AOL Instant Messenger Remote Hole

The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. "So easy to hack, no wonder it's number one!" Details can be found at the w00w00 site."

Warnings

[Joe+U]

Wasn't AOL warned about this sort of stuff over a year ago?

I remember someone at Microsoft saying that AIM and ICQ had some serious unchecked buffer problems. Something to do with why Microsoft wouldn't update MSN Messenger to work with AIM anymore.

(I might be wrong on this, anyone have info?)

Re:Warnings

[kesuki]

That bug is old news... I used it for months until I remembered my ICQ password. It's 9 charachters not 15 ICQ doesn't allow passwords greater than 8 characters. While some sites won't allow a password shorter than 8 characters ICQ won't allow a longer one... Nice to see how security conscious mirabilis was and still is now that AOL owns them.

Actually though I think the earliest ICQ implimentations performed the password authentication locally, which is why the 8 character limit on passwords exists in icq.
A 9 character password response meant the authentication was done by the client.

Most of the writeup bashes the DMCA

[Bonker]

The guy spends most of his time bashing the DMCA and how hard it makes to offer patches to this sort of thing without AOL's permission:

From the NTBugtraq letter:
First, the Digital Millenium Copyright Act affects circumvention of anti-piracy mechanisms and reverse engineering. If a product is released in binary form only (i.e., AOL) to protect its technologies and one attempts to reverse engineer the file, it's a violation of the DMCA. It's no question who the lobbyists behind this law were: the big corporations. Not surprisingly, AOL Time Warner was one of the DMCA's biggest supporters. Find out more information about the DMCA at http://www.anti-dmca.org.

Re:Better Link

[XBL]

I think the MSN and Yahoo transports on the Jabber.org server has been working reliably for some time.

For ICQ and AIM, you can probably find some lesser-used Jabber servers with the transports active, and not blocked. JabberView.com has a small list of other servers.

Me, I just use my Jabber.org account, but cross-link to transports on other servers that actually work.

Of course, you can run your own server and transports. Heck, you could even do it on your own box if you want to. Just run icq.localhost and aim.localhost along with jabberd localhost, but still use your user@jabber.org or whatever as your main Jabber account. It's easy to do.

Best PR Spin

[VivianC]

This has got the best PR response I've ever seen to one of these holes:

From the Washington Post Story

A security hole in AOL Time Warner's Instant Messenger program used by millions of users worldwide can let a hacker take full control of a victim's computer, according to security researchers and the company.

An AOL spokesman said the problem will be fixed soon, and users won't have to download anything.

Great idea! Why make the user download and test a patch? We can just use this hole that gives us full control of a vitim's computer...

Re:Why not wait a day?

[Monte]

Can someone please explain to me the moral or ethical mandate that supports/justifies this sort of vigilante thinking?

I'd like to start by stating that I don't condone w00w00's (gad what a name) actions, I was simply offering a possible answer to a question (which, for some reason, got modded up all to hell. I guess the SlashThink mindset agrees with all that appears to screw corporations).

Now, in an attempt to answer your question - I think this sort of thing is defnitely a free speech issue, and I think in some cases it's justified.

Let's take your example of a GM exploit - if I discovered such a thing and called GM about it (even if I were a registered/certified GM mechanic) - how many layers of corporate denial, obfuscation and red tape do you think I'd encounter? After all, a recall to fix the problem is going to cost some green, and I'm just some schmuck mechanic. So how long do you think it would take GM to fix the problem, versus the amount of time that someone who liked stealing cars figured it out?

If instead of calling GM I phoned the local TV stations and demonstrated the problems - do you think that would speed up a GM recall? I sure do.

Does this hurt the corporation? Yes. But then it was the corporation that created the exploit, or failed to close it. You reap what you sow.

And how can you claim that they are done in the interest of the public when so much anonymous public damage could result in the short-term?

The same could be said about an internet article that explains how to pick locks. Should such sites be shut down, in the name of the public interest?

Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.

Which is the greater endangerment: the discription of an exploit, or the exploit's existance?

Open your eyes...

[Brendan+Byrd]

Kinda reminds me of various SF dystopias where the general populace is kept just smart enough to be useful but not enough to be critical thinkers and therefore dangerous to the status quo.

It's already like this. Just look at the government we have now: One which is more worried about banning abortion to produce more babies, instead of enforcing better (and cheaper) birth control. One which is more worried about protecting ourselves from ourselves (read: victimless crimes), instead of letting us learn from our mistakes (or letting evolution sort it out). One which is more worried about getting elected the next term and getting in the pockets of lobbists, instead of passing laws that the people really need.

Just look at our idiotic voters. They are the mediorce masses. They are the ones just smart enough to be useful, but not smart enough to see that they've been screwed. They are the proles [1984], and the future is NOT with them.

Check out this quote...

[VValdo]

from USAToday:

Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover's actions are irresponsible. "I think it's better to provide details of the exploit and then let other people write the actual code," Cooper said. "Unfortunately, these are fundamentally naive people with a very childish view of the world."

Hmm. Anyone else sense a little hostility from the for-profit security industry...?

Does this make me a murderer?

[Slur]

I am about to expose information that could be used to commit a crime. If this information is improperly used then I and all who have passed on this information can and should be summarily prosecuted according to the Laws Against Spreading Evil Information. But I'll take the chance.

1. Humans are mortal
2. Poking a big hole in a human can kill it
3. Humans are the weak spot in bank security
4. Humans fear having holes poked in them
5. Guns are effective tools for poking holes in humans
6. Pointing guns at humans can get them to do what you want
7. Humans in banks will give you money if you point a gun at them
8. To kill a human quickly, shoot it in the heart or head
9. Explosives are also very effective

My apologies to all for whom this information represents a decrease in personal security. But rest assured, your firewall will continue to function long after your life has drained away.