AOL's AIM gets bugged
(IDG) -- Microsoft and an Internet security company say America Online has injected a security flaw into its own instant messaging software that could potentially put AOL's own users at risk.
The self-inflicted bug is the latest development in the instant messaging row between Microsoft and AOL that erupted last month when Microsoft released MSN Messenger Service, which competes with AOL Instant Messenger (AIM).
Robert Graham, chief technical officer of Network ICE, an independent intrusion detection and security company, found that the latest AIM server code deliberately triggers a buffer overflow in AOL's own client, a trick that lets AOL's systems tell genuine AIM clients from Microsoft's and block the latter.
Network ICE develops intrusion detection applications to identify hacking attempts, including buffer overflow attacks.
"We logged into an AOL server using an AOL Messenger and did a capture of the traffic between a server and a client. During the log-in process I found what indeed was a buffer overflow exploit," Graham said.
The bug does not attack Microsoft clients attempting to gain access to AOL Instant Messaging servers, however, but instead affects AOL clients. When an AOL client logs onto an Instant Messaging server, the server sends the client more data than the client's buffer was sized to hold, exactly as a buffer overflow exploit would. The genuine AOL client handles that overflow in the way the server expects; Microsoft's client does not, which is how the server identifies it.
"When an AOL client connects, the AOL server sends back more information than they expect," Graham said. "The buffer that they reserved was 256 bytes. For that buffer, what AOL sends is 256 bytes and then 24 bytes extra ... to overflow it."
An AOL representative would not comment on the specifics of the charge, saying the company did not want to tip its hand as to how it is "blocking Microsoft."
"Our members' security and privacy is our top priority," spokeswoman Tricia Primrose said. "We are actively defending our members and our servers."
Graham said he didn't want to take sides between the two industry giants, but that Network ICE intends to protect its users from AOL's exploit being abused surreptitiously by hackers who, Graham said, could disguise their own attack as AOL's legitimate overflow to gain access to systems.
"[Hackers] could interpose themselves between the AOL server and the client and then change the AOL overflow to their own overflow that then breaks into the system," Graham said.
Microsoft would not comment on the issue.
Network ICE's BlackICE intrusion detection application has been updated to let AOL's own overflow pass while monitoring for any alteration to the original payload, since a changed payload would give away a hacker, according to Graham.
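The detection logic described above, written out as an added example (this is not Network ICE's code, nor AOL's protocol): a server-to-client login message that fits the 256-byte client buffer is ordinary traffic; one that is byte-for-byte identical to the captured, known AOL overflow (256 bytes plus 24 extra) is allowed; anything else that overruns the buffer is flagged, which is what a man-in-the-middle swapping in their own overflow would look like. The payload bytes are constructed for the example, since the article does not reproduce AOL's actual data; the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Sizes quoted in the article: the client reserves 256 bytes and the AOL
 * server sends 256 + 24. The bytes in known_aol_login are constructed for
 * this example and are not the real AOL payload. */
#define CLIENT_BUF    256
#define AOL_EXTRA     24
#define AOL_LOGIN_LEN (CLIENT_BUF + AOL_EXTRA)

enum verdict { V_NORMAL = 0, V_KNOWN_OVERFLOW = 1, V_ALTERED_OVERFLOW = 2 };

/* Stand-in for the captured, known-good AOL login message (constructed). */
static uint8_t known_aol_login[AOL_LOGIN_LEN];
static int known_ready = 0;

static void init_known_payload(void)
{
    if (known_ready)
        return;
    for (size_t i = 0; i < CLIENT_BUF; i++)
        known_aol_login[i] = (uint8_t)('A' + (i % 26));        /* bytes that fit the buffer */
    for (size_t i = 0; i < AOL_EXTRA; i++)
        known_aol_login[CLIENT_BUF + i] = (uint8_t)(0xC0 + i);  /* the 24 overflowing bytes */
    known_ready = 1;
}

/* Copy the known AOL login message into out; returns its length, or 0 if out is too small. */
size_t known_login(uint8_t *out, size_t cap)
{
    init_known_payload();
    if (cap < AOL_LOGIN_LEN)
        return 0;
    memcpy(out, known_aol_login, AOL_LOGIN_LEN);
    return AOL_LOGIN_LEN;
}

/* Model the interposition attack: same length as AOL's message, same first 256
 * bytes, but the attacker's own bytes in the overflowing tail. */
size_t make_altered_copy(uint8_t *out, size_t cap)
{
    size_t n = known_login(out, cap);
    if (n == 0)
        return 0;
    for (size_t i = 0; i < AOL_EXTRA; i++)
        out[CLIENT_BUF + i] ^= 0xFF;
    return n;
}

/* Classify one server-to-client login message as the IDS would. */
enum verdict classify_login(const uint8_t *msg, size_t len)
{
    init_known_payload();
    if (len <= CLIENT_BUF)
        return V_NORMAL;                      /* fits the client's buffer */
    if (len == AOL_LOGIN_LEN && memcmp(msg, known_aol_login, AOL_LOGIN_LEN) == 0)
        return V_KNOWN_OVERFLOW;              /* AOL's own overflow: allowed */
    return V_ALTERED_OVERFLOW;                /* overflow, but not AOL's bytes: alert */
}

static const char *verdict_name(enum verdict v)
{
    switch (v) {
    case V_NORMAL:           return "normal";
    case V_KNOWN_OVERFLOW:   return "known AOL overflow, allowed";
    default:                 return "ALERT: altered overflow";
    }
}

int main(void)
{
    uint8_t msg[AOL_LOGIN_LEN];
    size_t n = known_login(msg, sizeof msg);
    printf("genuine AOL login (%zu bytes): %s\n", n, verdict_name(classify_login(msg, n)));
    printf("short login (200 bytes):       %s\n", verdict_name(classify_login(msg, 200)));
    n = make_altered_copy(msg, sizeof msg);
    printf("altered login (%zu bytes):     %s\n", n, verdict_name(classify_login(msg, n)));
    return 0;
}
```

The whole-message comparison is what makes the allow rule safe: matching only on length, or only on the 24-byte tail, would let an attacker reuse AOL's length while changing the bytes that land past the buffer.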
The issue first surfaced after a Microsoft employee, posing as software consultant "Phil Bucking," sent an e-mail detailing the AOL flaw to a software company executive. Microsoft spokesman Tom Pilla said last week that the employee, whom he wouldn't identify, had been reprimanded.
Matthew Nelson is a senior writer for InfoWorld.
© 2001 Cable News Network. All Rights Reserved.|