Slashdot Mirror


AOL Instant Messenger Remote Hole

The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. "So easy to hack, no wonder it's number one!" Details can be found at the w00w00 site."

13 of 343 comments

  1. Why not wait a day? by MarkLR · · Score: 2, Insightful

    Given that the message states AOL will do a server side fix in a day, why not wait ONE DAY before releasing the exploit details?

    1. Re:Why not wait a day? by Monte · · Score: 5, Insightful

      Given that the message states AOL will do a server side fix in a day, why not wait ONE DAY before releasing the exploit details?

      Perhaps the former was a result of the latter? There's a concept called "lighting a fire under their ass".

    2. Re:Why not wait a day? by ez76 · · Score: 5, Insightful

      Perhaps the former was a result of the latter? There's a concept called "lighting a fire under their ass".

      Can someone please explain to me the moral or ethical mandate that supports/justifies this sort of vigilante thinking? Consider the following off-line scenarios, which to me seem equivalent (someone correct my thinking):
      • A test mode is discovered in a popular residential/commercial building security system whereby anyone can enter such a building by punching in a certain 23-digit code into the alarm keypad. w00w00 drives around town and posts a picture of the affected keypads and the first 21 digits of the code.
      • Certain model year GM vehicles' security systems can be foiled by holding down multiple chiclet keys at once and inserting a metal object into the driver's side door keyhole. w00w00 cruises local mall parking lots, opening the doors of random vehicles, putting a bulletin about the problem on the driver's seat, closing the door, and fleeing.
      • A template and generating function for test AT&T calling card numbers is discovered that permits anyone with the two to make free calls. w00w00 publishes the information.


      All of these actions could have theoretically been done in the name of improving security but in the short-term all they do is recklessly endanger it.

      These actions wouldn't fly in the real world without legal repercussions. And how can you claim that they are done in the interest of the public when so much anonymous public damage could result in the short-term? Is there anyone out there who really believes this isn't being done to take a stab at big corporations for big corporations' sake, by individuals who thrive in the gray area of the law?

      There is at least one long-term upside to w00w00's actions, though. Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.
    3. Re:Why not wait a day? by GTRacer · · Score: 5, Insightful

      Actually, I don't hate Microsoft products, just their practices and abhorrent licensing shenanigans. In fact, I use WinNT, Outlook, IE 5.5 and the rest of the Office 97 suite alongside Gimp, Apache, Perl, NMap, and WGet.

      I am not an OSS zealot although I do dual-boot Mandrake.

      I hate AOL because of their incredibly asinine advertising! "Everyone I know is on my Buddy List!" Maybe it's time for more friends! I used AOL 3, 4 and 5 at work and at home and despised the branding tricks and limitations on the Internet experience.

      I also loathe the way it seems (my perception - may not reflect reality) they feel their users need a prepackaged community because they're simpletons who don't need a better, deeper Internet experience. Kinda reminds me of various SF dystopias where the general populace is kept just smart enough to be useful but not enough to be critical thinkers and therefore dangerous to the status quo.

      GTRacer
      - Equal-opportunity company basher!

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    4. Re:Why not wait a day? by YaRness · · Score: 5, Insightful

      it's different because you can't download a new keypad for your security system or car, but you can easily download and apply a patch for a program. it's a matter of distribution.

      additionally, in your analogy, for each poster up on the telephone pole, they would have included a box full of replacement keypads (or whatever) to fix the problem; w00w00 did list a place to download a proxy that will serve as a temporary fix. it's allowing people to be able to make the decision to protect themselves, instead of being subject to the whims of Big Bad Corporation X's product life cycle.

      just the old regulated security VS. freedom debate.

    5. Re:Why not wait a day? by arkanes · · Score: 2, Insightful

      Well, the third one is totally unrelated, as it's not an "exploit" except in that you get to make free calls (unless you mean it bills them to some random person, which is still a fairly poor analogy). The second is also a poor comparison - perhaps if they left the flyer on the windshield. That said, I don't see how your real world examples are immoral either. If my burglar alarm was discovered to be flawed, I'd want to a) know as soon as it was discovered by white hats so I can make sure I'm not relying totally on my alarm and b) know how it's done so I can see if my version truly is affected and c) get phones SERIOUSLY ringing at my alarm company. I don't want to find out weeks after the fact that there was a known exploit in my alarm, which presumably is known to burglars, and the company didn't tell me so I could go buy a deadbolt. Companies hate recalls. They cost money and don't return any profit. It's very rare for one to be issued that's not mandated by law.

    6. Re:Why not wait a day? by geekoid · · Score: 3, Insightful

      when the industry has a history of ignoring security breaches, or trying to hush them up, it becomes necessary to take such actions to protect the people.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  2. Re:AIM will always be a problem by ZxCv · · Score: 3, Insightful

    Um, the protocol has nothing to do with this security issue. The security issue is in the Windows client implementation of this protocol. For another thing, the AIM protocol IS completely documented by AOL-- at least to the point where you can create a basic AIM clone using just that documentation.

    Once again, the problem is in the Windows client and not the protocol, and the protocol is openly documented. Get your facts straight next time.

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  3. Re:How to protect yourself by Brendan+Byrd · · Score: 2, Insightful

    Popularity doesn't make buggy code. Buffer overflows are soooo ten years ago, but I guess they still find them. At this point, I'm willing to say that any product with a buffer overflow found out at some time a year ago should not be used, and the programmers should be shot.

  4. Re:Ok... by neema · · Score: 3, Insightful

    This is under the mindset that the people who read this will actually be using the exploit, rather than defending themselves from it, which is how I read it. As a user on AIM, I find it very helpful that it was released so that in the one or two days it takes to patch this, I don't get fucked over.

  5. Re:Trillian by infiniti99 · · Score: 3, Insightful

    Trillian is a very nice idea, and solves the problem immediately. Unfortunately, it is not a long-term solution. Trillian is still at the mercy of the "big 4" (AIM/ICQ/MSN/Yahoo), and encourages the continuing use of these closed services.

    Remember the old days of the internet? How you couldn't send an e-mail from Prodigy to AOL because they were separate networks? That's what we have here, but in IM form. The solution was not to build some all-in-one Compuserve-Prodigy-AOL-bloat app, but rather to just decide upon an open email protocol. Trillian is the all-in-one approach.

    I recommend switching to Jabber. It will allow you to communicate with other IM services through serverside transport modules. Use transports as a transition, to communicate with people who have not yet switched to Jabber. The ultimate goal, however, should be to ditch the transports entirely.

    Most importantly, Jabber is its own open and distributed IM system, so you will always be able to chat no matter what the "big 4" do. Isn't it comforting to know that?

    If you don't care about promoting an open system, or don't see the problem with closed IM systems, then Trillian may be just the program for you. But remember it is not trying to solve the greater problem.

  6. i've an idea! by waschebaer · · Score: 2, Insightful

    a cool server side fix:

    exploit this hole from the main server on all clients, and make them automatically update to the latest version! No users have to download patches this way.

  7. Re:How to protect yourself by shokk · · Score: 2, Insightful

    "We have identified the issue and have developed a resolution that should be deployed in the next day or two," AOL's Andrew Weinstein said. "To our knowledge, this issue has not affected any users." "We'd encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it," Weinstein said.


    I'd appreciate it if AOL would get their act together and take some responsibility for writing the piece of crap and its corresponding holes. What ever happened to auditing code? This is just plain ignorance on how to deal with buffer overruns. And probably not a little of Windows' holes that the programmers take for granted.

    I just don't like that AOL wants to buy time to spin the issue to save their face by releasing notice of the hole and the cure at the same time, but I also realise that half the jerks out there are going to run this little tool to blow a bunch of random machines on the Internet. Why exactly didn't AOL respond to messages over the holidays? Surely they were staffed by some. I guess they'll make sure to check to see if "they've got mail" next time.

    --
    "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."