nanog mailing list archives

Re: AOL fixing Microsoft default settings


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: 24 Oct 2003 08:31:04 -0400


On Fri, 2003-10-24 at 00:22, Jared Mauch wrote:
On Fri, Oct 24, 2003 at 12:13:59AM -0400, Sean Donelan wrote:
http://www.securityfocus.com/news/7278

How many other ISPs intend to follow AOL's practice and use their
connection support software to fix the defaults on their customers'
Windows computers?

      Sounds good to me.  The potential for these users
to be less-than-educated enough about the existence of
this "feature" means that the potential for this to
increase the overall network security is a good thing.

Does anyone know anything about what security has been put in place for
this? These quotes troubled me:

"So two weeks ago, AOL began turning the feature off on customers'
behalf, using a self-updating mechanism in AOL's software."
<snip>
"Users are not notified of the change..."

Is this "mechanism" an SSL connection? HTTP in the clear? AIM? Is it
exploitable?

I think the intention is admirable, but it has the potential to be a
real nightmare if implemented incorrectly. The fact that it can all
happen without the knowledge of the end user means even a savvy user
could get whacked if the underlying structure is insecure.

C






