AOL Dashes to Patch IM Security Hole
America Online has found a security hole in its popular messaging software that runs on the Windows operating system. A server-side fix will be implemented within days, protecting users of versions 4.7 and 4.8 beta – the two builds that are currently vulnerable. A security advisory issued by Matt Conover, a researcher at the Web site w00w00.org, identifies a buffer overrun in AIM's game request function that has the potential to give malicious users an all-access pass to run arbitrary code on a target system.
Conover, a student at Utah State University, discovered the flaw in the code that parses a game request in AIM. According to Conover, a self-propagating worm similar to Melissa, ILOVEYOU, CodeRed, and Nimda could work its way through the buddy lists of AIM users and could be adapted to dynamically download itself off the Web.
The exploit is achieved with some fairly simple coding, and can be crafted to deliver a creative payload left to the imagination of its author. There are in excess of 100 million users of AOL Instant Messenger, and there is no way to determine how many of them remain exposed to attackers until AOL implements its patch. A sample of the exploit can be downloaded from w00w00.org.
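The article describes the bug class (a buffer overrun in a message parser) but not the code. As an added illustration that is not AIM's code and does not reflect AIM's actual protocol or the advisory's details, the following C program shows a hypothetical game-request field parser written first with the unchecked copy that characterises this class of bug, then in a hardened form that validates the length before copying. The field layout, buffer size, function names and the sample request names are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size field for the requested game's name.
 * This is a constructed value, not anything taken from AIM. */
#define GAME_NAME_MAX 32

/* Vulnerable pattern, shown only to illustrate the bug class.
 * The name comes from a remote peer and is copied into a fixed
 * stack buffer with no length check, so a name of GAME_NAME_MAX
 * bytes or more writes past the end of `game`. Never called here. */
void parse_game_request_unchecked(const char *name)
{
    char game[GAME_NAME_MAX];
    strcpy(game, name);  /* no bound on the copy: the overrun */
    printf("game request for: %s\n", game);
}

/* Hardened version: reject anything that does not fit (including
 * room for the terminator) and anything containing an embedded NUL,
 * then use a bounded copy. Returns 0 on success, -1 on rejection. */
int parse_game_request_checked(const char *name, size_t name_len,
                               char *out, size_t out_size)
{
    if (name == NULL || out == NULL || out_size == 0)
        return -1;
    if (name_len >= out_size)               /* would not fit with '\0' */
        return -1;
    if (memchr(name, '\0', name_len) != NULL) /* malformed field */
        return -1;
    memcpy(out, name, name_len);
    out[name_len] = '\0';
    return 0;
}

/* Returns 1 if the hardened parser accepts `name`, 0 if it rejects it. */
int game_request_accepted(const char *name)
{
    char game[GAME_NAME_MAX];
    return parse_game_request_checked(name, strlen(name),
                                      game, sizeof game) == 0;
}

/* Builds a constructed name of n 'A' bytes and reports whether the
 * hardened parser accepts it. Returns -1 only on allocation failure. */
int synthetic_request_accepted(size_t n)
{
    char *name = malloc(n + 1);
    if (name == NULL)
        return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    int ok = game_request_accepted(name);
    free(name);
    return ok;
}

int main(void)
{
    /* Constructed sample requests: one that fits, one far too long. */
    printf("\"checkers\" accepted: %d\n", game_request_accepted("checkers"));
    printf("31-byte name accepted: %d\n", synthetic_request_accepted(31));
    printf("32-byte name accepted: %d\n", synthetic_request_accepted(32));
    printf("4096-byte name accepted: %d\n", synthetic_request_accepted(4096));
    return 0;
}
```

The hardened parser treats the length of the incoming field as untrusted and decides before touching the buffer, which is the check the unchecked version lacks; with the unchecked version, the only thing standing between an over-long request and code execution is the stack layout of the process, as the advisory's description of arbitrary code execution implies.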
Netscape users who have the inline version of AIM integrated into their browser, and non-Windows users, are not at risk. An interim measure recommended by the researchers is to download and install Robbie Saunder's AIM Filter. Another step would be to edit the instant messenger's preferences and select the option to allow only users on your Buddy List to contact you.
Both Microsoft and AOL have recently implemented alerts and other enhanced services in their messaging clients. Critics claim that many of these features are unneeded and pose heightened security risks. Microsoft maintains that instant messaging is a cornerstone technology of its vision for the .NET platform.
"The developers of a product with so many users should be much more cautious and avoid overbloating with a multitude of features they didn't have time to properly test in the first place," Conover wrote in his advisory. He added, "The first implication is that AOL should feel the weight of responsibility and employ better software development practices."