as w00w00,
for releasing information on vulnerabilities is a cop-out. Whether or
not security research teams release information on vulnerabilities, it
doesn't change the fact that the vendor produced insecure software.
Vulnerabilities are still exploited in the same way they were by the
Internet Worm 13 years ago. Further, one can reasonably assume that a
fair number of hackers are exploiting unpublished vulnerabilities.
By only silently updating products, computer users are unknowingly left
vulnerable.
DESCRIPTION
AOL Instant Messenger (AIM) has a major security vulnerability in the
latest stable (4.7.2480) and beta (4.8.2616) Windows versions. This
vulnerability will allow remote penetration of the victim's system
without any indication as to who performed the attack. There is no
opportunity to refuse the request. This does not affect the
non-Windows versions, because the non-Windows versions currently do
not yet support the feature that this vulnerability occurs in.
This particular vulnerability results from an overflow in the code
that parses a game request. The actual overflow appears to be in the
parsing of TLV type 0x2711. This may be more generic and exploitable
through other means, but AOL has not released enough information about
their protocol for us to be able to determine that. Robbie Saunder's
email yesterday should be enough of a hint which direction to look in.
We recommend Robbie Saunder's AIM Filter (http://www.ssnbc.com/wiz)
to protect yourselves. A temporary solution is to go into your
Preferences and in the Privacy section click "Allow Only Users on My
Buddy List" under "Who can contact me."
UPDATE: AOL will be fixing this in the server side within a day or two.
IMPLICATIONS
AOL Instant Messenger (http://www.aim.com) has over 100 million users.
The implications of this vulnerability are huge and leave the door wide
open for a worm not unlike those that Microsoft (*cough* corporate
monopoly *cough*) Outlook, IIS, et al. have all had (Melissa, ILOVEYOU,
CodeRed, nimda, etc.). An exploit could easily be amended to download
itself off the web, determine the buddies of the victim, and then
attack them also. Given the general nature of social networks and how
they are structured, we predict that it wouldn't take long for such an
attack to propagate.
To top everything off, the particular overflow described supra is
relatively simple to exploit. The payload can be several thousand bytes
long, which leaves lots of room for creative shellcode. In addition,
the shellcode can have null bytes in it, as long as the shellcode is
located after the offset to EIP in the shellcode. That is, the offset
to EIP is 1723 bytes into TLV type 0x2711. So if the shellcode is
located after offset 1726, null bytes can be left in.
EXPLOIT
The exploit, w00aimexp, is too big (1000+ lines) to include here, but
it can be downloaded at http://www.w00w00.org/files/w00aimexp.tgz. The
files can be viewed online at http://www.w00w00.org/files/w00aimexp/.
This is the exploit packet generated by w00aimexp (without
USE_FULL_SIZE defined):
FLAP header (6 bytes)
[\x2a] '*' (magic number)
[\x02] channel (data)
[\x00\x11] seqnum number
[\x07\x87] packet length (1927 bytes)
SNAC header (10 bytes)
[\x00\x04] SNAC family (message)
[\x00\x06] SNAC type (outgoing message)
[\x00\x00] SNAC flags (none)
[\x00\x00\x00\x09] SNAC ID
[\xa4\x98\xa3\x56\x54\xbf\xf2\xfd] cookie
[\x00\x02] SNAC channel (data)
[\x0c] victim screen name length
[\xXX\xXX\xXX\xXX\xXX\xXX\xXX\xXX\xXX\xXX\xXX\x
Now a set of TLV data types. There is a base container, type 0x05,
that contains everything else. Inside of this are several smaller
containers, with each TLV type following immediately after the
previous. If those are misaligned, you'll receive a "busted SNAC
payload" error.
[\x00\x05] TLV type (0x05)
[\x07\x62] TLV length (1890 bytes)
[\x00\x00] cookie marker
[\xa4\x98\xa3\x56\x54\xbf\xf2\xfd] cookie
Capability used to exploit this (libfaim calls it SAVESTOCKS):
[\x09\x46\x13\x47\x4c\x7f\x11\xd1\x82\x22\x44\x
[\x00\x0a] TLV type (0x0a)
[\x00\x02] TLV length (2 bytes)
[\x00\x01] TLV data
[\x00\x0f] TLV type (0x0f)
[\x00\x00] TLV length (0)
[\x00\x0e] TLV type (0x0e)
[\x00\x02] TLV length (2 bytes)
["en"] TLV data (language)
[\x00\x0d] TLV type (0x0d)
[\x00\x08] TLV length (8 bytes)
["us-ascii"] TLV data (charset)
[\x00\x0c] TLV type (0x0c)
[\x00\x06] TLV length (6 bytes)
["w00w00"] TLV data (game's name?)
[\x00\x03] TLV type (0x03)
[\x00\x04] TLV length (4 bytes)
[\x40\xa3\x1e\x4f]
[\x00\x05] TLV type (0x05)
[\x00\x02] TLV length (2 byte)
[\x14\x46]
[\x00\x07] TLV type (0x07)
[\x00\x4d] TLV length (77 bytes)
["aim:AddGame?name=w00w00&go1st=true&multiplaye
[\x27\x11] TLV type (0x2711)
[\x06\xbf] TLV length (22 + length of our shellcode = 1727 bytes)
[\x00\x00\x02\x00\x05\x07\x4c\x7f\x11\xd1\x82\x
\x54\x00\x00\x00\x0b\x00\x09 + shellcode starts here]
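The FLAP / SNAC / TLV layout dumped above can be checked mechanically on the wire. The following is an added example, not part of w00w00's advisory or of w00aimexp: it parses an outgoing ICBM frame into its headers and TLV chain, refuses misaligned TLVs (the "busted SNAC payload" case the advisory mentions), and flags a rendezvous container whose TLV 0x2711 is far longer than any game request needs. The 512-byte limit, the 16-byte capability placeholder, the shortened TLV 0x07 string and the zero-filled 0x2711 body are assumptions, since the page truncates those values.

```python
import struct

# Field values taken from the advisory's packet dump.
FLAP_MAGIC = 0x2A
FLAP_CHANNEL_DATA = 0x02
SNAC_FAMILY_ICBM = 0x0004
SNAC_SUBTYPE_OUTGOING = 0x0006
ICBM_CHANNEL_DATA = 0x0002
TLV_RENDEZVOUS = 0x0005      # base container holding the game request
TLV_GAME_DATA = 0x2711       # the TLV whose parser overflows
COOKIE = b"\xa4\x98\xa3\x56\x54\xbf\xf2\xfd"
# The advisory puts the overwritten return address 1723 bytes into TLV 0x2711.
# A legitimate request is far smaller; 512 bytes is an assumed limit for this check.
MAX_GAME_DATA_LEN = 512
# The capability GUID is truncated on the page; this 16-byte value is a placeholder.
CAPABILITY_PLACEHOLDER = b"\x09\x46\x13\x47" + b"\x00" * 12


class BustedSnacPayload(ValueError):
    """Raised when TLV lengths do not line up with the enclosing payload."""


def tlv(ttype, data):
    """Encode one TLV: 2-byte type, 2-byte length, data."""
    return struct.pack(">HH", ttype, len(data)) + data


def parse_tlvs(buf):
    """Walk a TLV chain laid back to back; every length must stay inside buf."""
    tlvs, pos = [], 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise BustedSnacPayload("truncated TLV header at offset %d" % pos)
        ttype, tlen = struct.unpack(">HH", buf[pos:pos + 4])
        pos += 4
        if pos + tlen > len(buf):
            raise BustedSnacPayload("TLV 0x%04x overruns the payload" % ttype)
        tlvs.append((ttype, buf[pos:pos + tlen]))
        pos += tlen
    return tlvs


def is_aligned(buf):
    """True when a TLV chain parses cleanly, False when it would bust the payload."""
    try:
        parse_tlvs(buf)
        return True
    except BustedSnacPayload:
        return False


def parse_frame(frame):
    """Split a FLAP frame into FLAP header, SNAC header and ICBM body."""
    if len(frame) < 6 or frame[0] != FLAP_MAGIC:
        raise BustedSnacPayload("bad FLAP magic")
    channel, seq, length = struct.unpack(">BHH", frame[1:6])
    if len(frame) != 6 + length:
        raise BustedSnacPayload("FLAP length field disagrees with frame size")
    body = frame[6:]
    out = {"flap_channel": channel, "seq": seq}
    if channel != FLAP_CHANNEL_DATA:
        return out                       # keep-alive, login etc.: nothing to inspect
    if len(body) < 10:
        raise BustedSnacPayload("short SNAC header")
    family, subtype, flags, snac_id = struct.unpack(">HHHI", body[:10])
    out.update(family=family, subtype=subtype)
    data = body[10:]
    if (family, subtype) != (SNAC_FAMILY_ICBM, SNAC_SUBTYPE_OUTGOING) or len(data) < 11:
        return out
    # ICBM body: 8-byte cookie, 2-byte channel, 1-byte screen name length, name, TLVs
    name_len = data[10]
    out.update(cookie=data[:8], icbm_channel=struct.unpack(">H", data[8:10])[0],
               name=data[11:11 + name_len], tlvs=parse_tlvs(data[11 + name_len:]))
    return out


def game_request_findings(frame):
    """Return the reasons a frame looks like an oversized game request (empty if none)."""
    findings = []
    for ttype, data in parse_frame(frame).get("tlvs", []):
        if ttype != TLV_RENDEZVOUS:
            continue
        # Container layout from the dump: 2-byte marker, 8-byte cookie, 16-byte capability
        for itype, idata in parse_tlvs(data[26:]):
            if itype == TLV_GAME_DATA and len(idata) > MAX_GAME_DATA_LEN:
                findings.append("TLV 0x2711 length %d exceeds %d"
                                % (len(idata), MAX_GAME_DATA_LEN))
    return findings


def build_game_request(screen_name, game_data, seq=0x11):
    """Assemble a test frame with the TLV order from the advisory (constructed sample)."""
    inner = (b"\x00\x00" + COOKIE + CAPABILITY_PLACEHOLDER
             + tlv(0x0a, b"\x00\x01") + tlv(0x0f, b"") + tlv(0x0e, b"en")
             + tlv(0x0d, b"us-ascii") + tlv(0x0c, b"w00w00")
             + tlv(0x03, b"\x40\xa3\x1e\x4f") + tlv(0x05, b"\x14\x46")
             + tlv(0x07, b"aim:AddGame?name=w00w00")      # shortened, constructed
             + tlv(TLV_GAME_DATA, game_data))
    icbm = (COOKIE + struct.pack(">H", ICBM_CHANNEL_DATA)
            + bytes([len(screen_name)]) + screen_name + tlv(TLV_RENDEZVOUS, inner))
    snac = struct.pack(">HHHI", SNAC_FAMILY_ICBM, SNAC_SUBTYPE_OUTGOING, 0, 9) + icbm
    return struct.pack(">BBHH", FLAP_MAGIC, FLAP_CHANNEL_DATA, seq, len(snac)) + snac


if __name__ == "__main__":
    print(game_request_findings(build_game_request(b"victim", b"\x00" * 22)))
    print(game_request_findings(build_game_request(b"victim", b"\x00" * 1727)))
```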
The guy spends most of his time bashing the DMCA and how hard it makes it to offer patches to this sort of thing without AOL's permission:
From the NTBugtraq letter:
First, the Digital Millennium Copyright Act affects circumvention of anti-piracy mechanisms and reverse engineering. If a product is released in binary form only (i.e., AOL) to protect its technologies and one attempts to reverse engineer the file, it's a violation of the DMCA. It's no question who the lobbyists behind this law were: the big corporations. Not surprisingly, AOL Time Warner was one of the DMCA's biggest supporters. Find out more information about the DMCA at http://www.anti-dmca.org.
The non-profit security team w00w00.org...
Translating...
The juvenile h4x0r kiddies at w00w00.org...
uncovering a serious flaw in AOL's Instant Messenger protocol
Translating...
illegally reverse-engineered a crack into AOL's IM protocol
I can't believe that Slashdot is propagating this crap. This stuff is not something we want to get out to the public! Yes, these crackers found a hole in AOL. The problem is server-side and will be fixed in a few days. In the meantime, Slashdot has just propagated this information (and the crack) to millions of people worldwide.
I don't know about you, but that sounds pretty irresponsible to me.
http://www.w00w00.org/advisories/aim.html is a better link.
Hey, if you guys want open-source IM, check out http://www.jabber.org The server is open-source and it's a distributed XML-based network. Lots of different, cool clients too. JabberIM for Windows, and Gabber for Linux are the most mature ones though. There are bridges to the AIM and ICQ networks available on some servers, but the ones on Jabber.org have been blocked by AOL... nice huh?
Beat me to it! I was just gonna submit this. There is a nice article on the Washington Post about this. What bewilders me is that AOL claims that "the problem will be fixed soon, and users won't have to download anything." I have no idea how they can fix this server-side, or is that just a sly way of saying "we're gonna flag AIM and tell it to bring up one of those annoying dialog boxes that says 'There is a new version of AIM available (4.5.87.3413.321.4342)! Go download it now!'" Anyway, I'm logging off AIM now... unlike the XP UPnP flaw, the firewall can't help me here...
I stopped using ICQ years ago because it was so script-kiddie friendly and AIM not long after. I'm quite happy using Jabber with a gateway to Yahoo Messenger, thankyouverymuch.
this is getting old and so are you
blog
The abstract for the article is in error: it reads, "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol... This flaw can enable remote users to execute code on any machine logged into the AOL IM service.". The flaw isn't in the protocol itself but in the client, and therefore doesn't actually affect "any machine logged into the AOL IM service". It sounds like AOL is going to prevent the sending of exploit packets at the server level to avoid requesting all of their Windows users to upgrade, but those of us using Linux or another OS should be fine regardless.
Love justice; desire mercy.
That is the same link from the article you fool...
ALWAYS, if the protocol isn't openly documented and severely tested over a communications line for security it is insecure.
I recommend the majority of people I deal with use jabber (this is not some plug for jabber; it's just at the end of the day, it's more secure and yet accomplishes the same goal AIM etc etc have)
If you are using AIM, do yourself a favor a pickup a jabber client, you won't be sorry.
How about the "you got mail" dude do one that says "j00 g0t 0wN3D"!
One of Many Instant Messenger Exploits (MIME for short), I'm sure.
{if you are going to assassinate a Mime, would you use a silencer?}
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
The problem is in the implementation, not in the protocol. If it were in the protocol, that would make all clients at risk. As it is, only the official Windows client is vulnerable, because it implements game requests without checking for buffer overflow. I really don't understand why people still write code this way -- buffer overflows are so easy to prevent.
Somewhat (but only somewhat) offtopic: why on earth doesn't ./ at least browse through the links they post? It's not like they don't have the manpower. If they'd even looked at the article, they'd have caught this...
Slashdot just linked to the story; they didn't originate it. They would've had no way to report the information (at least not in Slashdot's usual manner) without pointing people to the actual discoverer of the problem, unless AOL has an article on it somewhere.
It is very irresponsible of the original writer to post an explicit method to exploit the crack, however. At least there's one redeeming feature: the article also tells readers how to protect themselves from the crack by altering their preferences, and also that AOL is fixing the problem server-side.
The crack was/is already out there, for people who enjoy using that sort of thing. Don't blame this site for pointing people to it just because Slashdot has a higher readership.
I don't understand the concern.
AIM and MSN Messenger ARE the security hole. Anything running on a PC which keeps a port open is a major security risk. Connections should not use any sort of "keep alive" to unknown remote hosts.
And just giving an application to "feature" to accept all inbound connections has to be the worst idea any service provider ever had. I'm just surprised more attacks haven't been made on the IM applications.
It's likely because all of today's Elite Haxor types know very little about the fundamentals of IP. I bet the guys at Phrack already knew about this and many other "holes" in the IM protocols.
"You are not a beautiful and unique snowflake."...Tyler Durden
How long till someone scripts up a nice "code red/nimda" self propagating malware that runs rampant across the internet using this new flaw?
If so... it is going to be even worse.. It was next to impossible to get all the IIS servers on the net updated. Imagine updating every AIM client.
AOL is deeply committed to your security. We use state-of-the-art technology to keep your personal information as secure as possible. We also have put in place privacy protection control systems designed to ensure that the personal data you share with AOL is safe and private. In addition, AOL keeps your password strictly confidential, and all authentication for the Service is performed on AOL's secure servers. Sites participating in the Service may not collect or store AOL password information.
From this site.
Light cup, beer drink, thin so chain, neck turtle fat, man I won't say it again
I had to stop using both ICQ and AIM because my box was swamped with "wanna have hot sex" crap.
Well sure, AOL has this little tiny hole. But at least it isn't as bad as that Passport thing that MSN refuses to fix.
I can't spell or type, but that doesn't mean I'm unusually stupid.
I've recently started using trillian (www.trillian.cc) for all my IMing needs... (yes, it does connect to the AIM server, among others such as MSN messenger, yahoo, and ICQ) I'm assuming it probably doesn't have this flaw, which is obviously a nice feature. And as far as I know, it's the only really solid alternative to a) having a billion separate IM programs b) using hated AOL software.
Once upon a time...
Or at least they were the first to have this bug uncovered.
On a serious note, is it being ultra-paranoid to think that maybe these companies are including these holes intentionally? To me it seems like a pretty huge mistake to allow a random person to take over control of a computer remotely, not just a small oversight. AOL and MS aren't exactly angels, and maybe I've been watching too many movies, but this seems like something they put in by design in order to spy on certain individuals for stealing code, deleting components of non-MS software so it won't work, etc.
~ now you know
well, here's yet another reason to be using TOC (as opposed to Oscar, the newer of the two AIM protocols.) TOC is/was an open protocol, and i've had very little problem with it. admittedly, it doesn't have all the "features" that Oscar has, but if all you want is chat, and you don't care a whole lot about file transfers, et al. TOC is more than sufficient. plus, unlike Oscar, AOL doesn't seem to arbitrarily change the protocol. And it seems to be more stable, server-side. I've had countless instances of hearing the despaired cries of "AIM is down" from throughout my dorm without having a problem. TOC goes down occasionally, but not nearly as much, from my experience.
as for clients, i recommend Gaim for Linux. You can select the TOC protocol in the Account Editor window.
<asbestos>yes, i know there's a million things that Oscar can do that TOC can't. but I don't care. TOC just works better from my experience, especially when clients have to release new versions to work around AOL changing the Oscar protocol slightly in order to screw over MS.</asbestos>
#define F(x) int main(){printf(#x,10,#x);}
F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
I tried Jabber hoping to get away from banner-ridden icq. But it was unpolished, crashed, and lost connections frequently (I ran the windows version). I recently came upon a better option: http://www.trillian.org Very smooth and polished -- and you don't have to get a "Trillian" IM account just to use it (jabber requires you to obtain a "Jabber" IM account)
It came down off Bugtraq at about 9AM this morning. Everyone already knew about it. And, unless you're one of those security-through-obscurity people, you should have no problem with this kind of thing. (It's not like they wouldn't be available to people otherwise...)
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
I did a little search on usenet. It revealed what to block for any firewall admins out there. Does anyone have better information? We tested the blocking, but had a few problems. The client keeps finding ways to connect.
From: Charles Newman (newmanc6619 @ softhome.net)
Subject: Re: block AOL instant messenger
Newsgroups: comp.security.firewalls
Date: 2001-10-28 12:16:00 PST
That is not enough. It could still be accessed through an open proxy, on
ports 23, 1080, 8000, or 12001. You need to also route stuff through a
SOCKS proxy, and have your proxy block out the following ranges of
IP addresses, and that should stop AOL instant messenger
205.187.7.*
205.187.8.*
64.12.24.*
64.12.25.*
152.163.241.*
I am about to make my impenetrable filtering system even better, by
putting in a second computer, that works as a firewall and proxy server, and
running either XP or 2000. Since all the filtering is done at the server
level, instead of at the client level, there is no POSSIBLE way that my
"home-brew" system could be compromised. Windows 2000 and Windows
XP have security that cannot POSSIBLY be penetrated, and since everything
runs in "stealth" mode, there is no POSSIBLE way someone could be able
to figure out how to circumvent my NEW AND IMPROVED "home brew"
system I am about to build. Basically, all the blocking software on my
computer now, would be transferred to another computer, which would act
as a proxy server and firewall.
Windows XP and 2000 have security that even the most computer savvy
youngster could not defeat. As I have mentioned before, I have had problems
in the past with housekeepers who bring kids with them, and said kids having
tried to access my computer.
Even the best hackers in the world would not be able to get through
the kind of "home brew" filtering system I am planning right now. As the old
adage goes, "What cannot be seen cannot be hacked". Since XP works like 2000,
it will put an END to virtually nearly all computer viruses. Every virus out
there runs on either DOS, or Windows 9x. Windows NT/XP/2000 has
security a virus could not get through. That is why UNIX is still used in
some places, UNIX is not vulnerable to viruses, like DOS and Win9X are.
Server-based filtering cannot be circumvented, if requests to ports
80,1080,3128, and 8080 are blocked. They block 99.9 percent of all the
known open proxy servers in the world. The ONLY way you can POSSIBLY
circumvent a server-based filtering system is to use an outside proxy
server.
That is why server-based filtering has become more popular. Server-based
solutions are 100 PERCENT *IMPOSSIBLE* to circumvent. Also, as I
have just said, Windows XP and 2000 cannot be hacked, because of the
security measures in place on those two operating systems.
Brian Schenkenberger, VAXman-
I want to block AOL Instant Messenger what port does it use? How Can I Block
It?
>
> I recall seeing the port number when my daughter was IMing her "buddies".
>
> http://www.iana.org/assignments/port-numbers lists several numbers as AOL
> port numbers.
>
> aol 5190/tcp America-Online
> aol 5190/udp America-Online
> aol-1 5191/tcp AmericaOnline1
> aol-1 5191/udp AmericaOnline1
> aol-2 5192/tcp AmericaOnline2
> aol-2 5192/udp AmericaOnline2
> aol-3 5193/tcp AmericaOnline3
> aol-3 5193/udp AmericaOnline3
>
> I'm pretty sure that I saw the 5190 in use when my daughter was IMing.
I'm actually really surprised that holes haven't been already found in these toys.
Change that annoying incomming Email .wav file...
"You've got nailed"
--- Metamoderating abusive downgraders since my 300th post.
Wish I had some mod points. I've never heard of trillian before but I'm going to try it out!
~ now you know
I use trillian on my Windows 2k machine, it supports AIM, Yahoo, MSN, ICQ and IRC communications. Wonder if they too are exploitable by this.
thanks! I love being a whore... Actually, I didn't see the link... oops. Posting anonymous... to save my precious karma...
This has got the best PR response I've ever seen to one of these holes:
From the Washington Post Story
A security hole in AOL Time Warner's Instant Messenger program used by millions of users worldwide can let a hacker take full control of a victim's computer, according to security researchers and the company.
An AOL spokesman said the problem will be fixed soon, and users won't have to download anything.
Great idea! Why make the user download and test a patch? We can just use this hole that gives us full control of a victim's computer...
Viv
Gmail invites for ip
I tried looking through all the files to get an understanding of this but it is way beyond me. Those guys are too l33t I guess.
The most understanding I could get was that you were supposed to write up your own C code to 0wn the victim, and insert it into the w00aimexp.c source file, compile, and then when you run the exploit it will cause that C code to be run on the victim's computer. Am I right? I gotta learn to program sometime.
Tim
Omnia vestra castrorum habetur nobis.
I hope this gets modded as "funny" or "I didn't read the article and I'm simply replying because I hate everything that's not linux". This article shows that AOL intends to fix the problem on the server-side.
aol said they would make a server side fix, but what about direct connections?
aim has a feature where you can directly connect to another buddy ip to ip, to send messages, pictures, sounds, whatever...
server side fixes don't help the people that bypass the server.
Runnin' On Empty
Another example of why viri/worms/etc should include the OS they apply to, i.e. The Windows/AIM vulnerability or the Microsoft/AIM vulnerability or the Microsoft Code Red virus. You get the idea. Eventually even MCSEs would get the idea that the majority of the security problems are associated with a particular operating system.
"The non-profit security team w00w00.org..."
Oh, so the 1337 are going the non-profit route? Nice to see that they are going somewhat legit here, but are we going to see mass-defacement support drives once a month looking for donations, a la PBS? Are they going to only release their best exploits during these fund drives? And how much do I have to donate to get reach the benefactor level where I get the "Bill Gates unrestricted Amex card" number as a gift of thanks?
More importantly, did Microsoft "give generously" during the "Here's how to hack AIM" episode of "Sesame Street"?
"Today's Sesame Street was brought to you by the letters M, S, N, and the number 1."
Pssst... that's a joke ;-)
I don't know how often exploits are found in AIM, but I haven't heard of too many.
Now are we really going to bash AIM and compare it to outlook or IIS because of this? The tone seems to be "uh oh.. AIM is now just like outlook, i better sign off and use a third party client"
When linux exploits are announced the tone seems to be more forgiving. Unfair?
what is nailchipper?
Microsoft systems are hackable? I'm shocked!!!
I'd love to see an I-Worm do this! It could scan for words like "Confidential", "payroll", "affair", "fired" and send e-mails to random people with copies of the message.
Marriages would be broken.
Important MS memos would be leaked.
VPs with high salaries would be exposed.
Oh, if I had the balls to write such things...
Zodiac Survey
Why not? Don't you use any?
[*duck*]
hawk, who bought the last pair of quality microsoft products: word 5.1 and excel 4
Anything AOL is like The Teletubbies...
Including their IM....it's kiddie time once again...
I think it's as funny as hell, that their little IM is vulnerable...
AOL is nothing but a G thang....and that G doesn't stand for GOOD!
"Look where we worship" -- Jim Morrison
rooooar
Kinda reminds me of various SF dystopias where the general populace is kept just smart enough to be useful but not enough to be critical thinkers and therefore dangerous to the status quo.
It's already like this. Just look at the government we have now: One which is more worried about banning abortion to produce more babies, instead of enforcing better (and cheaper) birth control. One which is more worried about protecting ourselves from ourselves (read: victimless crimes), instead of letting us learn from our mistakes (or letting evolution sort it out). One which is more worried about getting elected the next term and getting in the pockets of lobbyists, instead of passing laws that the people really need.
Just look at our idiotic voters. They are the mediocre masses. They are the ones just smart enough to be useful, but not smart enough to see that they've been screwed. They are the proles [1984], and the future is NOT with them.
Zodiac Survey
That's proven quite useful to me. Right now I'm connected to AIM, ICQ and MSN via Gabber. It's an open protocol (massively verbose XML strings are about as open as it gets...), and because the IM system gating is done at the server the protocol is also simple, as are, by extension, the clients.
Granted the server transports sometimes go down, though I use theoretic.com's server which has been doing a sterling job so far. Now if I could just figure out how to go on IRC from this thing....
Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover's actions are irresponsible. "I think it's better to provide details of the exploit and then let other people write the actual code," Cooper said. "Unfortunately, these are fundamentally naive people with a very childish view of the world."
Hmm. Anyone else sense a little hostility from the for-profit security industry...?
-------------------
This is my SIG. There are many like it, but this one is mine.
The lead in to the article says that the problem is a bug in the protocol. From reading the announcement, it sounds like it is really a bug in the implementation of the OSCAR protocol in the AOL released clients. It doesn't sound like it's an inherent flaw in the protocol itself. Also, to talk about the AIM protocol is somewhat non-specific seeing as TOC is technically an AIM protocol as well and it doesn't sound like this has anything to do with that.
This sig has been temporarily disconnected or is no longer in service
Eg Europe, where reverse engineering is explicitly legal regardless of any terms and conditions the software vendor may seek to impose.
Tested vulnerable back to 4.3 (earliest one available to test). Vulnerability of versions 4.3 is not known; assume that ALL VERSIONS of AIM are vulnerable. (At least if you believe the fine people on Bugtraq).
D'oh.
-30-
I'm fairly sure the JAVA version of the AIM client is up to date with the newest bells and whistles. So I doubt the AIM Express client is vulnerable. I'd just use that in the mean time.
For the lazy: AIM Express
( Yeah I know, I posted this to the wrong thread originally. : ( )
I've recently started using trillian (www.trillian.cc [trillian.cc]) for all my IMing needs
Trillian is a Windows app, but it apparently works under Wine.
Will I retire or break 10K?
You can turn that annoying AIM Today window off rather easily; in fact, it's always the first thing I do after setting up AIM anywhere.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
I have stopped using most of the Instant messengers except Odigo now. I like the see others in the website feature and the fact that you have all the others integrated as well is a plus.
http://www.odigo.com
Side note I am in NO WAY affiliated with them. I just happen to like their product.
Razzious Domini
I could be a GREAT KARMA WHORE if I could just shed the few morals I have left.
You said it! Our only hope lies not in the proles.
I am about to expose information that could be used to commit a crime. If this information is improperly used then I and all who have passed on this information can and should be summarily prosecuted according to the Laws Against Spreading Evil Information. But I'll take the chance.
1. Humans are mortal
2. Poking a big hole in a human can kill it
3. Humans are the weak spot in bank security
4. Humans fear having holes poked in them
5. Guns are effective tools for poking holes in humans
6. Pointing guns at humans can get them to do what you want
7. Humans in banks will give you money if you point a gun at them
8. To kill a human quickly, shoot it in the heart or head
9. Explosives are also very effective
My apologies to all for whom this information represents a decrease in personal security. But rest assured, your firewall will continue to function long after your life has drained away.
-- thinkyhead software and media
You would not get in trouble. It's called free speech. If someone's product is shoddy and insecure it is your right to tell everyone about it. There are plenty of books at the library that describe how to pick locks and if you've ever read "The Hacker Crackdown" by Bruce Sterling you know that there are books that describe how to get calling card numbers, namely, "The Hacker Crackdown". You say "These actions wouldn't fly in the real world without legal repercussions." yet you give no examples. Please, give an example. Please at least cite a law which forbids any of the actions you described because you talk as if there is such a law for the real world where one for the cyber world is lacking. I would argue that there is a law for neither and that you are talking out of your ass.
--
WHO ATE MY BREAKFAST PANTS?
http://www.netice.com/advICE/Intrusions/2003301/default.htm
Most people would die sooner than think; in fact, they do.
AIM has just kicked everyone off of the service, and I assume they have patched this bug. We shall see when it comes back up.
Any word from AOL about this?
Now they just have to get you to accept a p2p connection between the AIM clients. 8-( OK, BETTER than waiting a long arse time, but it doesn't address the issue of having to update to a fixed client..
-- I'm the root of all that's evil, but you can call me cookie..
It appears the AIM service has been taken offline by AOL.
AIM Filter being the program that, if not a trojan, at least has various remote access abilities.
See the bugtraq archive for more information.
Amusing that its use is recommended in the security advisory.
-Legion
a cool server side fix:
exploit this hole from the main server on all clients, and make them automatically update to the latest version! No users have to download patches this way.
Noticed quite a few messages exclaiming about Trillian already. I love it. It just needs more skins (or I need to learn the differences between the old and new format).
I will venture, rather safely, to say that Trillian is not affected by this exploit. The exploit is in the 'game request' feature in the AIM client for windows, a feature that has not yet been included in Trillian in the first place, and a feature that would obviously use different, hopefully better-bounds-checked code if it were there (since trillian uses its own libraries to do everything, no reliance on AIM).
--onyx--
Publishing information about exploits is valuable, and creating code that can demonstrate an exploit is valuable, and releasing it if the company isn't going to fix the problem really fast is valuable, and releasing an exploit that helps people test to make sure they're no longer exploitable is valuable.
But in this case--due to threat of release or not--AOL claims to be fixing the problem very rapidly, and the exploit code is next to useless in fixing the problem. The only reason I can see, in this case, to release the code is if that is the only way that the people who found it would feel like they got enough attention/recognition to make it worth releasing the code rather than exploiting it themselves.
Next time, I hope they wait a little longer before releasing the code. Or if not, hopefully it won't get reported here until then. Otherwise it just gives ammunition to the "obscurity" folks who want to show how dangerous information is.
This is nice, I just compiled the code and was able to run commands on friends' comps. He provided source code and everything, it's just a matter of downloading and compiling (need make & gcc & libfaim). To actually run commands, you have to modify the source; the default setup just crashes the person's AIM. ENJOY!
TerraIM - my pet AIM client project.
The story's made CNN: http://www.cnn.com/2002/TECH/ptech/01/02/aol.security.ap/index.html.
Care about electronic freedom? Consider donating to the EFF!
The reverse-engineering clause only applies to technology designed to limit access to a copyrighted work. The DMCA is for protecting digital content. AIM has nothing to do with that.
It's a bad law, for sure, but making false claims about what it covers does NOT help our cause.
Strangely, Aim filter seems to take advantage of a few exploits in AIM as well... Kinda strange recommending this.
Oh well, I guess our free reign is over.
It's true that overflows are easy to prevent, by using a modern language like Java or O'Caml that has automatic bounds-checking on arrays. (To a lesser extent the C++ STL can help you with this, but you don't get any guarantees since the language is not safe.)
But I don't agree that it is easy to prevent when you're writing your software in C or C-like C++. In fact, I think C and the typical memory model practically encourages you to write exploitable software. Sure, it's easy to look at a stupid little program and say, yes, that has a buffer overflow problem. But large programs like IIS or even AOL AIM are an awful lot harder to analyze. (Take a look at the IIS overflow again if you think it's easy. This was due to the interaction between two totally different modules, both of which did bounds checking, but assumed that the buffer was large enough to hold twice the amount of data after unencoding. Indeed it was, but not if you unencode twice!)
If it is so easy to prevent, why do we continue to see loads of these kinds of bugs? You might argue that AOL programmers are stupid, and IIS programmers, and wu_ftpd, BIND, perl, quake 3 arena, sshd, (etc. etc.), but I think you'd be left with almost no programmers if you listed all the packages that have had buffer overflows in them. It is C's fault.
Personally, I think it's ridiculous that people still write software that's not at all performance-critical in C and C++. Technology exists (see O'Caml at http://caml.inria.fr/) for making really fast programs that are guaranteed not to have this kind of security hole in them. All that's really needed is toolkits for interfacing with system libraries... (for non-interactive stuff like network daemons there's absolutely no excuse to be using C).
Why don't you try Trillian if you're looking for cross-IM compatibility. Support for AIM, Yahoo, MSN, ICQ, and IRC. very cool
find it at
http://www.trillian.cc
if you've got Mac OS X - you should get fire
...
:-( and I forget)
http://www.epicware.com/fire.html
works great, and handles AIM, ICQ, Jabber, irc, MSN, and Yahoo.
from the "About Fire" dialogue
Engineering
Eric Peyton
Interface Design
Borrowed from America Online with flourishes courtesy Eric Peyton. Some ICQ ideas taken from various ICQ clones
Icons
Rick Roe, Blake Harris
Fire Enhancements
The following people have made enhancements to Fire
Jason Fosback (jfosback@ubermind.com)
Brian Fitzpatrick (fitz@red-bean.com)
(way too many to list
Underlying Engine (libfaim)
Copyright 1998-1999 Adam Fritzler (afritz@iname.com)
Underlying Engine (icqlib)
http://kicq.sourceforge.net/kicq.shtml
Underlying Engine (libyahoo)
http://www.sourceforge.net/projects/gtkyahoo
Underlying Engine (msn library)
http://www.everybuddy.com
Underlying Engine (firetalk/irc)
http://www.penguinhosting.net/~ian/firetalk/
HTML (AIML) Rendering/Reading Engine
Copyright 1999 Stephen Peters (portnoy@portnoy.org)
Fire.app Written in Objective-C against the Cocoa API's using the underlying libfaim Unix/Linux library written in C, the icqlib source code written in C, and the gtkyahoo source code written in C and C++. I am using the firetalk library in C for irc communication and the msn library was borrowed from everybuddy.
Fire.app is released under the FSF GPL, as are libfaim, micq, and gtkyahoo. If you did not receive source with this version please contact Eric Peyton (epeyton@epicware.com) for the source, or visit http://www.epicware.com/fire.html.
guns kill people like spoons make Rosie O'Donnell fat.
The exploit no longer works. However, since the problem does exist in the client, I'm sure it's possible to do this in some other fashion.
Check out this guy, for instance. Doesn't he look dreadful?!
I'm sure he'll regret this look someday.
Come come people, out of any crowd online, I'd expect the slashdot folks to be on the up and up about Miranda and Licq.
If you use Linux, use Licq or Miranda and WINE. If you use Windows, use Miranda.
Simple as that!
oops, miranda is at miranda-icq.sf.net
It should be noted that the bug does not, "enable remote users to execute code on any machine logged into the AOL IM service," but is specific to Windows versions 4.3 and newer. They have confirmed that it does not affect Netscape's built in AIM, and assumably alternative OSes and alternative clients are safe. So let me include another shameless endorsement of Fire ;)
"Reality is just a convenient measure of complexity" -Alvy Ray Smith
Now has a story on this.
Remember, there were no nuclear weapons before women were allowed to vote.
Instead of calling these things "flaws" or "holes" or "exploits" I recommend a different term.
Call them a "window."
As in, "A window was discovered today into AOL Instant Messenger."
Has it been over a year since you last donated to the Electronic Frontier Foundation
View source on http://www.w00w00.org:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0022)http://www.w00w00.org/ -->
<HTML><HEAD><TITLE>w00w00 Security Development (WSD)</TITLE>
<META content="text/html; charset=windows-1252" http-equiv=Content-Type>
<META content="MSHTML 5.00.2614.3401" name=GENERATOR></HEAD>
A lot of hash is made by folks about security, and security holes are cited as reasons to call programmers "dumbasses" and "idiots". Most of this obviously heads Microsoft's direction.
But it's clear to me that audience size has more to do with security exploits than programmer skill. Counterstrike has *far* more cheaters, and far more dedicated crackers, than any other online game. It also has 10x as many people as any other online game. Valve programmers aren't stupid. I'm sure the AIM programmers aren't stupid, either, and neither are the MSN or Outlook folks. It seems to me that the more people you throw at a problem, the more holes you'll find: that the holes are inevitable for any non-trivial program.
You get the "more people to throw at the problem" in security cases by having the "bigger audience to screw with". I was wondering when I'd start seeing non-MS general apps attract enough crackers, and AIM with 100 million folks appears to be sufficiently large.
How much blame should attach to programmers? I notice Red Hat has about 4 security updates a month (for their most current version), looking at their own list on their website. Mandrake has about double that. They're smart guys, too. But you don't hear about it nearly as much, because obviously any exploit is a much smaller ripple, compared to the millions more Windows boxes out there.
I've downloaded 17 XP updates since it came out, most of them security updates. I'm not seeing a train wreck of incompetence with Windows: if a flaw is discovered, it's bigger news just by being more widely distributed. But the flaws seem to get fixed, on the whole. At least, they seem to get fixed at a reasonable rate, comparable to the rate at which Linux companies issue fixes. One could argue that, given the mumblemillion more Windows boxes there are, MS should fix the bugs mumblemillion times faster to compensate for the severity difference they pose the world, but that's a pretty facile argument, and easy to dismiss.
I guess I'm thinking that it's gotta be pretty damned hard to write software to allow two computers to talk and take every single eventuality into account before shipping it. It's got to get geometrically more complicated the more apps and such talk in a variety of ways. I'm wondering how "bombproof" some things are by virtue of just not having enough folks that care enough to try.
Also worth mentioning is that Trillian has automatic 128bit encryption between Trillian clients (over AIM & ICQ only).
Got friends?
Information security tends to take a far back seat within the corporate world. Doesn't matter if it is management, administration, or development - infosec is a secondary thought if its even considered.
Part of this is the specialized knowledge required to handle infosec issues (not that it couldn't be widely acquired). It takes a conscious effort to implement a secure system. This is often considered additional effort. And additional cost.
Another part of the puzzle is a general disbelief anyone could discover a vulnerability and would bother to take advantage of it. This discounts the number of technically minded individuals your infrastructure is exposed to on the net (compounded by automating attacks). It also ignores that even trivial applications can cause considerable damage (I have some friends working infosec for large corporations who went in to high gear with this announcement - AIM exists in many environments).
Finally, infosec is rarely a consumer requirement. Functionality is what sells widgets. Unless the widget is touted as being secure (even IF it's supposed to be secure), security won't sell as many widgets if the widgets don't blink and beep nicely. Thus infosec issues are not pushed during initial development.
So now it gets bloody. Damage gets done. Consumers begin to see how these strange little issues cause them pain. They begin to demand better, more secure products. Product goals begin to include infosec. Better products get produced.
And those who would take advantage of vulnerabilities... quietly and to personal gain (or even loudly and publicly) have fewer and fewer targets.
And it's possible more attention will be paid to those who build faulty, and ultimately dangerous, data infrastructures. Maybe even legal liability.
Personally, I think the fact the bug has been released is a good thing, though I don't think the source for the actual exploit should have been put out.
I can see both sides of the arguments.
www.aim.com
Tell me how much info you can find about the problem on AOL's own site. Nada, zip, zero, zilch.
Doesn't exactly instill me with confidence they would have fixed the problem on their own, without a nudge from w00w00
AIM Filter might be the back door they're warning about... They recommend that you run it to keep yourself safe from this latest vulnerability, but it might in fact be a trojan that steals your passwords anyway!
Check out the link in the parent post.
http://www.securityfocus.com/cgi-bin/archive.pl?id=1&start=2001-12-24&end=2001-12-30&mid=219171&threads=1
it would be +1000000000000000 Funniest thing I read all year
A friend of mine and I have been trying for the last hour or so to figure out how to turn off the internal client in AOL 7.0. Haven't figured it out. I d/l'd Trillian, and can't use it. I can't log out of the server without disconnecting from AOL. All we can do is disable access [to my box] to others. I hate not being able to control my own box. The funny thing is, this is the first problem I have ever had with AOL in any form. But I don't like the way they have handled this.
Can someone please explain to me the moral or ethical mandate that supports/justifies this sort of vigilante thinking? Consider the following off-line scenarios, which to me seem equivalent (someone correct my thinking):
...
You can still have the best of both worlds... When people discover vulnerabilities like this, they should:
- Announce publicly that they discovered a vulnerability with a specific program (or module or whatever). Do NOT give enough details to allow others to relatively easily find it for themselves. Along with this notification, post the date on which the full disclosure of the details will happen.
- Alert the vendor who made the software, and give them all of the technical details with which to identify and fix the problem. (As well as the public posting date.) Allow the vendor a reasonably long enough time to fix their software and strongly promote the downloading of patches by their customers. This is a grey area, because a "reasonable" amount of time could easily vary depending on the size of the company, the number of users of the software, how many different versions of the software are in use, how severe of a bug it is, etc. I don't know what a good default guideline would be, but I can't imagine it being less than a week.
- On the disclosure date promised in the original announcement, disclose all of the details of your findings.
Each of these steps is vital and cannot be skipped over, nor are they likely to work out of sequence. People/groups who research things like this thrive on the fame and notoriety of being the ones who found the vulnerability. They are not likely to be willing to give the vendor notice without publicly announcing that they've found something, because the vendor might fix the bug without giving credit to the finders. While this would be fine for the rest of us, it would not please the finders, so they would not be willing to stick to this model, which would defeat the whole purpose.
It is also imperative that the details ARE disclosed to the public at some point. Without the threat of the details being publicly known and mass embarrassment for the vendor (or possible legal action, depending on the nature of the bug and the degree of negligence), there will be very little incentive for the vendor to fix the holes and encourage downloads of the patches. The solution is NOT to disallow scrutiny of software by third parties. If large vendors come to rely on this type of legal protection rather than technical integrity, then the only people who will end up discovering such vulnerabilities are those who are knowingly attempting to break the law. When they gain their "illegal" knowledge, they are likely to use it anonymously for illegal purposes, since any legal use of it would trace it back to "How did they find this out in the first place?", and thus their illegal "hacking".
It is imperative that the "good" hackers be allowed to claim credit for their discoveries and to have a legal way to disclose them to the vendors, and to put pressure on them to be fixed. This is how progress is made. By outlawing 'beneficial hacking', you will force all of these active minds into the underground, eliminating thousands of basically free quality-control research hours. The desire to analyze, to explore, to hack, will always be there. If you outlaw it, you are guaranteeing that the results of these desires will always be illegal, and probably negative (counter-productive to society).
Sometimes the best solution to morale problems is just to fire all the unhappy people.
...at least in this kind of development situation. I would think that if you open sourced your protocol and a sample client, you'd have the major bugs worked out fairly early in development. That tends to cut down on the number of users affected by any bugs that may crop up. You can't really fault the programmers for letting this security hole happen. Everyone makes boneheaded mistakes, including the project manager for not implementing a better development method.
Over the last year or so, I've been coding a slash-like weblog. I started the project because the new version of slash wasn't stable yet, and because I found slash a huge pain to install... a nightmare! Anyhow, so I've been working on this for awhile now, and I'm just now getting around to implementing real database use (as opposed to text files for everything). While the code seems to have taken everything I've thrown at it, I wouldn't just throw the scripts up for download and send the DB abstraction module off to CPAN, declaring it stable.
I do realize that at some point, when I feel fairly comfortable with what I've got, I'll release it as an unstable development release, and let others help pound out any bugs. I'd do that BEFORE I'd market my code, sell it to millions, and squeeze slash out of existence. Heh, just kidding, but you get the idea. When you have a piece of software that can potentially be installed in millions of machines, you kinda have a moral obligation to make sure nothing goes wrong. But morality and big business is another topic altogether.
What could possibly hurt the security of the American people more than giving our own government the ability to hide its
At least I think so...
Very funny indeed.
to use strncpy instead of strcpy...
Anyway, I like AIM, it's easy for a brain dead code jockey to use. I've got enough rattling around in my head without having to be 31137 at instant messenger applications.
Codifex Maximus ~ In search of... a shorter sig.
Far be it from me to imply that ownership affects the editorial slant of the media, but consider the first paragraph of MSNBC's coverage of the AOL exploit:
with the lead paragraph of their coverage (read: spin) on the recent XP fiasco:
Of course, with the tough economic times and all, it's good to see the marketing department pitching in and writing the story leads.
Wait... you mean you still haven't joined the ACLU?
Please see the subject line. I am quite curious about this. Mods are strange critters sometimes
It may be new to you, but looking under the hood of a car and understanding how it works and learning more about how it works by looking is not stealing.
At least I have not had my car stolen when I left it at the garage and the car mechanic definitely looked under the hood and definitely reverse engineered the problems I was experiencing. And as far as I know, no more identical copy of my car exist due to that reverse engineering.
Could it be you cannot distinguish between reverse engineering, cracking and bootlegging? Or are you an MS pusher? :-)
Just for your info: In civilized countries you own what you buy, regardless of what MS claims. Oh, and yes, reverse engineering, even of software, is protected by the law to the extent you need to make your (legally obtained) software interoperable.
Let's face it: there will always be problems like this, no matter what OS or program is involved. The question is: how can we make living with those problems easier, how can we make sure that even though such problems exist, they won't cause much damage? I think that a radical change of how people "see" what their computers are doing will have to be the key. You cannot expect everybody to become a computer expert. But as much as better GUIs have helped to make it easier for the masses to understand what they are doing when writing text or painting pictures, it will be necessary to give the users a "metaphor" for net connections, program privileges and the like. Until now, these things are considered to be close to the OS and users have been protected from these things by making them "transparent". This is a completely wrong way. Users have to be aware of the fact that programs accept or initiate connections to the outside world, transfer data, execute code that does strange things and so on. Somebody has to find a way to integrate these things into a user interaction metaphor that is easy to understand and lets the user control what he wants or not, instead of hiding it away from him. I don't say that this would be the answer to all problems, but I think this should be the way to go. Knowing nothing is bad. Expecting users to be able to define iptables rules is bad too.
Weren't TLVs intended to prevent buffer-overflow style attacks? For those of you not familiar, TLV stands for "type, length, value" - it's a rather explicit way of storing data.
I'd assume that they'd use the same TLV parsing code throughout the client product, in which case there's probably more code areas that are busted.
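The two posts above (the one arguing that C "practically encourages" exploitable code, and this one asking whether TLVs were meant to prevent overflows) make the same point from different directions: a length field on the wire is only as safe as the code that checks it. The following is an added example, not code from w00w00's advisory, from libfaim, or from any AIM client. It assumes a hypothetical OSCAR-style TLV layout (16-bit big-endian type, 16-bit big-endian length, then the value) and a hypothetical fixed-size destination buffer `VALUE_MAX`; the sample messages are constructed, not captured traffic. It shows a reader that trusts the length field beside one that checks it against both the bytes remaining in the message and the destination size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from w00w00's advisory or from any AIM client.
 * Assumed wire layout for one TLV: 16-bit big-endian type, 16-bit
 * big-endian length, then 'length' bytes of value.  VALUE_MAX is the
 * hypothetical fixed-size destination a client might copy a value into. */
#define VALUE_MAX 32

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable shape: the length field is trusted.  A length above VALUE_MAX
 * overruns 'out' on the caller's stack (the classic overflow), and a length
 * above the bytes actually present reads past the message.  Never call this
 * on attacker-controlled input; it is shown only for contrast and is not
 * exercised by main() below. */
size_t tlv_read_unsafe(const uint8_t *msg, uint16_t *type, char out[VALUE_MAX])
{
    uint16_t len = be16(msg + 2);
    *type = be16(msg);
    memcpy(out, msg + 4, len);   /* no comparison of len with VALUE_MAX or msg_len */
    return 4 + (size_t)len;
}

/* Hardened shape: the length is checked against the bytes remaining in the
 * message and against the destination size before any copy.  Returns the
 * number of bytes consumed, or 0 for a malformed TLV. */
size_t tlv_read_safe(const uint8_t *msg, size_t msg_len,
                     uint16_t *type, char out[VALUE_MAX], size_t *val_len)
{
    if (msg_len < 4)
        return 0;                       /* header itself does not fit */
    uint16_t len = be16(msg + 2);
    if ((size_t)len > msg_len - 4)
        return 0;                       /* value would run past the message */
    if (len > VALUE_MAX)
        return 0;                       /* value would not fit the destination */
    *type = be16(msg);
    memcpy(out, msg + 4, len);
    *val_len = len;
    return 4 + (size_t)len;
}

/* Walk every TLV in a message with the checked reader.
 * Returns how many were parsed, or -1 at the first malformed one. */
int tlv_count(const uint8_t *msg, size_t msg_len)
{
    int n = 0;
    size_t off = 0;
    while (off < msg_len) {
        uint16_t type;
        char val[VALUE_MAX];
        size_t vlen;
        size_t used = tlv_read_safe(msg + off, msg_len - off, &type, val, &vlen);
        if (used == 0)
            return -1;
        off += used;
        n++;
    }
    return n;
}

/* Constructed sample messages (not captured traffic). */
/* Two well-formed TLVs: type 1 / "abc", type 2 / "x". */
const uint8_t good_msg[] = { 0x00,0x01, 0x00,0x03, 'a','b','c',
                             0x00,0x02, 0x00,0x01, 'x' };
/* Declared length 0x0400 but only 3 value bytes follow. */
const uint8_t lying_len[] = { 0x00,0x01, 0x04,0x00, 'a','b','c' };

/* A TLV whose 40 value bytes are all present in the message but exceed
 * VALUE_MAX: the unsafe reader would overflow, the safe one rejects it.
 * Returns 1 when the checked reader rejects the message. */
int oversized_value_rejected(void)
{
    uint8_t msg[4 + 40] = { 0x00, 0x01, 0x00, 40 };
    memset(msg + 4, 'A', 40);
    return tlv_count(msg, sizeof msg) == -1;
}

int main(void)
{
    printf("well-formed message: %d TLVs\n", tlv_count(good_msg, sizeof good_msg));
    printf("lying length field:  %d\n", tlv_count(lying_len, sizeof lying_len));
    printf("oversized value rejected: %s\n", oversized_value_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the two separate checks is that "the length fits in the message" and "the length fits in my buffer" are different questions; a parser that is shared across every SNAC handler, as the post above guesses AIM's might be, only protects all of them if both checks sit inside the shared reader rather than being left to each caller.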
over 100 million users of AIM and you say, AOL won't be there during a holiday? What if someone started exploiting that (or a different hole) over the holidays?
Furrfu!
See also the Full Disclosure Policy (RFPolicy) v2.0 which is followed by many bugtraq users. Note that 5 work days would mean that the report would have been made around 2001-12-20, at least in my locale.
A windowsy (humourous) look at the issue of disclosure can be seen here.
It's free (beer) donation-ware. Who knows, I may just throw some money their way....
m00.
Posting security-related information makes us all better-informed. It makes those writing both open and closed software to be better aware of the real problem posed by making a communications protocol secure.
It is AOL's responsibility to make their program secure. Whether it's "lighting a fire under their butt" posting the information is irrelevant; the basic freedom to share information overrides other concerns, and AOL needs to deal with such things in a timely manner. They especially should be thankful to w00w00 for showing them a quick way to improve their services.
I personally am thankful to Slashdot for posting this information. It gave me yet another reason to chuck the Winblows client, fire up Cygwin, and use gaim.
You take the statement from the article "This does not affect the non-Windows versions, because the non-Windows versions currently do not yet support the feature that this vulnerability occurs in" and conclude "If other versions did support this feature, they would be subject to this vulnerability".
Let me spell it out in straightforward logic symbols:
let "a" mean "vulnerability affects non-Windows versions"
let "b" mean "non-windows versions implement this game feature"
You take "not a because not b" (that is, "not b implies not a") and conclude "b implies (would imply) a". You have confused the converse with the contrapositive (the contrapositive would be "version xyz is vulnerable to this, therefore I know that version xyz implements the gaming feature").
Now, on to the question as to whether or not this vulnerability is in the protocol itself; this gets into a silly semantic debate that could go on and on with people yelling about definitions. As the AIM protocol has no canonical published spec. to define what it is, we can only assume that the AIM protocol is whatever the official AIM clients do when operating correctly. (For example, we shouldn't expect that the behavior of the AOL client while it is running under a debugger that randomly flips a few bits in memory every few seconds is an example of the AIM protocol)
So - is a buffer overflow the correct behavior? As much as I am inclined to think ill of the AOL/TW behemoth, I doubt that they intended their users' machines to be wide open to script kiddies everywhere.
That last feature is client-side - a user using licq or any other program, just about, can add you without you being prompted or even knowing. For that matter, I'm sure a program could be written to send a local ICQ client forged replies stating that the authorization had been given.
Don't believe me? Download one of the third-party clients and try it for five minutes.
From the bugtraq archive: It looks like this may perhaps be sending a username and password to the screen name sobbieraunders? I don't know.
Due to Anonymous Coward's demands, "w00-frickin-w00" has changed its name to "l33tw00" for cosmetic reasons ;).
That doesn't make any sense, either. The DMCA does not prevent you from reverse-engineering software and making or distributing patches, UNLESS that software controls access to a copyrighted work, which AIM does NOT.
People really need to get their facts straight about the law or we are going to be totally incoherent when we try to challenge it (or convince our friends and family that it is bad).
Group image 1
Group image 2
Woo member Blake
Woo member Remmie
The bug has been fixed server side by AOL. Anyone who tries to exploit it now gets an 'Error Code 14' or something like that and a nice little message from AOL.
Ah well, it was fun last night...
The World is Yours.
One of the coolest features is the file transfer-part. Users from different networks can send and receive files from each other. This is the only program that will let you send a file to an ICQ user from MSN for instance. Nice.
over 100 million users of AIM and you say, AOL won't be there during a holiday?
No; obviously SOMEONE is going to be there; there's a well-staffed 24x7 NOC. But we don't know what his reporting method was, other than that it was via e-mail. He presumably just e-mailed someone at AOL whose name he knew; that person could certainly be on vacation over the holidays.
Note that 5 work days would mean that the report would have been made around 2001-12-20.
And yet that isn't the case, according to the article - he notified "after Christmas" (even though he'd known for a few weeks) and announced on New Years. At best, that's three working days, even if you don't allow extra leniency for the holidays. So he didn't follow the guideline. It says Conover stated he wanted to release the exploit on 1/1 anyway because it was the anniversary of w00w00's previous announcement! Yes, I think that's irresponsible.
Here's a copy of the AP article.