AOL's AIM gets bugged

August 20, 1999
Web posted at: 3:53 p.m. EDT (1953 GMT)

by Matthew Nelson

(IDG) -- Microsoft and an Internet security company say America Online has injected a security flaw into its own instant messaging software that could potentially put AOL's own users at risk.

The self-inflicted bug is the latest development in the instant messaging row between Microsoft and AOL that erupted last month when Microsoft released MSN Messenger Service, which competes with AOL Instant Messenger (AIM).

Robert Graham, chief technical officer of Network ICE, an independent intrusion detection and security company, uncovered a buffer overflow bug within the latest coding of AIM servers that would enable the systems to identify and block Microsoft users.

Network ICE develops intrusion detection applications to identify hacking attempts, including buffer overflow attacks.

"We logged into an AOL server using an AOL Messenger and did a capture of the traffic between a server and a client. During the log-in process I found what indeed was a buffer overflow exploit," Graham said.

The bug does not attack Microsoft clients attempting to gain access to AOL Instant Messaging servers, however, but instead affects AOL clients. When an AOL client logs onto an Instant Messaging server, the client will actually send back too much information, like a buffer overflow exploit, therefore identifying Microsoft Messaging clients that do not do so.

"When an AOL client connects, the AOL server sends back more information than they expect," Graham said. "The buffer that they reserved was 256 bytes. For that buffer, what AOL sends is 256 bytes and then 24 bytes extra ... to overflow it."

An AOL representative would not comment on the specifics of the charge, saying the company did not want to tip its hand as to how it is "blocking Microsoft."

"Our members' security and privacy is our top priority," spokeswoman Tricia Primrose said. "We are actively defending our members and our servers."

Graham said he didn't want to take sides between the two industry giants, but that Network ICE intends to protect its users from the AOL exploit being used surreptitiously by hackers who, Graham said, could pose as the AOL exploit to gain access to systems.

"[Hackers] could interpose themselves between the AOL server and the client and then change the AOL overflow to their own overflow that then breaks into the system," Graham said.

Microsoft would not comment on the issue.

Network ICE's BlackICE intrusion detection application has been updated to allow for the AOL exploit but to monitor for alterations to the original code, which might give away a hacker, according to Graham.
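
An added illustration, not code from the article, Network ICE or AOL, of the two checks described above: a receive path that refuses anything longer than the 256-byte buffer Graham cites, and a monitor that tolerates a recorded oversized field but flags any change to it. The function names, the byte-for-byte baseline comparison and the sample bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_BUF_LEN 256                    /* buffer size quoted in the article */
#define OVERSIZE_LEN   (CLIENT_BUF_LEN + 24)  /* 256 bytes plus 24 extra, as quoted */

enum verdict { FIELD_OK, KNOWN_OVERSIZE, ALTERED_OVERSIZE };

/* Hardened receive path: the length is checked before the copy, so an
 * oversized field is rejected instead of running past dst. */
int store_field(unsigned char dst[CLIENT_BUF_LEN],
                const unsigned char *field, size_t len)
{
    if (len > CLIENT_BUF_LEN)
        return -1;
    memcpy(dst, field, len);
    return (int)len;
}

/* Monitor (hypothetical logic): an oversized field is tolerated only if it
 * matches the recorded baseline byte for byte; anything else is flagged. */
enum verdict classify_field(const unsigned char *field, size_t len,
                            const unsigned char *baseline, size_t baseline_len)
{
    if (len <= CLIENT_BUF_LEN)
        return FIELD_OK;
    if (len == baseline_len && memcmp(field, baseline, len) == 0)
        return KNOWN_OVERSIZE;
    return ALTERED_OVERSIZE;
}

/* Constructed sample: 256 filler bytes followed by 24 bytes of tail_byte. */
void make_sample(unsigned char out[OVERSIZE_LEN], unsigned char tail_byte)
{
    memset(out, 0x41, CLIENT_BUF_LEN);
    memset(out + CLIENT_BUF_LEN, tail_byte, OVERSIZE_LEN - CLIENT_BUF_LEN);
}

int main(void)
{
    unsigned char baseline[OVERSIZE_LEN], seen[OVERSIZE_LEN], dst[CLIENT_BUF_LEN];
    make_sample(baseline, 0x00);
    make_sample(seen, 0x01);   /* tail differs from the recorded baseline */
    printf("store=%d verdict=%d\n", store_field(dst, seen, sizeof seen),
           classify_field(seen, sizeof seen, baseline, sizeof baseline));
    return 0;
}
```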

The issue first surfaced after a Microsoft employee, posing as software consultant "Phil Bucking," sent an e-mail detailing the AOL flaw to a software company executive. Microsoft spokesman Tom Pilla said last week that the employee, whom he wouldn't identify, had been reprimanded.

Matthew Nelson is a senior writer for InfoWorld.
