AOL Instant Messenger Remote Hole
The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. "So easy to hack, no wonder it's number one!" Details can be found at the w00w00 site."
The guy spends most of his time bashing the DMCA and how hard it makes it to offer patches to this sort of thing without AOL's permission:
From the NTBugtraq letter:
First, the Digital Millennium Copyright Act affects circumvention of anti-piracy mechanisms and reverse engineering. If a product is released in binary form only (i.e., AOL) to protect its technologies and one attempts to reverse engineer the file, it's a violation of the DMCA. It's no question who the lobbyists behind this law were: the big corporations. Not surprisingly, AOL Time Warner was one of the DMCA's biggest supporters. Find out more information about the DMCA at http://www.anti-dmca.org.
I think the MSN and Yahoo transports on the Jabber.org server have been working reliably for some time.
For ICQ and AIM, you can probably find some lesser-used Jabber servers with the transports active, and not blocked. JabberView.com has a small list of other servers.
Me, I just use my Jabber.org account, but cross-link to transports on other servers that actually work.
Of course, you can run your own server and transports. Heck, you could even do it on your own box if you want to. Just run icq.localhost and aim.localhost along with jabberd localhost, but still use your user@jabber.org or whatever as your main Jabber account. It's easy to do.
This has got the best PR response I've ever seen to one of these holes:
From the Washington Post Story
A security hole in AOL Time Warner's Instant Messenger program used by millions of users worldwide can let a hacker take full control of a victim's computer, according to security researchers and the company.
An AOL spokesman said the problem will be fixed soon, and users won't have to download anything.
Great idea! Why make the user download and test a patch? We can just use this hole that gives us full control of a victim's computer...
Viv
Gmail invites for ip
Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover's actions are irresponsible. "I think it's better to provide details of the exploit and then let other people write the actual code," Cooper said. "Unfortunately, these are fundamentally naive people with a very childish view of the world."
Hmm. Anyone else sense a little hostility from the for-profit security industry...?
-------------------
This is my SIG. There are many like it, but this one is mine.