-Caveat Lector-

----- Original Message -----
From: <RoadsEnd@...>
>
> YOU'VE BEEN HACKED
AOL/Time Warner announced that its Instant Message software has
a security hole.  AOL is warning its users that the hole can
allow hackers to take complete control of their systems.  AOL is
promising a fix for the security breach.

---

More on this with temporary solutions until AOL creates a fix:

from - http://www.w00w00.org/advisories/aim.html

AOL Instant Messenger (AIM) has a major security vulnerability in the latest
stable (4.7.2480) and beta (4.8.2616) Windows versions. This vulnerability
will allow remote penetration of the victim's system without any indication
as to who performed the attack. There is no opportunity to refuse the
request. This does not affect the non-Windows versions, because the
non-Windows versions currently do not yet support the feature that this
vulnerability occurs in.

This particular vulnerability results from an overflow in the code that
parses a game request. The actual overflow appears to be in the parsing of
TLV type 0x2711. This may be more generic and exploitable through other
means, but AOL has not released enough information about their protocol for
us to be able to determine that. Robbie Saunders' email yesterday should be
enough of a hint which direction to look in.

We recommend Robbie Saunders' AIM Filter ( http://www.ssnbc.com/wiz ) to
protect yourselves.  A temporary solution is to go into your Preferences and
in the Privacy section click "Allow Only Users on My Buddy List" under "Who
can contact me."

UPDATES:
1. AOL will be fixing this in the server side within a day or two.
2. Versions dating back to at least AIM 4.3 are vulnerable
3. Inline AIM in Netscape is not vulnerable

IMPLICATIONS

AOL Instant Messenger ( http://www.aim.com ) has over 100 million users. The
implications of this vulnerability are huge and leave the door wide open for
a worm not unlike those that Microsoft Outlook, IIS, et al. have all had
(Melissa, ILOVEYOU, CodeRed, nimda, etc.). An exploit could easily be
amended to download itself off the web, determine the buddies of the victim,
and then attack them also. Given the general nature of social networks and
how they are structured, we predict that it wouldn't take long for such an
attack to propagate.

more at - http://www.w00w00.org/advisories/aim.html

---

from - http://www.ananova.com/yournews/story/sm_486257.html

AOL rushes to fix hole in Instant Messenger

AOL has confirmed it is rushing to fix a security hole in its Instant
Messenger program.

The move comes after a group of researchers identified the flaw and
publicised it online.

The hole - found in the Windows version of the program - can let a hacker
take full control of a victim's computer.

An AOL spokesman confirmed the existence of the problem, but said so far no
users have been affected. He added that a fix "should be deployed in the
next day or two."

The research team behind the discovery - dubbed w00w00 - said the hole is a
buffer overflow, similar to the problem recently found in Microsoft's
Windows XP.

They say a hacker can use it to take control of a victim's computer by
sending a stream of junk messages to the program.

W00w00 founder Matt Conover said the group discovered the problem several
weeks ago, but didn't contact AOL until Christmas week. He claims an email
outlining the problem failed to elicit a response.

Their move to go public - accompanied by the release of a home-made patch -
a week later has already been criticised by independent experts.

Russ Cooper, who moderates a popular security mailing list and works for
security firm TruSecure, said the actions are irresponsible.

But Conover defended the disclosure, arguing that the group's approach
"means providing all the information we have available to the security
community."

Story filed: 11:16 Thursday 3rd January 2002
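
The advisory quoted above places the overflow in the parsing of TLV type 0x2711. The following is an added example, not code from the advisory, w00w00 or AOL: a bounds-checked TLV walker showing the two length checks such a parser needs. The 2-byte type / 2-byte big-endian length layout, the 64-byte destination buffer and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLV_GAME_REQUEST 0x2711  /* TLV type named in the advisory */
#define GAME_BUF_SIZE    64      /* assumed size of the fixed destination buffer */

enum tlv_status { TLV_OK = 0, TLV_NOT_FOUND = -1, TLV_TRUNCATED = -2, TLV_TOO_LONG = -3 };

/* Read a big-endian 16-bit value. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Walk a chain of TLVs (assumed layout: 2-byte type, 2-byte length, value)
 * and copy the value of the first TLV of type `want` into `out`.
 * Each declared length is checked against the bytes left in the packet
 * and, before copying, against the capacity of the destination buffer.
 */
int tlv_extract(const uint8_t *pkt, size_t pkt_len, uint16_t want,
                uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t off = 0;
    while (off < pkt_len) {
        if (pkt_len - off < 4)
            return TLV_TRUNCATED;        /* header itself is cut short */
        uint16_t type = be16(pkt + off);
        uint16_t len  = be16(pkt + off + 2);
        off += 4;
        if (len > pkt_len - off)
            return TLV_TRUNCATED;        /* declared length overruns the packet */
        if (type == want) {
            if (len > out_cap)
                return TLV_TOO_LONG;     /* would overflow the fixed buffer */
            memcpy(out, pkt + off, len);
            *out_len = len;
            return TLV_OK;
        }
        off += len;                      /* skip a TLV we are not looking for */
    }
    return TLV_NOT_FOUND;
}

/* Constructed sample: one 0x2711 TLV declaring 200 bytes of value. */
int demo_oversized(void)
{
    uint8_t pkt[4 + 200] = { 0x27, 0x11, 0x00, 0xC8 };
    uint8_t game[GAME_BUF_SIZE];
    size_t n = 0;
    return tlv_extract(pkt, sizeof pkt, TLV_GAME_REQUEST, game, sizeof game, &n);
}
```

A parser that trusts the declared length and copies it into a fixed buffer without the TLV_TOO_LONG check is the general pattern behind an overflow of this kind.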
