AOL plugs AIM security hole

The company boards up an opening in its AOL Instant Messenger application that experts say could have provided wiggle room for a widespread and destructive worm.

Paul Festa Staff Writer, CNET News.com
Paul Festa
covers browser development and Web standards.
Paul Festa
3 min read
AOL Time Warner on Thursday plugged a security hole in its instant messenger application that experts say could have provided wiggle room for a widespread and destructive worm.

The company said it implemented a server-side fix, meaning that customers will not have to download the patch. As earlier reported, the security bug affected AOL Instant Messenger (AIM) version 4.7 and the 4.8 beta, or test version. Only AIM users running Microsoft's Windows operating system are vulnerable.

"No action has to be taken by users...and to our knowledge no users were affected by the issue," said AOL spokesman Andrew Weinstein.

The AIM hole surfaced at a period of heightened scrutiny of instant-messaging security. Although virus and worm authors have concentrated on e-mail as the preferred means of propagation, the rising popularity of instant messaging has made the technology an increasingly attractive target.

The issue came to light with the posting of an advisory by Matt Conover, a founding member of w00w00.org, which bills itself as an international nonprofit security team. Conover is also a double major in computer science and mathematics at Utah State University at Logan.

The advisory described the problem as a buffer overflow issue--one of the most common computer security glitches. The problem, which in this case affects AIM's game request function, occurs when an application crashes after being flooded with more code than it can accommodate. In a buffer overflow attack, maliciously written excess code can wind up being executed on the target computer.

Gartner analyst Richard Stiennon says AIM, the most popular instant messaging (IM) service, has seen rapid adoption rates among Gartner's corporate clients. But America Online did not design it and does not maintain it with the enterprise in mind.

see commentary

In this case, Conover warned that the security hole left the door open for attackers to create a self-propagating worm that could rival the destructive Melissa, I Love You, Code Red and Nimda worms that exploited vulnerabilities in Microsoft's Outlook e-mail application and IIS Web server.

"An exploit could easily be amended to download itself off the Web, determine the buddies of the victim, and then attack them also," Conover's advisory warned. "Given the general nature of social networks and how they are structured, we predict that it wouldn't take long for such an attack to propagate."

Security experts pointed out that there have been previous vulnerabilities in IM products, but they said this was among the most serious identified to date. Instant messengers are considered a potentially dangerous delivery vehicle for worms because of their buddy lists, which offer a long list of potential new victims much like an e-mail address book.

"This could be used by someone to execute programs on a vulnerable system," said Elias Levy, chief technology officer of SecurityFocus. "A worst-case scenario could be a worm that used this vulnerability as an infection vector, and given the large population of users, the potential for damage is great. A lot of corporations allow their users to use instant messaging, so this vulnerability could be used to pierce corporate firewalls."

AIM is one of the Web's most popular applications, with more than 100 million registrations (one person can register any number of different AIM personas). A much smaller subset of that group is running version 4.7 and the 4.8 beta, but Conover used the 100 million figure to chastise AOL Time Warner for letting the buffer overflow hole slip through its quality-control process.

"The first implication is that AOL should feel the weight of responsibility and employ better software development practices," Conover wrote in his advisory.

"The developers of a product with so many users should be much more cautious and avoid overbloating with a multitude of features they didn't have time to properly test in the first place."

AOL Time Warner declined to comment on Conover's criticism.

Staff writer Jim Hu contributed to this report.