Information Security News mailing list archives

RE: Instant Messenger flaw fixed; hackers criticized for little warning


From: InfoSec News <isn () c4i org>
Date: Mon, 7 Jan 2002 01:31:11 -0600 (CST)

Forwarded from: McDonald Patrick <mcdonald_patrick () bah com>

Unbelievable, AOL writes poor code throughout not just one but several
versions of its Instant Messenger program and Ian Hopper portrays
w00w00 as the villain.  w00w00 provides AOL with free research and
exploit code and a week's worth of time to formulate any sort of
response.  If AOL had responded to the advisory to say they were in
the process of reviewing it, I could understand the outcry.  How long
does it take to send an email stating, "We received your advisory;
someone will be contacting you within X days"?  You can automate that.
At least then AOL could have pretended they made the attempt to patch
this quietly.

AOL is obligated to its customers to investigate problems, which
affect their security, not w00w00.  Matt Conover and company notified
people that they were vulnerable and provided assistance for those
wishing to protect themselves.  AOL did nothing of the sort of which I
am aware.  No notification on its home page or the instant messenger
download page was made.  AOL requires an email address to establish
an IM account.  As Jericho pointed out with Microsoft, this could be
used to allow AOL to notify customers.

In fact, one could be led to wonder if AOL would have said anything if
w00w00 had gone public.  "AOL spokesman Andrew Weinstein said. 'To our
knowledge, no users were affected by this issue prior to its
resolution.'"  How would Andrew Weinstein know this?  We know from my
above paragraph that AOL did not contact any users about the
vulnerability.  How is Joe Snuffy user supposed to know that his
computer was hacked by an IM exploit?  What Andrew should have said
was, it's a good thing no one could trace hacks of machines via IM
back to us.

As for Matt Conover supplying exploit code, Russ Cooper needs to wake
up. Is Matt Conover the only person capable of writing the exploit?  
Highly unlikely.  Could Matt's program have aided script kiddies?  
More than likely.  Could Matt's program help computer users?  Most
assuredly.  It allows people to verify whether the advisory is correct
(how many times have we seen advisories that are outrageously wrong or
suffer from slight errors), whether their systems are vulnerable,
and later whether the patch worked.  Hell, AOL could have used it the
moment they received w00w00's email to prove they had a problem.  I am
sure AOL used it to test IM once they patched it.

Thanks to those who read my little rant.  Feel free to send comments,
criticisms, and such. 

Pat


-----Original Message-----
From: owner-isn () attrition org [mailto:owner-isn () attrition org]On Behalf
Of InfoSec News
Sent: Friday, January 04, 2002 6:04 AM
To: isn () attrition org
Subject: [ISN] Instant Messenger flaw fixed; hackers criticized for
little warning


http://www.nandotimes.com/technology/story/209997p-2027064c.html

By D. IAN HOPPER, Associated Press

WASHINGTON (January 3, 2002 1:07 p.m. EST) - As AOL Time Warner
engineers opened their presents and spent time with their families, a
team of young hackers planned a holiday surprise: exposing a major
security hole in one of the company's flagship programs.

The international group released a program that turns AOL's Instant
Messenger into a key that could unlock many home computers. Now the
hackers are being criticized by security experts for not giving AOL
sufficient time to react.

The group, founded by a 19-year-old Utah college student, discovered a
security hole in AOL's Instant Messenger program that can let a hacker
take control of a victim's computer, the company confirmed Wednesday.

AOL fixed the problem at its central networks Thursday.

"The issue was resolved early this morning and was handled on the
server side, so users do not have to download anything or take any
other action," AOL spokesman Andrew Weinstein said. "To our knowledge,
no users were affected by this issue prior to its resolution."

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.