w00w00 --AOL msgr gets buffer overflowed

Anonymous nobody at remailer.privacy.at
Wed Jan 2 16:18:06 PST 2002


New Hole Could Hurt AOL Messenger

http://www.washingtonpost.com/wp-dyn/articles/A52687-2002Jan2.html

By D. Ian Hopper
   AP Technology Writer
Wednesday, January 2, 2002; 3:09 PM

   WASHINGTON  A security hole in AOL Time Warner's Instant Messenger program used by millions of users worldwide 
can let a hacker take full control of a victim's computer, according to security researchers and the company.

An AOL spokesman said the problem will be fixed soon, and users won't have to download anything.

"We have identified the issue and have developed a resolution that should be deployed in the next day or two," AOL's Andrew 
Weinstein said. "To our knowledge, this issue has not affected any users."

The problem affects newest versions as well as many earlier iterations of AOL's Instant Messenger program.

Discovered by a loose team of international researchers called 'w00w00,' the hole is a "buffer overflow," like the problem recently 
found in Microsoft's Windows XP.

By sending a stream of junk messages to the program, a hacker can overwhelm the software and make the victim's computer run 
any commands the hacker wants.

"You could do just about anything, (you could) delete files on the computer or take over the machine," w00w00 founder Matt 
Conover said.

Conover said w00w00 has over 30 active members from 14 states and nine countries. Until AOL's fix is released, Conover said, 
Instant Messenger users should restrict incoming messages to friends on their "Buddy List."

"It will at least keep someone from attacking you at random," Conover said, but it wouldn't help if the attack code is added to a 
virus that propagates without the victim's knowledge. AOL said it has not given its users any advice in the interim.

Conover said the group found the problem several weeks ago, but didn't contact AOL until after Christmas. The group didn't get 
any response from AOL through an e-mail during the holiday week, he said, so w00w00 released details  and a program that 
takes advantage of it  to public security mailing lists less than a week later.

The program released by w00w00 remotely shuts down a person's Instant Messenger program, but could be modified to do 
more sinister things.

That practice is under scrutiny by security professionals. While some independent researchers argue for a "full disclosure" policy 
and say software vendors are trying to cover up their mistakes, many companies say users are better protected if the company has 
time to react.

Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover's actions are 
irresponsible.

"I think it's better to provide details of the exploit and then let other people write the actual code," Cooper said. "Unfortunately, 
these are fundamentally naive people with a very childish view of the world."

Cooper said he let Conover send the information out through his mailing list, but only did so after noticing it was released through 
other channels as well.

Conover said w00w00 set a New Year's deadline for sentimental reasons, because it was the anniversary of the group's last 
major security release. He defended the disclosure of the attack program.

"This is the approach that w00w00 has historically taken to the problem," he said. "For us it means providing all the information 
we have available to the security community."

AOL's Weinstein said the company would have appreciated more warning.

"We'd encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it," Weinstein 
said.





More information about the cypherpunks-legacy mailing list