AOL Fixes AIM Flaw

Student security experts w00w00 Security Development (WSD) say a buffer overflow in a new AOL Instant Messenger feature could leave Windows users open to destructive worms.

by Thor Olavsrud
of internetnews.com
[January 7, 2002]

AOL Time Warner Thursday applied a server-side patch to a security flaw in the 4.7 and 4.8 versions of its AOL Instant Messenger (AIM).

The fix plugs a hole that could have allowed destructive Internet worms to infect AIM's more than 100 million users. Because the fix is applied on AOL's servers, AIM users do not need to download anything.

"To our knowledge, the issue has not affected any AIM users," AOL spokesman Andrew Weinstein told InternetNews.com Wednesday.

Information about the vulnerability first surfaced Wednesday in an advisory from the non-profit security research group w00w00 Security Development, which described a "major security vulnerability" in the latest stable (4.7.2480) and beta (4.8.2616) versions of AOL Time Warner's AOL Instant Messenger (AIM) for Windows.

"This vulnerability will allow remote penetration of the victim's system without any indication as to who performed the attack," w00w00 Security Development (WSD) said Wednesday. "There is no opportunity to refuse the request. This does not affect the non-Windows versions, because the non-Windows versions currently do not yet support the feature that this vulnerability occurs in."

According to w00w00, the vulnerability is a buffer overflow in the code that parses incoming game requests for the "Play Game with Buddy" feature.

"The implications of this vulnerability are huge and leave the door wide open for a worm not unlike those that Microsoft Outlook, IIS, et al, have all had," the w00w00 researchers said. "An exploit could easily be amended to download itself off the Web, determine the buddies of the victim, and then attack them also. Given the general nature of the social networks and how they are structured, we predict that it wouldn't take long for such an attack to propagate."

w00w00 said it was constrained by the Digital Millennium Copyright Act (DMCA) from providing a patch for the vulnerability. In the group's reading of the act, a product that is released only in binary form to protect its technology (as AIM is) may not legally be reverse engineered, which rules out modifying the AIM executable.

"Normally we would be inclined to provide a fix, but it is illegal to reverse engineer the AIM executable, so we are unable to provide a patch which will modify it," w00w00 said.

Pending a fix from AOL, w00w00 had suggested that users protect themselves with filtering software such as Wicon Software's AIM Filter, which is a free download.
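The following added example is written for this edition; it is not AIM's code, nor w00w00's advisory or exploit. It illustrates the bug class the advisory describes: a game-request parser that copies a field into a fixed-size buffer without checking its length, shown beside a bounds-checked version and a relay-side filter that drops oversized requests, which is the shape of a fix applied on the server rather than in the client. The message format (`game=<name>;buddy=<screenname>`), the 32-byte limit, the sample requests and every function name are assumptions made for this example.

```c
/* Added illustrative example of the bug class described above.
 * NOT AIM's code or w00w00's exploit: the request format, the 32-byte
 * field limit and all function names are assumptions for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define GAME_NAME_MAX 32   /* assumed size of the client's game-name buffer */

/* Vulnerable shape: the "game=" field is copied into a fixed stack buffer
 * with no check of its length, so a name longer than GAME_NAME_MAX bytes
 * writes past the buffer. Kept for contrast only; never feed it untrusted
 * input. */
static int parse_game_request_unsafe(const char *req)
{
    char game[GAME_NAME_MAX];
    const char *start = strstr(req, "game=");
    if (!start)
        return -1;
    start += strlen("game=");
    size_t len = strcspn(start, ";");
    memcpy(game, start, len);      /* no bound: len may exceed sizeof game */
    game[len] = '\0';
    (void)game;                    /* would be handed to the game launcher */
    return 0;
}

/* Hardened form: refuse any request whose game-name field does not fit
 * (leaving room for the terminator) instead of truncating silently.
 * Returns 0 on success, -1 when the request is rejected. */
static int parse_game_request(const char *req, char *game, size_t game_sz)
{
    const char *start = strstr(req, "game=");
    if (!start)
        return -1;
    start += strlen("game=");
    size_t len = strcspn(start, ";");
    if (len == 0 || len >= game_sz)
        return -1;
    memcpy(game, start, len);
    game[len] = '\0';
    return 0;
}

/* Convenience wrapper: the parsed game name in a static buffer, or NULL
 * when the request is rejected. */
static const char *parsed_game_name(const char *req)
{
    static char game[GAME_NAME_MAX];
    return parse_game_request(req, game, sizeof game) == 0 ? game : NULL;
}

/* Relay-side filter in the spirit of a server-side fix: a relay that
 * refuses to forward malformed requests protects unpatched clients.
 * Returns 1 if the request may be forwarded, 0 if it must be dropped. */
static int relay_should_forward(const char *req)
{
    char scratch[GAME_NAME_MAX];
    return parse_game_request(req, scratch, sizeof scratch) == 0;
}

/* Constructed oversized request: a 493-byte run of 'A' stands in for an
 * attacker-controlled game name. */
static const char *oversized_request(void)
{
    static char buf[512];
    const char *tail = ";buddy=victim";
    size_t fill = sizeof buf - strlen("game=") - strlen(tail) - 1;
    memcpy(buf, "game=", strlen("game="));
    memset(buf + strlen("game="), 'A', fill);
    memcpy(buf + strlen("game=") + fill, tail, strlen(tail) + 1);
    return buf;
}

int main(void)
{
    const char *normal = "game=checkers;buddy=alice";   /* constructed sample */

    /* The unsafe parser is only ever called on the well-formed sample. */
    printf("unsafe parser on normal request: %d\n",
           parse_game_request_unsafe(normal));
    printf("normal request: name=%s forward=%d\n",
           parsed_game_name(normal), relay_should_forward(normal));
    printf("oversized request: rejected=%d forward=%d\n",
           parsed_game_name(oversized_request()) == NULL,
           relay_should_forward(oversized_request()));
    return 0;
}
```

The hardened parser rejects rather than truncates, because a truncated game name would still be acted on by the client; the relay filter reuses the same check so that the accept/reject decision lives in one place.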

w00w00 has posted the source code for the exploit on its website.
