Slashdot Mirror
AOL Instant Messenger Remote Hole
The DSL Guy writes: "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol. With over 100 million people registered on the AIM service, this vulnerability poses a serious security risk for Internet users worldwide. This flaw can enable remote users to execute code on any machine logged into the AOL IM service. "So easy to hack, no wonder it's number one!" Details can be found at the w00w00 site."
We recommend Robbie Saunder's AIM Filter (http://www.ssnbc.com/wiz) to protect yourselves. A temporary solution is to go into your Preferences and in the Privacy section click "Allow Only Users on My Buddy List" under "Who can contact me."
...and now everyone has your mail!
Since we all know the holes won't stop here, anyone who wishes to further investigate problems can start their research here and here.
...only windows machines. get your facts straight.
This does not affect the
non-Windows versions, because the non-Windows versions currently do
not yet support the feature that this vulnerability occurs in.
From the website:
"this does not affect the non-Windows versions"
The guy spends most of his time bashing the DMCA and how hard it makes to offer patches to this sort of thing without AOL's permission:
From the NTBugtraq letter:
First, the Digital Millenium Copyright Act affects circumvention of anti-piracy mechanisms and reverse engineering. If a product is released in binary form only (i.e., AOL) to protect its technologies and one attempts to reverse engineer the file, it's a violation of the DMCA. It's no question who the lobbyists behind this law were: the big corporations. Not surprisingly, AOL Time Warner was one of the DMCA's biggest supporters. Find out more information about the DMCA at http://www.anti-dmca.org.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
--
I Hit the Karma Cap, and All I Got Was This Lousy
Given that the message states AOL will do a server side fix in a day, why not wait ONE DAY before releasing the exploit details.
Perhaps the former was a result of the latter? There's a concept called "lighting a fire under their ass".
http://www.w00w00.org/advisories/aim.html is a better link.
Hey, if you guys want open-source IM, check out http://www.jabber.org The server is open-source and it's a distributed XML-based network. Lots of different, cool clients too. JabberIM for Windows, and Gabber for Linux are the most mature ones though. There are bridges to the AIM and ICQ networks available on some servers, but the ones on Jabber.org have been blocked by AOL... nice huh?
I stopped using ICQ years ago because it was so script-kiddie friendly and AIM not long after. I'm quite happy using Jabber with a gateway to Yahoo Messenger, thankyouverymuch.
this is getting old and so are you
blog
The abstract for the article is in error: it reads, "The non-profit security team w00w00.org started off 2002 by uncovering a serious flaw in AOL's Instant Messenger protocol... This flaw can enable remote users to execute code on any machine logged into the AOL IM service.". The flaw isn't in the protocol itself but in the client, and therefore doesn't actually affect "any machine logged into the AOL IM service". It sounds like AOL is going to prevent the sending of exploit packets at the server level to avoid requesting all of their Windows users to upgrade, but those of us using Linux or another OS should be fine regardless.
Love justice; desire mercy.
Or maybe they just hate AOL like I do and want to make them squirm...
GTRacer
- No AOL on my IP-enabled PS2, THX!
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
ALWAYS, if the protocol isn't openly documented and severely tested over a communications line for security it is insecure.
I recommend the majority of people I deal with use jabber (this is not some plug for jabber; it's just at the end of the day, it's more secure and yet accomplishes the same goal AIM etc etc have)
If you are using AIM, do yourself a favor a pickup a jabber client, you won't be sorry.
How about the "you got mail" dude do one that says "j00 g0t 0wN3D"!
One of Many Instant Messenger Exploits (MIME for short), I'm sure.
{if you are going to assinate a Mime, would you use a silencer?}
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
The problem is in the implementation, not in the protocol. If it were in the protocol, that would make all clients at risk. As it is, only the official Windows client is vulnerable, because it implements game requests without checking for buffer overflow. I really don't understand why people still write code this way -- buffer overflows are so easy to prevent.
Somewhat (but only somewhat) offtopic: why on earth doesn't ./ at leas browse through the links they post? It's not like they don't have the manpower. If they'd even looked at the article, they'd have caught this...
AOL is deeply committed to your security. We use state-of-the-art technology to keep your personal information as secure as possible. We also have put in place privacy protection control systems designed to ensure that the personal data you share with AOL is safe and private. In addition, AOL keeps your password strictly confidential, and all authentication for the Service is performed on AOL's secure servers. Sites participating in the Service may not collect or store AOL password information.
From this site.
Light cup, beer drink, thin so chain, neck turtle fat, man I won't say it again
I've recently started using trillian (www.trillian.cc) for all my IMing needs... (yes, it does connect to the AIM server, among others such as MSN messenger, yahoo, and ICQ) I'm assuming it probably doesn't have this flaw, which is obviously a nice feature. And as far as I know, it's the only really solid alternative to a) having a billion separate IM programs b) using hated AOL software.
Once upon a time...
One of ICQ's was a login buffer overflow. Basically if you used licq or a NON-Mirabilis version, you could login as anyone just by using a password longer than 15 chars (IIRC).
Ok so I used it once to send two of my coworkers homo "I like to watch your ass" emails from each other...
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatently stolen sig)
well, here's yet another reason to be using TOC (as opposed to Oscar, the newer of the two AIM protocols.) TOC is/was an open protocol, and i've had very little problem with it. admittedly, it doesn't have all the "features" that Oscar has, but if all you want is chat, and you don't care a whole lot about file transfers, et al. TOC is more than sufficient. plus, unlike Oscar, AOL doesn't seem to arbitrarily change the protocol. And it seems to be more stable, server-side. I've had countless instances of hearing the dispaired cries of "AIM is down" from throughout my dorm without having a problem. TOC goes down occasionally, but not nearly as much, from my experience.
as for clients, i recommend Gaim for Linux. You can select the TOC protocol in the Account Editor window.
<asbestos>yes, i know there's a million things that Oscar can do that TOC can't. but I don't care. TOC just works better from my experience, especially when clients have to release new versions to work around AOL changing the Oscar protocol slightly in order to screw over MS.</asbestos>
#define F(x) int main(){printf(#x,10,#x);}
F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
Change that annoying incomming Email .wav file...
"You've got nailed"
--- Metamoderating abusive downgraders since my 300th post.
This has got the best PR response I've ever seen to one of these holes:
From the Washington Post Story
A security hole in AOL Time Warner's Instant Messenger program used by millions of users worldwide can let a hacker take full control of a victim's computer, according to security researchers and the company.
An AOL spokesman said the problem will be fixed soon, and users won't have to download anything.
Great idea! Why make the user download and test a patch? We can just use this hole that gives us full control of a vitim's computer...
Viv
Gmail invites for ip
All of these actions could have theoretically been done in the name of improving security but in the short-term all they do is recklessly endanger it.
These actions wouldn't fly in the real world without legal repercussions. And how can you claim that they are done in the interest of the public when so much anonymous public damage could result in the short-term? Is there anyone out there who really believes this isn't being done to take a stab at big corporations for big corporations' sake, by individuals who thrive in the gray area of the law?
There is at least one long-term upside to w00w00's actions, though. Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.
I am not an OSS zealot although I do dual-boot Mandrake.
I hate AOL because of their incredibly asinine advertising! "Everyone I know is on my Buddy List!" Maybe it's time for more friends! I used AOL 3, 4 and 5 at work and at home and despised the branding tricks and limitations on the Internet experience.
I also loathe the way it seems (my perception - may not reflect reality) they feel their users need a prepackaged community because they're simpletons who don't need a better, deeper Internet experience. Kinda reminds me of various SF dystopias where the general populace is kept just smart enough to be useful but not enough to be critical thinkers and therefore dangerous to the status quo.
GTRacer
- Equal-opportunity company basher!
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
This is under the mindset that the people who read this will actually be using the exploit, rather then defending themselves from it, which is how I read it. As a user on AIM, I find it very helpful that it was released so that in the one or two days it takes to patch this, I don't get fucked over.
"The non-profit security team w00w00.org..."
Oh, so the 1337 are going the non-profit route? Nice to see that they are going somewhat legit here, but are we going to see mass-defacement support drives once a month looking for donations, a la PBS? Are they going to only release their best exploits during these fund drives? And how much do I have to donate to get reach the benefactor level where I get the "Bill Gates unrestricted Amex card" number as a gift of thanks?
More importantly, did Microsoft "give generously" during the "Here's how to hack AIM" episode of "Sesame Street"?
"Today's Sesame Street was brought to you by the letters M, S, N, and the number 1."
it's different because you can't download a new keypad for your security system or car, but you can easily download and apply a patch for a program. it's a matter of distribution.
additionally, in your analogy, for each poster up on the telephone pole, they would have included a box full of replacement keypads (or whatever) to fix the problem; w00w00 did list a place to download a proxy that will serve as a temporary fix. it's allowing people to be able to make the decision to protect themselves, instead of being subject to the whims of Big Bad Corporation X's product life cycle.
just the old regulated security VS. freedom debate.
Can someone please explain to me the moral or ethical mandate that supports/justifies this sort of vigilante thinking?
I'd like to start by stating that I don't condone w00w00's (gad what a name) actions, I was simply offering a possible answer to a question (which, for some reason, got modded up all to hell. I guess the SlashThink mindset agrees with all that appears to screw corporations).
Now, in an attempt to answer your question - I think this sort of thing is defnitely a free speech issue, and I think in some cases it's justified.
Let's take your example of a GM exploit - if I discovered such a thing and called GM about it (even if I were a registered/certified GM mechanic) - how many layers of corporate denial, obfuscation and red tape do you think I'd encounter? After all, a recall to fix the problem is going to cost some green, and I'm just some schmuck mechanic. So how long do you think it would take GM to fix the problem, versus the amount of time that someone who liked stealing cars figured it out?
If instead of calling GM I phoned the local TV stations and demonstrated the problems - do you think that would speed up a GM recall? I sure do.
Does this hurt the corporation? Yes. But then it was the corporation that created the exploit, or failed to close it. You reap what you sow.
And how can you claim that they are done in the interest of the public when so much anonymous public damage could result in the short-term?
The same could be said about an internet article that explains how to pick locks. Should such sites be shut down, in the name of the public interest?
Their actions will hasten the approval of legislation which makes online reckless endangerment as criminal on the Internet as it is in your neighborhood.
Which is the greater endangerment: the discription of an exploit, or the exploit's existance?
Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover's actions are irresponsible. "I think it's better to provide details of the exploit and then let other people write the actual code," Cooper said. "Unfortunately, these are fundamentally naive people with a very childish view of the world."
Hmm. Anyone else sense a little hostility from the for-profit security industry...?
-------------------
This is my SIG. There are many like it, but this one is mine.
when the industry has a history of ignoring security breachs, or trying to hush them up, it become nessessary to take such actions to protect the people.
The Kruger Dunning explains most post on
AIM Filter being the program that, if not a trojan, at least has various remote access abilities.
See the bugtraq archive for more information.
Amusing that its use is recommended in the security advisory.
They did wait, AOL ignored them.
We contacted the AOL Instant Messenger group but never received a
response. Normally we would be inclined to provide a fix, but it is
illegal to reverse engineer the AIM executable (DMCA and AIM's license
agreement to thank), so we are unable to provide a patch which will
modify it. Instead, we recommend Robbie Saunder's AIM Filter
(http://www.ssnbc.com/wiz/) to protect yourselves.
Please get the full story before you post shit.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Information security tends to take a far back seat within the corporate world. Doesn't matter if it is management, administration, or development - infosec is a secondary thought if its even considered.
Part of this is the specialized knowledge required to handle infosec issues (not that it couldn't be widely aquired). It takes a concious effort to implement a secure system. This is often considered additional effort. And additional cost.
Another part of the puzzle is a general disbelief anyone could discover a vulnerability and would bother to take advantage of it. This discounts the number of technically minded individuals your infrastructure is exposed to on the net (compounded by automating attacks). It also ignores that even trivial applications can cause considerable damage (I have some friends working infosec for large corporations who went in to high gear with this announcement - AIM exists in many environments).
Finally, infosec is rarely a consumer requirement. Functionality is what sells widgets. Unless the widget is touted as being secure (even IF its supposed to be secure), security won't sell as many widgets if the widgets don't blink and beep nicely. Thus infosec isues are not pushed during initial development.
So now it gets bloody. Damage gets done. Consumers begin to see how these strange little issues cause them pain. They begin to demand better, more secure products. Product goals begin to include infosec. Better products get produced.
And those who would take advantage of vulnerabilities... quietly and to personal gain (or even loudly and publically) have fewer and fewer targets.
And its possible more attention will be paid to those who build faulty, and ultimately dangerous, data infrastructures. Maybe even legal liability.