October 5, 2001
A security flaw has been discovered in AOL's popular instant messaging program which, while not serious in and of itself, may be a sign of bigger security problems to come.
Notified this week by cyber-sleuths of a vulnerability to crash attacks in its instant messaging (IM) program, AOL Time Warner (NYSE: AOL) is reportedly working on a fix. Experts say the security hole is not serious, but it could be a harbinger of IM security issues to come.
The vulnerability, discussed in security mailing lists and message boards since late last month, allows someone to send a message that crashes AOL Instant Messenger (AIM).
SecurityFocus chief technology officer Elias Levy told NewsFactor Network that the hole is not a major threat, but that its existence highlights the fact that instant messaging, used widely in the corporate world, has largely been overlooked from a security standpoint.
"In the greater scheme of things, it's not very serious," Levy said. "This is probably just a sign of other vulnerabilities that might be out there. You can think of it as being the tip of the iceberg."
A program called "AIMrape," reportedly produced as proof-of-concept code, can exploit the security bug and cause the AIM system to crash when a user receives it. Levy said that all AIM users could potentially be affected, adding that the vulnerability may be well known to hackers.
"It's a parsing problem within AOL's instant messaging system," Levy told NewsFactor. "Certain types of messages will cause the AOL instant messaging program to crash. At this time, it seems to be a denial of service (DoS) attack on this program."
Levy said the exploit does not allow access to computer files or execution of arbitrary code, adding: "You can crash IM, but you can restart it and you're back in business."
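The flaw Levy describes is a message-parsing bug: a client that trusts the framing of incoming data falls over on a malformed message, and the result is a denial of service rather than code execution. The example below is added here to illustrate that failure mode and its mitigation; it is not AIM's code or protocol. It uses a constructed toy frame format (a two-byte length prefix, a type byte, then a payload) and contrasts a naive parser, which lets any malformed frame take the whole receive loop down, with a defensive one that validates every field and drops bad frames so the client keeps running. The frame layout, the constants, and the sample traffic are all assumptions made for the example.

```python
"""Toy IM message parser: a naive version that lets parse failures escape
(the "crash") beside a defensive version that rejects malformed frames.

Constructed frame format (an assumption for this example, NOT AIM's protocol):
    2 bytes  big-endian payload length
    1 byte   message type (1 = text, 2 = typing notification)
    N bytes  payload (UTF-8 text for type 1, empty for type 2)
"""
import struct

MAX_PAYLOAD = 4096      # upper bound a client is willing to buffer per message
TYPE_TEXT = 1
TYPE_TYPING = 2


class ParseError(ValueError):
    """Raised by the defensive parser for any malformed frame."""


def naive_parse(frame: bytes) -> dict:
    # Trusts the wire data completely: a frame shorter than its header,
    # or a text payload that is not valid UTF-8, raises an unhandled
    # exception straight out of the receive loop.
    (length,) = struct.unpack(">H", frame[:2])
    mtype = frame[2]
    payload = frame[3:3 + length]
    return {"type": mtype, "text": payload.decode("utf-8")}


def safe_parse(frame: bytes) -> dict:
    # Every field is checked against the frame actually received before
    # it is used; anything inconsistent is reported as ParseError.
    if len(frame) < 3:
        raise ParseError("frame shorter than header")
    (length,) = struct.unpack(">H", frame[:2])
    mtype = frame[2]
    if length > MAX_PAYLOAD:
        raise ParseError(f"declared length {length} exceeds limit")
    if len(frame) != 3 + length:
        raise ParseError("declared length does not match frame size")
    payload = frame[3:]
    if mtype == TYPE_TEXT:
        try:
            text = payload.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise ParseError("text payload is not valid UTF-8") from exc
        return {"type": mtype, "text": text}
    if mtype == TYPE_TYPING:
        if payload:
            raise ParseError("typing notification carries a payload")
        return {"type": mtype, "text": ""}
    raise ParseError(f"unknown message type {mtype}")


def run_client(parser, frames):
    """Feed frames to a parser the way a client's receive loop would.

    Returns (delivered, dropped, crashed). A ParseError is logged and the
    frame dropped; any other exception means the client process is gone.
    """
    delivered = dropped = 0
    for frame in frames:
        try:
            parser(frame)
            delivered += 1
        except ParseError:
            dropped += 1
        except Exception:
            return delivered, dropped, True
    return delivered, dropped, False


def build(mtype: int, payload: bytes = b"") -> bytes:
    """Encode a well-formed frame in the constructed format."""
    return struct.pack(">H", len(payload)) + bytes([mtype]) + payload


# Constructed sample traffic: good messages with two malformed frames mixed in.
SAMPLE_FRAMES = [
    build(TYPE_TEXT, "hello".encode()),
    build(TYPE_TYPING),
    b"\x00\x03\x01\xff\xfe",   # declares 3 payload bytes, carries 2 bytes of invalid UTF-8
    b"\x00\x05",               # truncated: length prefix only, no type byte
    build(TYPE_TEXT, "still here?".encode()),
]

if __name__ == "__main__":
    print("naive client:", run_client(naive_parse, SAMPLE_FRAMES))   # (2, 0, True)
    print("safe client: ", run_client(safe_parse, SAMPLE_FRAMES))    # (3, 2, False)
```

The naive client delivers two messages and then dies on the third frame, which is exactly the restart-and-carry-on symptom described above; the defensive client drops the two bad frames and still delivers the message that follows them. The same discipline, checking declared lengths against the bytes actually received and treating decoding failures as rejectable input, is what keeps a parsing bug at the level of a dropped message instead of a crashed client.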
Levy said that AOL is probably working on a patch for the problem, but added that instant messaging, like other computer applications, is driven by features more than by security.
Levy said that unlike e-mail, instant messaging is a relatively new application and, with ever-changing features and functionality, it is susceptible to security gaps.
"I don't think people have really taken a hard look at instant messaging programs," he said. "I think most people use it for the functionality and don't really think about the risks."
Added Levy: "The quality of development and a lack of history makes it likely that you'll have security vulnerabilities there."
Levy said while corporations may think that instant messaging between two users inside the company does not expose them to threats, IM communication still flows unencrypted through central servers.
"It pierces your firewall, and not enough people have taken a look at the security of instant messaging programs," he said. "It could possibly be a back door to the network sometime in the future if more serious vulnerabilities are found."
Interoperability Would Help
Instant messaging has been the focus of a heated interoperability debate between AOL and other technology players, including Microsoft (Nasdaq: MSFT), as well as Yahoo! (Nasdaq: YHOO), which formed a group called IM Unified and criticized AOL's interoperability efforts with IBM in August.
Levy told NewsFactor that interoperability among IM systems could help improve security with uniform standards.
"It makes it easier to verify fewer flaws," Levy said, adding that AOL has actually used a buffer overflow flaw in its product to keep AIM from working with other IM programs.
"That's a bad sign," he said. "It just goes to show there are security problems in these products."