Security trips up instant messaging

Both MSN Messenger and AIM have had security holes uncovered recently, and experts say that Yahoo IM is requiring people to run with less security. What's going on?

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
Matt Conover worries that malicious Net users may know something about instant messaging that he doesn't.

Related story
Open IM cries fade

The three majors are
doing fine on their own.

The hacker and security expert, who specializes in finding holes in instant messaging clients, publicized a flaw in AOL Time Warner's messaging application a week ago. Because he gave the company advance warning, AOL had fixed the problem and people remained secure.

It's the bugs that AOL and its rivals don't know about that worry Conover.

"There are people out there that know about holes, and they aren't telling," Conover, who hunts bugs with security group w00w00 and works for network-protection company Entercept Security Technologies, said at the recent CanSecWest conference in Vancouver, British Columbia.

As instant messaging has rapidly become a fixture in desktop computing, security mavens have focused more closely on the security problems posed by the relatively young application. So far, it's not a pretty picture. In the past week, security experts have found flaws in AOL Time Warner's Instant Messenger and in a component installed by the Microsoft Network's Messenger application.

"It's just more bad application security," said Marc Maiffret, chief hacking officer for network consultancy eEye Digital Security, the company that found last week's MSN Messenger flaw. "The flaws that have been out there--they're still suffering from buffer overflows and stuff."

Yahoo's instant messaging application hasn't escaped flaws either. A requirement that Yahoo IM users configure Internet Explorer to accept scripts from all domains on the Web opens up a security hole that hackers and worms could use to infect systems, CNET News.com discovered. Scripting, such as JavaScript and Active Scripting, is added to Web pages for interactivity and to extend functionality, such as adding database access. However, malicious Web pages and viruses can use a browser's scripting features as a pathway to the user's PC.

Yahoo maintains that allowing scripting is the norm for today's Internet users. The company believes "JavaScript can be employed while still providing a safe and rich experience for our users," said Yahoo spokeswoman Mary Osako. "The vast majority of Internet users have JavaScript enabled as part of their default setting."

Yet by directing users to accept scripts from the entire Internet, rather than just from the servers that need to send scripts to make the "rich" features of instant messaging work, Yahoo puts users in additional peril.

"Such settings aren't the best security practices," said Vincent Weafer, director of security response for antivirus software company Symantec. "Now my browser is in open mode, and I'm in danger of being infected from a malicious Web site."

The Nimda worm took advantage of just such a hole. Once the worm infected a Web server, it attempted to add JavaScript to every home page on the server. Visitors to the sites could be infected if their computer ran the script.

"There certainly haven't been too many active exploits of JavaScript," said Symantec's Weafer. "It's not a huge problem, but it's certainly a risk that you are running on your machine."

Reiterating Yahoo's focus on security, Osako said the company's security team would take another look at the issue.

Jeremie Miller, creator of the Jabber instant messaging system, blames the lack of a remedy on the cutthroat competition between the IM service providers and their desire to keep their competitors out rather than focusing on adding security to their IM protocols.

"These systems aren't hard to secure at all," Miller said. "However, security doesn't seem to be their goal; they're just trying to create a service."

The open-source Jabber has slowly grown to become a messaging protocol used by several large companies, such as Walt Disney, as well as by the open-source community. However, like other independent instant messaging services, Jabber frequently finds itself blocked from sending messages to the users of other systems.

Miller also said that the closed systems created by Yahoo, Microsoft and AOL tend to lead to less attention to development, and thus to more bugs. Jabber, on the other hand, being open source, has had a lot of criticism.

"When you are dealing with internally developed protocols and systems, you are dealing with obscure dark corners," Miller said. "In the process of developing any open protocol, any open standard, there is a lot more scrutiny."