AOL Fixes Instant Messaging Breach
WASHINGTON — America Online said Thursday it had repaired a major security hole in its popular Instant Messenger program that could allow a hacker to take control of individual home computers.
“The issue was resolved early this morning and was handled on the server side, so users do not have to download anything or take any other action,” AOL spokesman Andrew Weinstein said. “To our knowledge, no users were affected by this issue prior to its resolution.”
The problem affected the newest as well as many earlier versions of AOL’s Instant Messenger program, which boasts more than 100 million users.
“You could do just about anything: delete files on the computer or take over the machine,” said Matt Conover, founder of the hackers’ group w00w00, which claims more than 30 active members from 14 states and nine foreign countries.
Conover, who attends Utah State University, said the group found the problem several weeks ago but didn’t contact AOL until after Christmas. The group got no response from AOL to an e-mail sent during the holiday week, he said, so w00w00 released details, along with a program that takes advantage of the hole, to public security mailing lists less than a week later.
The program released by w00w00 remotely shut down a user’s Instant Messenger program but could have been modified to do more sinister things.
That practice is under scrutiny by security professionals. While some independent researchers argue for a “full-disclosure” policy and say software vendors are trying to hide their mistakes, many companies say users are better protected if companies have time to react.
“I think that’s pretty dangerous,” said Chris Wysopal of the security company AtStake, “especially since they pretty much acknowledged that they hadn’t gotten a response back from AOL yet.”
Russ Cooper, who moderates a popular security mailing list and works for security firm TruSecure, said Conover’s action was irresponsible because it helped hackers.
“I think it’s better to provide details of the exploit and then let other people write the actual code,” Cooper said. “It lets the technical community have the information they need without letting idiots have the information they want.”
Also on Thursday, AOL acknowledged that it had increased a monthly fee by 50% for new customers signing up for e-mail and other services through rival Internet access providers.
The fee increase, to $14.95 a month, wasn’t announced when it took place several months ago, spokesman Jim Whitney said. About 5% of AOL’s more than 33 million subscribers use the plan.