Slashdot Mirror
Microsoft Surrenders IM War, Claims Security Risk
calibanDNS writes "The BBC is running an article about Microsoft surrendering in its instant messaging war with AOL. According to the article, the latest version of AOL's instant messaging software 'blocks interoperability by exposing a very serious security bug in its software.'"
MS would prefer it not be called a surrender, of course; see also the
Nando Times article
which hints at running arbitrary code on the client. Is this FUD, or will we carry a story next week about a new AOL IM exploit?
MS has some points, but it's blowing smoke on one issue. A single IM standard will not allow MS clients to communicate with AOL clients. The reason is simple: to communicate with AOL clients you need to use AOL servers. AOL has the right to prevent non-AOL subscribers from using it's servers. And if you think that's wrong, think about other servers. Your ISP has it's mail servers configured to prevent anyone but it's subscribers from using them to send mail. ISPs that don't end up on the RBL. They probably also have them configured to not handle mail from certain domains, typically to block incoming spam. They probably have their news servers configured similarly, so that only their subscribers can read news off of them. Why should IM servers be different?
A single standard would be neccesary, but if MS wants their subscribers to be able to talk to AOL's subscribers, they need to negotiate a contract with AOL to have AOL's servers carry MS's traffic. Which, to date, MS has shown no apparent interest in doing.
The AOL IM actually has a buffer overflow exploit present. Basically whenever an AOL client connected to the server, the server smashed the stack and executed a piece of code that would send a packet back to the server. This let AOL change the authentication on the fly without updating the client. Of course, it also opened up some security holes. This was discussed on bugtraq in August.
"When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
Microsoft could keep their hands out of this.
My friends and I all have AIM.
Ok, if multiple vendors wish to put out various chat software, at least allow them to communicate with each other.
"Hey Bob, I thought you said you would be on AIM last night. I had to talk to you."
"Well, I tried the new Yahoo chat. It's cool. Only thing is, my wife Brenda likes eShare chat she just found."
WTF?
The above post is an editorial, the poster cannot and will not be held responsible for all or in part for it's contents
My concern is that AOL did not release a patch after this became public knowledge. Everybody knows there's a bug in that client. Sending executable code over the wire is never a good idea on something as woefully under-authenticated as tcp/ip. I have nothing but contempt for AOL - and I'm extremelly worried that they might do something equally stupid with other products - such as the AOL v5 client now shipping. How many buffer overflows does *that* thing depend on, or what is being sent over the wire that their customers are blithingly unaware of?
There are more serious questions to answer than the "buffer overflow" in the client. Where is the outrage over this? This should be prime time news!
--
Jakob Nielsen's article on Metcalfe's Law offers good insight on why the segregation of different AIM clients is a bad thing, and reduces the potential value of the network.
Metcalfe's Law states that "the value of a network grows by the square of the size of the network".
Reversing this law provides:
Note to Rob: We need SUB and SUP tags allowed in /.
pooptruck
http://www.ozemail.com.au/~geoffch/s ecurity/aim/
Describes the buffer overflow AOL is using in some pretty good detail. Here's the basic idea:
When AIM connects to the AOL server, the AOL server sends back a message containing x86 executable code. This overflows a buffer in the AIM client, and the code gets run. This code creates a packet to send back to the AOL server. If the AOL server doesn't see the packet, then it assumes you're not using AIM, and boots you.
What MS's client did was see the packet containing the code, and generate the reply message WITHOUT overflowing a buffer or executing that code. But, AOL can just tweak that code on the server a bit and have a different reply get generated, while MS's client has to get updated to use that new code.
Nevertheless, this is pretty damn reprehensible on the part of AOL. If they don't want MS customers using their servers, sue the shit outta M$, don't exploit holes in your own code to do it. You fix bugs, not exploit them.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
"There are no winners," he said. "Consumers will win when an industrywide instant messaging standard is in place that ensures all users the ability to message with others regardless of which service they're using."
-Yusuf Mehdi, director of marketing for Microsoft's Consumer and Commerce Group
I just love it when Microsoft talks about open standards. It just gives me that warm, embraced, cuddly, mushy, smothered feeling.
_______________________________
Actually, it's shaping up very fast. It's extremely close to our 0.7 rewrite, which modulerizes the system and make it much more scalable.
It's also the only system currently that will be able to support the IETF standard for an open namespace 'out of the box', simply becouse of it's design..
-- I'm the root of all that's evil, but you can call me cookie..