AOL Instant Messenger Remote Hole
The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. "So easy to hack, no wonder it's number one!" Details can be found at the w00w00 site."
Given that the message states AOL will do a server-side fix in a day, why not wait ONE DAY before releasing the exploit details?
Perhaps the former was a result of the latter? There's a concept called "lighting a fire under their ass".
Um, the protocol has nothing to do with this security issue. The security issue is in the Windows client implementation of this protocol. For another thing, the AIM protocol IS completely documented by AOL-- at least to the point where you can create a basic AIM clone using just that documentation.
Once again, the problem is in the Windows client and not the protocol, and the protocol is openly documented. Get your facts straight next time.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn't %get $worse;
All of these actions could have theoretically been done in the name of improving security but in the short-term all they do is recklessly endanger it.
These actions wouldn't fly in the real world without legal repercussions. And how can you claim that they are done in the interest of the public when so much anonymous public damage could result in the short-term? Is there anyone out there who really believes this isn't being done to take a stab at big corporations for big corporations' sake, by individuals who thrive in the gray area of the law?
There is at least one long-term upside to w00w00's actions, though. Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.
I am not an OSS zealot although I do dual-boot Mandrake.
I hate AOL because of their incredibly asinine advertising! "Everyone I know is on my Buddy List!" Maybe it's time for more friends! I used AOL 3, 4 and 5 at work and at home and despised the branding tricks and limitations on the Internet experience.
I also loathe the way it seems (my perception - may not reflect reality) they feel their users need a prepackaged community because they're simpletons who don't need a better, deeper Internet experience. Kinda reminds me of various SF dystopias where the general populace is kept just smart enough to be useful but not enough to be critical thinkers and therefore dangerous to the status quo.
GTRacer
- Equal-opportunity company basher!
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
This is under the mindset that the people who read this will actually be using the exploit, rather than defending themselves from it, which is how I read it. As a user on AIM, I find it very helpful that it was released so that in the one or two days it takes to patch this, I don't get fucked over.
it's different because you can't download a new keypad for your security system or car, but you can easily download and apply a patch for a program. it's a matter of distribution.
additionally, in your analogy, for each poster up on the telephone pole, they would have included a box full of replacement keypads (or whatever) to fix the problem; w00w00 did list a place to download a proxy that will serve as a temporary fix. it's allowing people to be able to make the decision to protect themselves, instead of being subject to the whims of Big Bad Corporation X's product life cycle.
just the old regulated security VS. freedom debate.
Trillian is a very nice idea, and solves the problem immediately. Unfortunately, it is not a long-term solution. Trillian is still at the mercy of the "big 4" (AIM/ICQ/MSN/Yahoo), and encourages the continuing use of these closed services.
Remember the old days of the internet? How you couldn't send an e-mail from Prodigy to AOL because they were separate networks? That's what we have here, but in IM form. The solution was not to build some all-in-one Compuserve-Prodigy-AOL-bloat app, but rather to just decide upon an open email protocol. Trillian is the all-in-one approach.
I recommend switching to Jabber. It will allow you to communicate with other IM services through serverside transport modules. Use transports as a transition, to communicate with people who have not yet switched to Jabber. The ultimate goal, however, should be to ditch the transports entirely.
Most importantly, Jabber is its own open and distributed IM system, so you will always be able to chat no matter what the "big 4" do. Isn't it comforting to know that?
If you don't care about promoting an open system, or don't see the problem with closed IM systems, then Trillian may be just the program for you. But remember it is not trying to solve the greater problem.
when the industry has a history of ignoring security breaches, or trying to hush them up, it becomes necessary to take such actions to protect the people.
The Kruger Dunning explains most post on