-Caveat Lector-

Well, maybe AOL HELL, controllers should get their s**t together. After all
they own Time Warner, CNN and a good deal of the music rights of the
world's musicians, so why be offline during the holidays? You can afford it, or
is this a clue to the way the New World Order will work in the future? We
wonder.... --SW

Security hole in AOL Instant Messenger leaves computers vulnerable to
remote takeover

By D. IAN HOPPER, Associated Press

WASHINGTON (January 2, 2002 3:21 p.m. EST) - A security hole in AOL
Time Warner's Instant Messenger program used by millions of computer
users can let a hacker take control of a victim's computer, security
researchers and the company have said.

An AOL spokesman said the problem will be fixed soon, and users won't
have to download anything.

"We have identified the issue and have developed a resolution that should be
deployed in the next day or two," AOL's Andrew Weinstein said. "To our
knowledge, this issue has not affected any users."

The problem affects newest versions as well as many earlier iterations of
AOL's Instant Messenger program.

Discovered by a loose team of international researchers called 'w00w00,' the
hole is a "buffer overflow," like the problem recently found in Microsoft's
Windows XP.

By sending a stream of junk messages to the program, a hacker can
overwhelm the software and make the victim's computer run any commands
the hacker wants.

"You could do just about anything, (you could) delete files on the computer or
take over the machine," w00w00 founder Matt Conover said.

Conover said w00w00 has over 30 active members from 14 states and nine
countries. Until AOL's fix is released, Conover said, Instant Messenger users
should restrict incoming messages to friends on their "Buddy List."

"It will at least keep someone from attacking you at random," Conover said,
but it wouldn't help if the attack code is added to a virus that propagates
without the victim's knowledge. AOL said it has not given its users any advice
in the interim.

Conover said the group found the problem several weeks ago, but didn't
contact AOL until after Christmas. The group didn't get any response from
AOL through an e-mail during the holiday week, he said, so w00w00
released details - and a program that takes advantage of it - to public
security mailing lists less than a week later.

The program released by w00w00 remotely shuts down a person's Instant
Messenger program, but could be modified to do more sinister things.

That practice is under scrutiny by security professionals. While some
independent researchers argue for a "full disclosure" policy and say software
vendors are trying to cover up their mistakes, many companies say users are
better protected if the company has time to react.

Russ Cooper, who moderates a popular security mailing list and works for
security firm TruSecure, said Conover's actions are irresponsible.

"I think it's better to provide details of the exploit and then let other people
write the actual code," Cooper said. "Unfortunately, these are fundamentally
naive people with a very childish view of the world."

Cooper said he let Conover send the information out through his mailing list,
but only did so after noticing it was released through other channels as well.

Conover said w00w00 set a New Year's deadline for sentimental reasons,
because it was the anniversary of the group's last major security release. He
defended the disclosure of the attack program.

"This is the approach that w00w00 has historically taken to the problem," he
said. "For us it means providing all the information we have available to the
security community."

AOL's Weinstein said the company would have appreciated more warning.

"We'd encourage any software programmer that discovers a vulnerability to
bring it to our attention prior to releasing it," Weinstein said.
------------------------
"In little more than a year we have gone from enjoying peace and the most prosperous 
economy in our
history, to a nation plunged into war, recession and fear. This is a nation being 
transformed before
our very eyes."

http://www.truthout.com

Steve Wingate, Webmaster
ANOMALOUS IMAGES AND UFO FILES
http://www.anomalous-images.com

<A HREF="http://www.ctrl.org/";>www.ctrl.org</A>
DECLARATION & DISCLAIMER
==========
CTRL is a discussion & informational exchange list. Proselytizing propagandic
screeds are unwelcomed. Substance�not soap-boxing�please!  These are
sordid matters and 'conspiracy theory'�with its many half-truths, mis-
directions and outright frauds�is used politically by different groups with
major and minor effects spread throughout the spectrum of time and thought.
That being said, CTRLgives no endorsement to the validity of posts, and
always suggests to readers; be wary of what you read. CTRL gives no
credence to Holocaust denial and nazi's need not apply.

Let us please be civil and as always, Caveat Lector.
========================================================================
Archives Available at:
http://peach.ease.lsoft.com/archives/ctrl.html
 <A HREF="http://peach.ease.lsoft.com/archives/ctrl.html";>Archives of
[EMAIL PROTECTED]</A>

http:[EMAIL PROTECTED]/
 <A HREF="http:[EMAIL PROTECTED]/";>ctrl</A>
========================================================================
To subscribe to Conspiracy Theory Research List[CTRL] send email:
SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]

To UNsubscribe to Conspiracy Theory Research List[CTRL] send email:
SIGNOFF CTRL [to:] [EMAIL PROTECTED]

Om

Reply via email to