Administrivia & AOL IM Advisory

2000-12-13T00:00:00
ID SECURITYVULNS:DOC:1055
Type securityvulns
Reporter Securityvulns
Modified 2000-12-13T00:00:00

Description

At least one other author of security bulletins decided to go a similar route as Microsoft did with their email security notices. Last week @Stake, the company that acquired the L0pht, posted to the list a security notice that consisted of a title, affected products, a link to their web advisory and little more. At the time I refused to approve the message.

In what they view as a compromise they decided to change their email notices to include more information. Below you can find the message @Stake sent regarding vulnerabilities in AOL's Instant Messenger. The difference between it and the version on their web site is that the email version lacks the Detailed Description and Solutions section of the advisory. Please review the attached advisory and the web version.

After some discussion I still don't understand the reasoning behind the change. I am told it is because they wish to maintain control over the information they publish.

From my point of view such a change does not benefit the BUGTRAQ subscribers. I understand some folks may wish to receive a short summary of the vulnerability with a link to where to find more information, but historically in BUGTRAQ we like people to publish as much information, and as detailed information, as possible.

BUGTRAQ is more than just an announcement mailing list, it's a discussion list (even if some of that has been cut down in recent years). Putting aside the arguments that some people may be able to get email but not access the web, and the fact that it's a nuisance to have to open your browser instead of reading the information in the message you have in front of you, this change breaks the continuity of discussion in the list.

Such a change means that after you read the web version of the advisory to obtain the technical details, if you want to comment on it you must now copy and paste the relevant part of the advisory into a new message instead of simply hitting the 'reply' key.

Imagine if all advisory publishers decided to make this change. I fear such a change would create friction that would diminish valuable discussion on the list and erode the BUGTRAQ community.

The folks at @Stake and L0pht have done a lot for the security community. Maybe my fears are unfounded and I am making more of this than it really is.

With this in mind I'd like to ask you, the list subscribers, for your opinion. Is the new format proposed by @Stake, which includes a summary and vendor response section and a link to their web site for further information but not a detailed explanation and solutions section, sufficient and I should approve such messages? Yes/No?

Please reply to me and not to the mailing list. Please respond whether you feel one way or the other.

Their advisory:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        @stake Inc.
                      www.atstake.com

               Security Advisory Notification

Advisory Name: Multiple Vulnerabilities in AOL Instant Messenger
Release Date: 12/12/2000
Application: AOL Instant Messenger versions prior to 4.3.2229
Platform: Windows 2K (9x, NT likely, Others unknown)
Severity: There are several buffer overflows that can result in execution of arbitrary code.
Authors: Dildog [dildog@atstake.com]
         Dave Aitel [daitel@atstake.com]
         Patrick Upatham [pupatham@atstake.com]
Vendor Status: vendor has fixed version available
Reference: www.atstake.com/research/advisories/2000/a121200-1.txt

Overview:

AOL Instant Messenger (AIM) is a popular messaging client for Windows, with over 64 million users according to 'http://www.aol.com/aim/home.html'. AIM ships by default with current versions of the Netscape Communicator web browser, as well as a standalone download.

There exist application weaknesses that allow machines with AIM installed to be remotely taken over by external attackers. It is important to note that you do not need to be running AIM but merely have it installed to be vulnerable. We include URLs in our detailed description that you can use to check if you are vulnerable.

Scenarios such as receiving malicious HTML e-mail or visiting a malicious web site have been shown in our labs to enable the execution of arbitrary code on a vulnerable target machine.

This potentially places environments using the AOL Instant Messenger at grave risk. As these vulnerabilities are a result of client-initiated communications, most corporate firewall configurations do not guard these environments from attack.

Should a vendor patch not be available or not function to the needs of your particular environment, we offer several alternative measures in this advisory to help mitigate portions of this risk.

Vendor Response:

We initially contacted AOL on 11/22/2000 regarding this issue. They have a fixed version, 4.3.2229, dated 12/6/2000 available now. We appreciate their timely response. Here is their reply:

Thank you for your report concerning AOL Instant Messenger. We were aware of the situation you described and are already QA'ing a refresh client that resolves the issue. The refresh version of the AOL Instant Messenger is expected to be posted within the week and will be available for download at

http://www.aol.com/aim/home.html.

We appreciate your efforts to inform us of your findings.

Advisory Reference:

http://www.atstake.com/research/advisories/2000/a121200-1.txt

The advisory contains additional information not included in this advisory notification. The advisory contains the detailed description and solutions to the vulnerability. All vulnerability database maintainers should reference the above advisory reference URL to refer to this advisory.

For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOjZcplESXwDtLdMhEQIQ+QCfV86iwKyyqcElaLFz2IzVshUmyn0An3mf
qwqnoEmehV1G488lH0j6YyoG
=UQKb
-----END PGP SIGNATURE-----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum