-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
January 2, 2002

AOL Instant Messenger Remote Buffer Overflow

Synopsis:

Internet Security Systems (ISS) X-Force has learned of a remote buffer overflow vulnerability in the popular AOL Instant Messenger (AIM) software. An exploit for this vulnerability has been released publicly. This vulnerability may allow remote attackers to execute arbitrary commands on a victim's system. The victim is unable to refuse the request or determine who initiated the attack.

Affected Versions:

AOL Instant Messenger versions 4.3 through 4.7.2480 for Windows
AOL Instant Messenger version 4.8.2616 for Windows (beta)

Note: AOL Instant Messenger versions prior to 4.3 have not been tested. Previous versions that contain the Games feature may also be vulnerable.

Description:

The AOL Instant Messenger program is used by over 100 million users to send messages, share and transfer files, talk over the Internet, check stock prices and headlines, and play games. A vulnerability exists in the code that processes game requests, which may allow attackers to execute arbitrary code on a remote AIM user's system. The victim is not able to refuse the game request in order to block the exploit.

This vulnerability is relatively easy to exploit, and the exploit can contain a large and complex payload. This is a serious vulnerability in a very widely used software product. If a worm like Code Red or Nimda were written to exploit this vulnerability, it would likely spread very rapidly, and could potentially damage both personal and business systems.

Recommendations:

ISS X-Force recommends that users upgrade to the latest version of AOL Instant Messenger as soon as a fix becomes available.

Until a fixed version of AOL Instant Messenger is available, system administrators are encouraged to block "login.oscar.aol.com" and port 5190 at the firewall. This will prevent AIM users from logging in to the AIM service.
ISS RealSecure intrusion detection customers may use the following connection event to detect access attempts by AOL Instant Messenger servers to AIM clients, including both normal connections and attempts to exploit this vulnerability. Follow the instructions below to apply the connection event to your policy.

1. Choose the policy that you want to use, and then click 'Customize'.
2. Select the 'Connection Events' tab.
3. In the right pane, click 'Add'.
4. Create a Connection Event.
5. Type in a name for the event, such as 'AIM_5190'.
6. In the 'Response' field for the event, select the responses you want to use. In the 'Protocol' field, select TCP. In the 'Src Port/Type' field, select the entry for AOL port 5190. Click 'OK'.
7. Save the changes, and then close the window.
8. Click 'Apply to Sensor' or 'Apply to Engine', depending on the version of RealSecure you are using.

To reduce the risk from this vulnerability until a fixed version is available, AOL Instant Messenger users should block unknown users from contacting them using AIM. However, this will not provide complete protection, because users on your Buddy List can still contact you. If this vulnerability is built into a worm, the attack may come from users on your Buddy List without their knowledge.

To block unknown users in AIM:

1. Go to My AIM -> Edit Options -> Edit Preferences.
2. In the left pane, select the Privacy category.
3. In the "Who can contact me" section, select "Allow only users on my Buddy List".

Internet Scanner X-Press Update version 6.4 will be available for download at the following URL on January 3, 2002:

http://www.iss.net/db_data/xpu/IS.php

ISS X-Force will provide detection support for this vulnerability in an upcoming X-Press Update for RealSecure Network Sensor. Detection support for this attack will also be added in a future update for BlackICE products.

Additional Information:

This vulnerability was discovered and released by w00w00.
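The two network controls recommended above, the firewall block on "login.oscar.aol.com" and TCP port 5190, and the RealSecure connection event on TCP source port 5190, expressed as an added example. This is not part of the ISS alert and is not RealSecure's own logic: it is a small Python script that applies both rules to constructed flow records so the direction each rule keys on is explicit. The log format, the addresses (RFC 5737 documentation ranges) and every hostname other than login.oscar.aol.com are assumptions made for the example.

```python
"""Added example (not ISS or RealSecure code): apply the advisory's two
network controls to constructed flow records.

1. Detection: the RealSecure connection event matches TCP connections
   whose SOURCE port is 5190, i.e. traffic from an AIM (OSCAR) server
   toward a client. A normal login and an exploit attempt look the same
   at this layer, so the event alerts on both, as the advisory states.
2. Blocking: the firewall rule drops client connections to TCP/5190 and
   to login.oscar.aol.com, which stops new logins.
"""
import re
from dataclasses import dataclass

AIM_PORT = 5190                         # port named in the advisory
AIM_LOGIN_HOST = "login.oscar.aol.com"  # host named in the advisory


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    dst_name: str = ""  # resolved name of dst, if the log carries one


# Constructed record format for this example (not a real product's):
#   "PROTO src:sport -> dst:dport [resolved-name]"
_LINE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?:\s+(?P<name>\S+))?$"
)


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record; raise on anything malformed."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m["proto"].upper(), m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]), m["name"] or "")


def aim_connection_event(flow: Flow) -> bool:
    """RealSecure-style connection event: TCP with source port 5190.
    Server-to-client direction, which is where a game request arrives."""
    return flow.proto == "TCP" and flow.sport == AIM_PORT


def egress_blocked(flow: Flow) -> bool:
    """Firewall rule from the advisory: block client connections to
    TCP/5190 or to login.oscar.aol.com. The name match also catches a
    login host reached on some other port; the port match catches any
    other OSCAR server. Neither affects a session that is already up."""
    return flow.proto == "TCP" and (
        flow.dport == AIM_PORT or flow.dst_name == AIM_LOGIN_HOST
    )


# Constructed sample records; addresses are documentation ranges, not AOL's.
SAMPLE_LOG = """\
TCP 192.0.2.10:3421 -> 198.51.100.5:5190 login.oscar.aol.com
TCP 198.51.100.5:5190 -> 192.0.2.10:3421
TCP 203.0.113.7:5190 -> 192.0.2.11:1055
TCP 192.0.2.12:2201 -> 198.51.100.5:443 login.oscar.aol.com
TCP 192.0.2.12:2202 -> 198.51.100.9:80 www.example.com
UDP 192.0.2.13:5190 -> 192.0.2.200:53
"""


def triage(log: str) -> dict:
    """Return the flows the connection event would alert on and the flows
    the egress rule would drop, keyed 'events' and 'blocked'."""
    flows = [parse_flow(l) for l in log.splitlines() if l.strip()]
    return {
        "events": [f for f in flows if aim_connection_event(f)],
        "blocked": [f for f in flows if egress_blocked(f)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["events"]:
        print("AIM_5190 event:", f.src, "->", f.dst)
    for f in result["blocked"]:
        print("egress blocked:", f.dst_name or f.dst, "port", f.dport)
```

Against the constructed records the connection event fires on the two TCP flows sourced from port 5190 and ignores the UDP record, while the egress rule drops the login on 5190 and the login-host connection on 443, but not the unrelated web traffic. The two rules are complementary: the event gives visibility into server-to-client traffic that is already flowing, the block prevents new logins, and neither helps a client whose attacker is already on its Buddy List, which is why the alert also recommends the AIM privacy setting.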
______

About Internet Security Systems (ISS)

Internet Security Systems is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business. With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 9,000 customers worldwide including 21 of the 25 largest U.S. commercial banks, the top 10 U.S. telecommunications companies, and all major branches of the U.S. Federal Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc. All rights reserved worldwide.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server.
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force [EMAIL PROTECTED] of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBPDN9izRfJiV99eG9AQGKFwQAmc6GV3Nh20M9AOXvr8EfApV9YySTNlUl
Glcq8/op/ZmY4ymqieHKR4SSNN0kK+0miYXGtpmViDQ/w0xbFOiaR9aHo16OaFpT
WmsxwfHgSO60PVOfzg89snzrR9chb+HVbYQhLBSKkKPPCXRlUKkWzYdY6cvba4ZY
QeYslPwYD9s=
=7pFV
-----END PGP SIGNATURE-----
