AOL scurries to fill AIM hole

The company pledges to close a security hole in its AOL Instant Messenger application that experts say could provide wiggle room for a widespread and destructive worm.

Paul Festa Staff Writer, CNET News.com
Paul Festa
covers browser development and Web standards.
Paul Festa
3 min read
AOL Time Warner on Wednesday pledged to close a security hole in its instant messenger application that experts say could provide wiggle room for a widespread and destructive worm.

AOL Time Warner said it would implement a server-side fix--meaning people will not have to download the patch--by week's end. The security bug affects AOL Instant Messenger (AIM) version 4.7 and the 4.8 beta, or test version. Only AIM users running Microsoft's Windows operating system are vulnerable.

"We've identified the issue and have developed a resolution that should be deployed in the next day or two," said an AOL representative in an interview over instant messenger. "To our knowledge, this issue hasn't affected any AIM users yet."

The AIM hole has surfaced at a period of heightened scrutiny of instant-messaging security. Although virus and worm authors have concentrated on e-mail as the preferred means of propagation, the rising popularity of instant messaging has made the technology an increasingly attractive target.

The issue came to light with the posting of an advisory by Matt Conover, a founding member of w00w00.org, which bills itself as an international nonprofit security team. Conover is also a double major in computer science and mathematics at Utah State University at Logan.

The advisory described the problem as a buffer overflow issue--one of the most common computer security glitches. The problem, which in this case affects AIM's game request function, occurs when an application crashes after being flooded with more code than it can accommodate. In a buffer overflow attack, maliciously written excess code can wind up being executed on the target computer.

In this case, Conover warned that the security hole left the door open for attackers to create a self-propagating worm that could rival the destructive Melissa, I Love You, Code Red and Nimda worms that exploited vulnerabilities in Microsoft's Outlook e-mail application and IIS Web server.

"An exploit could easily be amended to download itself off the Web, determine the buddies of the victim, and then attack them also," Conover's advisory warned. "Given the general nature of social networks and how they are structured, we predict that it wouldn't take long for such an attack to propagate."

Security experts pointed out that there have been previous vulnerabilities in IM products, but they said this was among the most serious identified to date. Instant messengers are considered a potentially dangerous delivery vehicle for worms because of their buddy lists, which offer a long list of potential new victims much like an e-mail address book.

"This could be used by someone to execute programs on a vulnerable system," said Elias Levy, chief technology officer of SecurityFocus. "A worst-case scenario could be a worm that used this vulnerability as an infection vector, and given the large population of users, the potential for damage is great. A lot of corporations allow their users to use instant messaging, so this vulnerability could be used to pierce corporate firewalls."

AIM is one of the Web's most popular applications, with more than 100 million registrations (one person can register any number of different AIM personas). A much smaller subset of that group is running version 4.7 and the 4.8 beta, but Conover used the 100 million figure to chastise AOL Time Warner for letting the buffer overflow hole slip through its quality-control process.

"The first implication is that AOL should feel the weight of responsibility and employ better software development practices," Conover wrote in his advisory.

"The developers of a product with so many users should be much more cautious and avoid overbloating with a multitude of features they didn't have time to properly test in the first place."

AOL Time Warner declined to comment on Conover's criticism.