Information Security News mailing list archives

AOL's AIM Puts Browser Security in Danger


From: InfoSec News <isn () c4i org>
Date: Wed, 24 Apr 2002 00:50:02 -0500 (CDT)

http://www.internetnews.com/dev-news/article/0,,10_1014151,00.html

By Bob Woods
April 23, 2002

Attention AOL AIM users -- you've got a pushy program.

The installation process of AIM on a PC covertly forces Microsoft
Internet Explorer (IE) browsers to accept "Welcome to America Online"
at free.aol.com as a "Trusted site," according to an article in
Security Wire Digest.

Automatically designating the free.aol.com site as a Trusted site
allows AOL to install cookies and even run code on a user's PC without
their knowledge. Internet Explorer's Trusted sites zone contains
"sites you believe you can download or run files from without
worrying about damage to your computer or data," according to IE's
Help file on Trusted zones. "The default security level for the
Trusted sites zone is Low, therefore, Internet Explorer will allow all
cookies from Web sites in this zone to be saved on your computer and
read by the Web site that created them."

What's more, when a Web site is in the Trusted zone, the user is not
alerted when a cookie or file from it is downloaded to their PC.

InstantMessagingPlanet confirmed the compromise on one of our own PCs.

Rich Mogull, a senior analyst in the growth strategies practice of
Gartner Group's GartnerG2 unit, says AOL's action violated all three
elements of trust: intent (the desire to operate within the boundaries
of an agreement), capability (the ability to fulfill the intent) and
communication (the ability to instill belief in these abilities within
the consumer/business partner).

"Businesses that allow the use of AOL Instant Messenger are also
forced to trust AOL servers, despite whatever security and privacy
settings (those businesses) have in place," Mogull said. "By forcing
browsers to trust AOL, it violates the boundaries of the users'
understanding of the relationship ... By making these changes without
notifying the user, AOL has failed to communicate either intent or
capability."

AOL's practice is particularly troubling, Mogull said, because the
trusted-site entry exposes users to an insidious and well-known attack
known as "cross-site scripting," in which an attacker injects malicious
code onto a system by disguising it as legitimate code from
free.aol.com.

GartnerG2 (and InstantMessagingPlanet) recommends that companies
carefully evaluate their policies on employee use of downloaded
software and services. They should also employ security mechanisms to
limit the damage that unapproved trust relationships may cause. And a
company's IT staff should evaluate terms and conditions for any free
or commercial off-the-shelf software used within the enterprise.

Also, AOL's action can be undone directly from the IE browser. To
start the process, a user should go to the Tools menu and select
"Internet Options." By clicking on the "Security" tab, highlighting
"Trusted sites" and then clicking on the "Sites" button, a list of
Trusted sites appears. Highlighting the "free.aol.com" site and
clicking "Delete" rids the browser and the user's PC of the security
problem.
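A scripted equivalent of the manual clean-up above, added here as an example and not taken from the article or from AOL's software: it lists every host mapped into the current user's Trusted sites zone, so an entry such as free.aol.com that the user never added stands out, and it can remove a named host. The registry layout and the zone id 2 for Trusted sites are IE's well-known conventions, assumed here rather than stated in the article.

```powershell
# Added example: audit (and optionally clean) the IE Trusted sites zone.
# Assumption: IE keeps per-user zone assignments under the well-known key
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
# as Domains\<domain>\<host> subkeys; each value is named by scheme
# (http, https or *) and holds a DWORD zone id (1 intranet, 2 trusted, 4 restricted).
param(
    [string]$RemoveHost   # e.g. 'free.aol.com'; omit to only report
)

$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedZone = 2

function Get-TrustedSiteEntry {
    # Walk every Domains\<domain>[\<host>] key and emit each scheme value
    # that maps to the Trusted sites zone.
    Get-ChildItem -Path $ZoneMap -Recurse | ForEach-Object {
        $key = $_
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq $TrustedZone) {
                # Key path stores 'aol.com\free'; reverse it back to 'free.aol.com'.
                $rel   = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
                $parts = $rel.Split('\')
                [array]::Reverse($parts)
                [pscustomobject]@{
                    Host   = ($parts -join '.')
                    Scheme = $scheme
                    Key    = $key.PSPath
                }
            }
        }
    }
}

$entries = @(Get-TrustedSiteEntry)
if ($entries.Count -eq 0) {
    Write-Output 'No hosts are currently in the Trusted sites zone.'
} else {
    Write-Output 'Hosts in the Trusted sites zone (verify each one was added deliberately):'
    $entries | Format-Table Host, Scheme -AutoSize | Out-String | Write-Output
}

if ($RemoveHost) {
    # Remove only the scheme value(s) for the named host, leaving other entries intact.
    $entries | Where-Object { $_.Host -eq $RemoveHost } | ForEach-Object {
        Remove-ItemProperty -Path $_.Key -Name $_.Scheme
        Write-Output "Removed $($_.Scheme) mapping for $($_.Host) from the Trusted sites zone."
    }
}
```

Run it without arguments to audit, or with `-RemoveHost free.aol.com` to undo the installer's change for the current user; run it under each affected user profile, since the mapping is per-user.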

AOL officials were not immediately available for comment on this
story.

Security Wire Digest also reported earlier this month that a new
IM-based worm is gaining ground by offering "free porn." The worm,
which the publication called "low-risk" and which is spread by both
AIM and IRC clients, is called W32.Aphex@mm or W32.Aplore@mm. It
spreads in the chat window area through a hyperlink consisting of a
single period, with an attachment named
psecure20x-cgi-install.version6.01.bin.hx.com.

If a user runs the program it drops a Visual Basic (.vbs) script and
then uses standard techniques to mass-mail itself to all addresses in
the user's Microsoft Outlook address book. The worm also connects to
some IRC channels and attempts to infect IRC users. Blocking .com
attachments in a user's IM client can help mitigate the risk, and the
worm doesn't carry a destructive payload.

Bob Woods is the managing editor of InstantMessagingPlanet.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

