August 20, 1999 Web posted at: 3:53 p.m. EDT (1953 GMT) by Matthew Nelson

From...

ALSO    Tribal Voice claims MSN Messenger compatibility    Sign up for the Computer Connection email service    For more computing stories  MESSAGE BOARDS:    Instant messaging wars    Microsoft

(IDG) -- Microsoft and an Internet security company say America Online has injected a security flaw into its own instant messaging software that could potentially put AOL's own users at risk.

The self-inflicted bug is the latest development in the instant messaging row between Microsoft and AOL that erupted last month when Microsoft released MSN Messenger Service, which competes with AOL Instant Messenger (AIM).

Robert Graham, chief technical officer of Network ICE, an independent intrusion detection and security company, uncovered a buffer overflow bug within the latest coding of AIM servers that would enable the systems to identify and block Microsoft users.

Network ICE develops intrusion detection applications to identify hacking attempts, including buffer overflow attacks.

"We logged into an AOL server using an AOL Messenger and did a capture of the traffic between a server and a client. During the log-in process I found what indeed was a buffer overflow exploit," Graham said.

The bug does not attack Microsoft clients attempting to gain access to AOL Instant Messaging servers, however, but instead affects AOL clients. When an AOL client logs onto an Instant Messaging server, the client will actually send back too much information, like a buffer overflow exploit, therefore identifying Microsoft Messaging clients that do not do so.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
InfoWorld home page
InfoWorld forums home page
InfoWorld Internet commerce section
Get Media Grok and The Industry Standard Intelligencer delivered for free
Reviews & in-depth info at IDG.net
IDG.net's personal news page
Year 2000 World
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for IT leaders
Search IDG.net in 12 languages
News Radio
	Fusion audio primers
	Computerworld Minute

"When an AOL client connects, the AOL server sends back more information than they expect," Graham said. "The buffer that they reserved was 256 bytes. For that buffer, what AOL sends is 256 bytes and then 24 bytes extra ... to overflow it."

An AOL representative would not comment on the specifics of the charge, saying the company did not want to tip its hand as to how it is "blocking Microsoft."

"Our members' security and privacy is our top priority," spokeswoman Tricia Primrose said. We are actively defending our members and our servers."

Graham said he didn't want to take sides between the two industry giants, but that it intends to protect its users from the AOL exploit being used surreptitiously by hackers who, Graham said, could pose as the AOL exploit to gain access to systems.

"[Hackers] could interpose themselves between the AOL server and the client and then change the AOL overflow to their own overflow that then breaks into the system," Graham said.

Microsoft would not comment on the issue.

Network ICE's BlackICE intrusion detection application has been updated to allow for the AOL exploit but to monitor for alterations to the original code, which might give away a hacker, according to Graham.

The issue first surfaced after a Microsoft employee, posing as software consultant "Phil Bucking," sent an e-mail detailing the AOL flaw to a software company executive. Microsoft spokesman Tom Pilla said last week that the employee, whom he wouldn't identify, had been reprimanded.

Matthew Nelson is a senior writer for InfoWorld.