AOL’s AIM Still Has Overflow Bug

AOL Time Warner’s America Online unit still has a software flaw in its AOL Instant Messenger (AIM) client, according to a security-research group. What’s more, the new hole, which AOL is now filtering at its servers and which apparently no longer poses a threat, is reached by the same route as the one discovered last January, the group said.

The non-profit group w00w00 learned over the weekend that the vulnerability stems from an overflow in the code that parses a request to use AIM’s “add external application” feature. The weakness lets a remote attacker compromise the victim’s system; the malicious request gives no indication of who is sending it, and the end user cannot refuse it.

All Windows-based AIM clients back to version 4.2, excluding beta versions, are affected. Non-Windows versions of AIM are not, because they do not support the “add external application” feature.

w00w00 is quick to point out that AOL appears to be filtering the malicious requests on the server side, so the attack no longer appears to work. AOL officials were not immediately available to confirm the filtering. Because the filter is applied at AOL’s servers, end users do not need to download anything for it to take effect.

The first time around, the vulnerability let an attacker into a user’s system by overflowing the code that parses a game request in the “Play Game with Buddy” feature. That problem, too, was filtered by AOL on its own servers.

“A few simple modifications and it’s the same thing, all over again,” the group said. And that’s troubling to w00w00.

“The implications…leave the door wide open for a worm not unlike those that Microsoft Outlook, IIS, et al. have all had,” including Melissa, ILOVEYOU, CodeRed and Nimda, the group said. “An exploit could download itself off the Web, determine the buddies of the victim, and then attack them also. Given the general nature of social networks and how they are structured, we predict that it wouldn’t take long for such an attack to propagate.”

w00w00 last January even said that the vulnerability could be exploitable through other means, “but AOL has not released enough information about their protocol for us to be able to determine that.”

At the time, an AOL spokesperson said, “To our knowledge, the issue has not affected any AIM users.”

w00w00 is disappointed with the way AOL is going about dealing with the problem. “They are filtering the exploits rather than fixing the vulnerabilities,” the group’s Matt Conover said. “To make an analogy, it’s like changing the locks on the door when the door itself is broken.”
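To make the filter-versus-fix distinction concrete, here is a constructed C sketch added to this article. It is not AOL’s code and assumes nothing about the real AIM protocol: it uses a made-up request format (one length byte followed by the name), a 32-byte name field with a canary word placed right after it so an overflow can be observed without crashing the program, a parser with no bound check, a server-side filter that matches a byte run from a “published exploit”, and a bounds-checked parser. The function names (`parse_vulnerable`, `parse_fixed`, `filter_blocks`, `scenario`) are the example’s own.

```c
/* Hypothetical fixed-size request parser, its server-side signature filter,
 * and the bounds-checked fix.  Constructed demo, NOT AIM's code or protocol.
 *
 * Wire format assumed here: [1 byte length][length bytes of name].
 * The name is copied into a 32-byte field; a canary word sits right after
 * it so an overflow is observable without corrupting the real stack.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX   32            /* size of the name field */
#define CANARY_OFF NAME_MAX      /* canary lives just past the field */
#define CANARY_VAL 0xDEADBEEFu

/* Region large enough that any 255-byte field stays inside it, so the
 * overflow below is observable yet still well-defined for the demo. */
struct frame {
    unsigned char mem[NAME_MAX + sizeof(uint32_t) + 256];
};

typedef int (*parser_fn)(const uint8_t *, size_t, struct frame *);

void frame_init(struct frame *f) {
    uint32_t c = CANARY_VAL;
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + CANARY_OFF, &c, sizeof c);
}

int canary_intact(const struct frame *f) {
    uint32_t c;
    memcpy(&c, f->mem + CANARY_OFF, sizeof c);
    return c == CANARY_VAL;
}

/* Vulnerable parser: validates the wire length but never compares the
 * field length against NAME_MAX, so a long name runs over the canary. */
int parse_vulnerable(const uint8_t *req, size_t req_len, struct frame *f) {
    if (req_len < 1) return -1;
    size_t len = req[0];
    if (req_len < 1 + len) return -1;
    memcpy(f->mem, req + 1, len);        /* unbounded with respect to the field */
    return 0;
}

/* Fixed parser: rejects any field that would not fit before copying. */
int parse_fixed(const uint8_t *req, size_t req_len, struct frame *f) {
    if (req_len < 1) return -1;
    size_t len = req[0];
    if (req_len < 1 + len) return -1;
    if (len >= NAME_MAX) return -2;      /* leave room for the terminator */
    memcpy(f->mem, req + 1, len);
    f->mem[len] = '\0';
    return 0;
}

/* Server-side "filter": drops any request carrying the padding run seen in
 * a published exploit.  It matches the exploit, not the bug. */
int filter_blocks(const uint8_t *req, size_t req_len) {
    static const uint8_t known_pad[8] = { 'A','A','A','A','A','A','A','A' };
    for (size_t i = 0; i + sizeof known_pad <= req_len; i++)
        if (memcmp(req + i, known_pad, sizeof known_pad) == 0) return 1;
    return 0;
}

/* Build a request whose name field is field_len copies of fill. */
size_t build_request(uint8_t *out, size_t cap, uint8_t fill, size_t field_len) {
    if (field_len > 255 || cap < 1 + field_len) return 0;
    out[0] = (uint8_t)field_len;
    memset(out + 1, fill, field_len);
    return 1 + field_len;
}

/* Outcome codes: 0 dropped by filter, -1 rejected by parser,
 * 1 parsed with the canary intact, 2 parsed and the canary smashed. */
int run_request(const uint8_t *req, size_t req_len, parser_fn parse) {
    if (filter_blocks(req, req_len)) return 0;
    struct frame f;
    frame_init(&f);
    if (parse(req, req_len, &f) != 0) return -1;
    return canary_intact(&f) ? 1 : 2;
}

/* Sends one constructed request through filter + chosen parser. */
int scenario(uint8_t fill, size_t field_len, int use_fixed) {
    uint8_t req[256];
    size_t n = build_request(req, sizeof req, fill, field_len);
    if (n == 0) return -3;
    return run_request(req, n, use_fixed ? parse_fixed : parse_vulnerable);
}

int main(void) {
    printf("published exploit  vs filter + vulnerable parser: %d\n", scenario('A', 64, 0));
    printf("one-byte variant   vs filter + vulnerable parser: %d\n", scenario('B', 64, 0));
    printf("one-byte variant   vs filter + fixed parser:      %d\n", scenario('B', 64, 1));
    printf("benign request     vs filter + fixed parser:      %d\n", scenario('b', 10, 1));
    return 0;
}
```

Run as-is: the known exploit pattern is dropped by the filter (0), but changing the padding byte gets past the filter and overwrites the canary in the unpatched parser (2), while the bounds-checked parser rejects the same request regardless of padding (-1). The filter also drops a harmless ten-byte request that happens to contain the signature, which is the other cost of matching exploits instead of fixing the parser.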

w00w00 also takes AOL to task for not publishing a way to report security problems in its products. The person who found the “add external application” problem was unable to reach AOL and instead contacted w00w00, which then reported it to AOL using contact information the group had obtained only after trying to report the January vulnerability.

“Had AOL taken heed from the first time this happened, (this person) wouldn’t have had to reach out to us in order to report this egregious bug,” w00w00 says. “For that, we are disappointed, and once again insist that vendors NEED to make it easier to report vulnerabilities if they are at all interested in protecting their customers from less inhibited, malicious individuals.”

“In January we were criticized by AOL for not contacting them, and yet they still haven’t provided any public venues to report security problems,” Conover also says.

“Therefore, we recommend users–at least for now–switch to an Instant Messaging provider that has well-defined venues for reporting vulnerabilities,” says w00w00.

“We’ll have to wait and see how long it takes for someone to find another way around the filter,” the group added.

Conover says that AOL should “absolutely” be providing client-side fixes to the problem. “I think they need to make it thorough though, so they shouldn’t rush either,” he said.

“We are disappointed that more hasn’t been done,” he also said. “However, we have absolutely nothing against AOL. We approach vulnerabilities the same way with all companies.”

Bob Woods is the managing editor of InstantMessagingPlanet.
