AIM Hack Shows AOL Hasn't Patched Critical Security Hole

Wired

2007-12-05

Virginia-based AOL quietly issued a security fix to its AIM instant messaging system this week, after a security researcher demonstrated for Wired News that the company had failed to properly close a September security hole allowing hackers to gain complete control of any PC running the latest version of AIM.

"It could take over 60,000 computers in two days, but I don't want to," says 31-year-old programmer Michael Evanchik, who developed the new attack. "It's a pretty big hole. You don't even have to click anything."

The hack highlights a key difficulty for AOL as it attempts to compete with sites like Facebook and MySpace that feature their own instant messaging systems. AOL has responded by turning its popular AIM client into a multimedia portal, adding extra features that make it easier for hackers to attack the downloadable software.

In October, the company released AIM 6.5 partially to fix a critical vulnerability in how the software handles HTML code. But security experts criticized AOL at the time for rushing out a half-baked solution, and relying heavily on server-side filtering to try and prevent malicious code from traveling through AOL's network. Securing the client from this class of attack could require sacrificing some multimedia functionality.

Monday night's silent server-level patch demonstrates that those experts were right: The AIM 6.5 client remains vulnerable to the same fundamental weakness, potentially allowing malicious hackers to create a worm that infects thousands of users in a matter of hours.

"Instead of locking down the AIM client, they add filters in the server," says Aviv Raff, the security researcher who reported the original remote exploit in September, and who analyzed the newest attack for Wired News. "Filtering in the server will never be enough. It's like a cat and mouse game."

Raff said that as soon as AOL told him they fixed his September exploit, he quickly developed functioning variants himself -- an easy process since the company was essentially filtering by keywords.

AOL spokeswoman Erin Gifford, however, says all is well.

"We have taken steps to protect users from this known and reported issue," said Gifford, after Wired News reported the issue.

Evanchik said he was moved to develop the attack after an anonymous MySpace user began harassing his sister. He planned to use it to deliver a homemade key logger to the user's machine, though he says he hasn't done so.

His attack was a single line of JavaScript that performed two functions. First, it set up an error handler that would download and run a malicious file from the internet. Then it directed the AIM client to try and display a non-existent image from the web. Because the image link was broken, AIM 6.5 followed the error instructions and turned over the victim's computer to the attack.

AOL's response was to add Evanchik's specific attack string to the company's server-side filtering software. AOL says that's good enough, and it doesn't expect to see any more exploits.

"We feel confident we have gotten all the problem issues resolved," Gifford said.
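
Raff's objection to string-based filtering, as an added Python example that is not from the article, AOL, or either researcher: an exact-string blocklist passes a re-cased variant of a blocked message, while an allowlist sanitizer on the rendering side drops every event-handler attribute however it is spelled. The sample strings, the `run()` handler name, the example.invalid URL and all function names are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed samples: a benign stand-in for the blocked string and a variant.
KNOWN = '<img src="http://example.invalid/missing.png" onerror="run()">'
VARIANT = '<IMG SRC="http://example.invalid/missing.png" ONERROR="run()">'

def keyword_filter_allows(message, blocked=(KNOWN,)):
    """Server-side blocklist: passes anything not literally on the list."""
    return not any(bad in message for bad in blocked)

# Client-side allowlist: only these tags and attributes are ever rendered.
ALLOWED = {"b": set(), "i": set(), "u": set(), "br": set(),
           "a": {"href"}, "img": {"src"}}
VOID = {"br", "img"}
SAFE_SCHEMES = ("http://", "https://")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tags (script, object, iframe, ...) are dropped
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            # on* handlers are not in any allowlist, so they never survive.
            if name in ALLOWED[tag] and value.lower().startswith(SAFE_SCHEMES):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-encoded

def sanitize(message):
    parser = AllowlistSanitizer()
    parser.feed(message)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    for msg in (KNOWN, VARIANT):
        print(keyword_filter_allows(msg), sanitize(msg))
```

The blocklist rejects only the exact string it was given; the sanitizer's output is the same for both inputs because it is built from what is permitted, not from what has been seen before.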
