Administrivia & AOL IM Advisory

[Elias Levy <aleph1 () SECURITYFOCUS COM>]

At least another author of security bulletins decided to go a similar
route as Microsoft did with their email security notices. Last week
@Stake, the company that acquired the L0pht, posted to the list
a security notice that consisted of a title, affected products,
a link to their web advisory and little more. At the time I refused
to approve the message.

In what they view as a compromise they decided to change their email
notices to include more information. Bellow you can find the message
@Stake sent regarding vulnerabilities in AOL's Instant Messenger.
That difference between it and the version on their web site is that
the email version lacks the Detailed Description and Solutions section
of the advisory. Please review the attached advisory and the web
version.

After some discussion I still don't understand the reasoning behind
the change. I am told it is because they wish to maintain control
over the information they publish.

> From my point of view such change does not benefit the BUGTRAQ
subscribers. I understand some folks may wish to receive a
short summary of the vulnerability with a link were to find
more information, but historically in BUGTRAQ we like people to
publish as much information and as detailed information as possible.

BUGTRAQ is more than just an announcement mailing list, its a
discussion list (even if some of that has been cut down in recent
years). Putting aside the arguments that some people may be able
to get email but not access the web and the fact that its a nuisance
to have to open your browser instead of reading the information in the
the message you have in front of you, this change breaks the continuity
of discussion in the list.

Such change means that after you read the web version of the advisory
to obtain the technical details if you want to comment on it you
must now copy and paste the relevant part of the advisory into a
new message instead of simply hitting the 'reply' key.

Imagine if all advisory publishers decided to make this change.
I fear such change would create friction that would diminish
valuable discussion on the list and erode the BUGTRAQ community.

The folks at @Stake and L0pht have done a lot of the security
community. Maybe my fears are unfounded and I am making of this
more than it really is.

With this in mind I'd like to ask you, the list subscribers, for
your opinion. Is the new format proposed by @Stake, which includes
a summary and vendor response section and a link to their web site
for further information but not a detailed explanation and
solutions section, sufficient and I should approve such messages?
Yes/No?

Please reply to me and not to the mailing list. Please respond whether
you feel one way or the other.

Their advisory:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                            @stake Inc.
                          www.atstake.com

                   Security Advisory Notification

Advisory Name: Multiple Vulnerabilities in AOL Instant Messenger
 Release Date: 12/12/2000
  Application: AOL Instant Messenger versions prior to
               4.3.2229
     Platform: Windows 2K (9x, NT likely, Others unknown)
     Severity: There are several buffer overflows that can
               result in execution of arbitrary code.
      Authors: Dildog [dildog () atstake com]
               Dave Aitel [daitel () atstake com]
               Patrick Upatham [pupatham () atstake com]
Vendor Status: vendor has fixed version available
    Reference: www.atstake.com/research/advisories/2000/a121200-1.txt


Overview:

AOL Instant Messenger (AIM) is a popular messaging client for Windows,
with over 64 million users according to
'http://www.aol.com/aim/home.html'. AIM ships by default with current
versions of the Netscape Communicator web browser, as well as a standalone
download.

There exist application weaknesses that allow these machine with AIM
installed to be remotely taken over by external attackers. It is important
to note that you do not need to be running AIM but merely have it installed
to be vulnerable.  We include URLs in our detailed description that you
can use to check if you are vulnerable.

Scenarios such as receiving malicious HTML e-mail or visiting a malicious
web site have been shown in our labs to enable the execution of arbitrary
code on a vulnerable target machine.

This potentially places environments using the AOL Instant Messenger at
grave risk. As these vulnerabilities are a result of client-initiated
communications, most corporate firewall configurations do not guard these
environments from attack.

Should a vendor patch not be available or not function to the needs of
your particular environment, we offer several alternative measures in this
advisory to help mitigate portions of this risk.


Vendor Response:

We initially contacted AOL on 11/22/2000 regarding this issue. They have a
fixed version, 4.3.2229, dated 12/6/2000 available now.  We appreciate
their timely response. Here is their reply:

 Thank you for your report concerning AOL Instant Messenger.  We were
 aware of the situation you described and are already QA'ing a refresh
 client that resolves the issue.  The refresh version of the AOL Instant
 Messenger is expected to be posted within the week and will be available
 for download at

 http://www.aol.com/aim/home.html.

 We appreciate your efforts to inform us of your findings.


Advisory Reference:

http://www.atstake.com/research/advisories/2000/a121200-1.txt

** The advisory contains additional information not included in this
** advisory notification.  The advisory contains the detailed description
** and solutions to the vulerability.
**
** All vulnerablity database maintainers should reference the above
** advisory reference URL to refer to this advisory.


For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.




-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOjZcplESXwDtLdMhEQIQ+QCfV86iwKyyqcElaLFz2IzVshUmyn0An3mf
qwqnoEmehV1G488lH0j6YyoG
=UQKb
-----END PGP SIGNATURE-----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum