AOL Instant Messenger is always going to be a security risk for companies.
AIM, the most popular instant messaging (IM) service, has seen rapid
adoption rates among Gartner's corporate clients. But America Online did not design it
and does not maintain it with the enterprise in mind. AIM suffers outages
and provides very little assurance of privacy as messages and other
information traverse AOL's networks.
See news story: AOL plugs AIM security hole
The newly discovered buffer-overflow vulnerability raises the specter of a worm causing damage to desktop machines within a company. A multiheaded payload could then propagate over the corporate network via shared files and corporate e-mail. In the past, other vulnerabilities in AIM typically have allowed the hijacking of screen names.
As used today, IM presents several security problems:
Information leakage. In other words, IM creates a communication channel that the company can't control by traditional means available at the firewall or the mail gateway.
Legal exposure. This problem arises when employees use IM to make comments that they feel may be "off the record" but are actually stored locally or on a server, and thus may be discoverable in a legal investigation.
Identity masquerading. This problem is possible if someone spoofs a screen name, sends messages out under another person's name and thereby causes havoc with relationships inside the company.
Today, most companies struggle to devise the best policy regarding IM. As with any means of communication, instant messaging provides productivity gains to the extent that workers can more easily share information and collaborate. At the same time, workers can misuse this conduit and turn it into a distraction. Enterprises that decide to restrict IM usage face the task of blocking the specific ports and IP addresses used by the major services. AIM is difficult to block because it communicates with AOL servers through port 80, which is open through most firewalls to allow Web browsing.
Gartner recommends that all AIM users change their privacy settings to "accept messages from buddies only."
(For a related commentary on instant-messaging security problems, see Gartner.com.)
Entire contents, Copyright © 2002 Gartner, Inc. All rights reserved. The information contained herein represents Gartner's initial commentary and analysis and has been obtained from sources believed to be reliable. Positions taken are subject to change as more information becomes available and further analysis is undertaken. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of the information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof.