January 3, 2002 at 6:00 am #16089
BigBlueBall News
Reuters
January 3, 2002
By Elinor Mills Abreu
SAN FRANCISCO (Reuters) – Brushing back criticism, a 19-year-old Utah college student said on Thursday he revealed a security flaw in AOL's popular instant messaging service because when he tried to tell the media giant privately, he was ignored.
“We never expected it to get this much attention,” said Matt Conover, the college student and one of the founders of w00w00, which bills itself as the world's largest non-profit security team with more than 30 members in about nine countries.
The security flaw identified by the group, which issued a report to security mailing lists, could allow a hacker to take control of computers through an advanced game-playing feature in certain versions of AOL's Instant Messenger, or AIM.
The problem results when the application is flooded with more code than it can handle, triggering a so-called “buffer overflow” error and allowing extraneous code to be executed.
There are about 100 million registered AIM users, 29 million of which are active users, according to an industry report.
W00w00 revealed the flaw Wednesday morning on a security e-mail list and America Online had a fix ready by Thursday morning, prompting Conover to “commend AOL's quick response.”
But Andrew Weinstein, a spokesman for AOL, the Internet unit of AOL Time Warner Inc., criticized the group for failing to give AOL more time to evaluate and fix the flaw before announcing it to the public.
“Most software companies would strongly encourage programmers not to do that until they have notified the software company,” he said.
The company fixed the problem on its AIM server so users did not have to download a patch for their own computers or change their settings, according to Weinstein.
“It was resolved within 24 hours. We heard no reports from users that anyone was affected by it,” he said.
WAITED A WEEK
Conover said he sent an e-mail around Dec. 25 to several AOL e-mail addresses, including one listed on the AIM web site for reporting bugs.
He waited a week and when he heard nothing from AOL he announced the flaw and released a “proof of concept” to demonstrate the vulnerability, he said.
“No matter how long we waited we weren't going to hear back from them,” said Conover, who studies computer science and math at Utah State University in Logan, Utah. “I now have contacts at AOL.”
Another security expert called w00w00 “irresponsible” for releasing a demonstration of the exploit before giving AOL time to act, but said it was prudent to announce the flaw to warn users before a malicious hacker could take advantage of it.
“AOL makes it extremely difficult to get a hold of anybody for anything to do with security,” said Russ Cooper, surgeon general of TruSecure Corp. who runs the NTBugTraq e-mail list on which the AIM flaw was announced.
However, another expert said demonstrations of flaws are usually necessary to prove that the problem is legitimate.
“Unless you can produce an exploit the company will say it's a theoretical threat,” said Nicholas Weaver, a computer science graduate student at University of California Berkeley.
Conover and Weaver criticized software companies for writing programs that are heavy on features and rushed to market, and thus less secure — a complaint routinely leveled against Microsoft Corp.
“There needs to be more due diligence for the software engineering and development cycle,” said Conover. “There isn't enough attention (paid) to developing the product. It goes into meeting deadlines and adding features.”