CNN.com

AOL's AIM gets bugged

August 20, 1999
Web posted at: 3:53 p.m. EDT (1953 GMT)

by Matthew Nelson

From InfoWorld


(IDG) -- Microsoft and an Internet security company say America Online has injected a security flaw into its own instant messaging software that could potentially put AOL's own users at risk.

The self-inflicted bug is the latest development in the instant messaging row between Microsoft and AOL that erupted last month when Microsoft released MSN Messenger Service, which competes with AOL Instant Messenger (AIM).

Robert Graham, chief technical officer of Network ICE, an independent intrusion detection and security company, uncovered a buffer overflow bug within the latest coding of AIM servers that would enable the systems to identify and block Microsoft users.

Network ICE develops intrusion detection applications to identify hacking attempts, including buffer overflow attacks.

"We logged into an AOL server using an AOL Messenger and did a capture of the traffic between a server and a client. During the log-in process I found what indeed was a buffer overflow exploit," Graham said.

The bug does not attack Microsoft clients attempting to gain access to AOL Instant Messaging servers, however, but instead affects AOL clients. When an AOL client logs onto an Instant Messaging server, the client will actually send back too much information, like a buffer overflow exploit, therefore identifying Microsoft Messaging clients that do not do so.

"When an AOL client connects, the AOL server sends back more information than they expect," Graham said. "The buffer that they reserved was 256 bytes. For that buffer, what AOL sends is 256 bytes and then 24 bytes extra ... to overflow it."
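
The overflow Graham describes (a 256-byte buffer handed 256 bytes plus 24 extra) comes down to a missing length check on data supplied by the peer. The C example below is added here for illustration and is not code from AOL, Microsoft or Network ICE; the frame layout (a 2-byte length prefix), `parse_field`, `build_frame` and `struct login_field` are hypothetical and do not reflect the AIM wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_BUF_SIZE 256u   /* client buffer size quoted in the article */
enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_OVERSIZED = -2 };

struct login_field {          /* hypothetical client-side storage */
    uint8_t data[FIELD_BUF_SIZE];
    size_t  len;
};

/* Assumed frame layout for this example (not the AIM wire format):
 * 2-byte big-endian payload length, followed by the payload bytes. */
enum parse_result parse_field(const uint8_t *frame, size_t frame_len,
                              struct login_field *out)
{
    if (frame == NULL || out == NULL || frame_len < 2)
        return PARSE_TRUNCATED;
    size_t declared = ((size_t)frame[0] << 8) | frame[1];
    /* The declared length must fit inside what was actually received. */
    if (declared > frame_len - 2)
        return PARSE_TRUNCATED;
    /* The bound check whose absence allows the overflow described above:
     * never copy more than the destination holds, whatever the peer sends. */
    if (declared > sizeof out->data)
        return PARSE_OVERSIZED;
    memcpy(out->data, frame + 2, declared);
    out->len = declared;
    return PARSE_OK;
}

/* Build a constructed frame with `payload_len` zero bytes of payload.
 * Returns the total frame length, or 0 if it does not fit in `cap`. */
size_t build_frame(uint8_t *buf, size_t cap, size_t payload_len)
{
    if (payload_len > 0xFFFF || cap < payload_len + 2)
        return 0;
    buf[0] = (uint8_t)(payload_len >> 8);
    buf[1] = (uint8_t)(payload_len & 0xFF);
    memset(buf + 2, 0, payload_len);
    return payload_len + 2;
}

int main(void)
{
    uint8_t frame[2 + 256 + 24];   /* 256 bytes plus 24 extra, as quoted */
    struct login_field f;
    size_t n = build_frame(frame, sizeof frame, 256 + 24);
    return parse_field(frame, n, &f) == PARSE_OVERSIZED ? 0 : 1;
}
```
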

An AOL representative would not comment on the specifics of the charge, saying the company did not want to tip its hand as to how it is "blocking Microsoft."

"Our members' security and privacy is our top priority," spokeswoman Tricia Primrose said. "We are actively defending our members and our servers."

Graham said he didn't want to take sides between the two industry giants, but that Network ICE intends to protect its users from the AOL exploit being used surreptitiously by hackers who, Graham said, could pose as the AOL exploit to gain access to systems.

"[Hackers] could interpose themselves between the AOL server and the client and then change the AOL overflow to their own overflow that then breaks into the system," Graham said.

Microsoft would not comment on the issue.

Network ICE's BlackICE intrusion detection application has been updated to allow for the AOL exploit but to monitor for alterations to the original code, which might give away a hacker, according to Graham.

The issue first surfaced after a Microsoft employee, posing as software consultant "Phil Bucking," sent an e-mail detailing the AOL flaw to a software company executive. Microsoft spokesman Tom Pilla said last week that the employee, whom he wouldn't identify, had been reprimanded.

Matthew Nelson is a senior writer for InfoWorld.


