Bugtraq mailing list archives
AOL Instant Messanger Bug
From: aleph1 () DFW NET (Aleph One)
Date: Tue, 24 Feb 1998 15:02:32 -0600
http://www.news.com/News/Item/0,4,19409,00.html?latest Student finds AOL bug By Janet Kornblum Staff Writer, CNET NEWS.COM February 24, 1998, 4:35 a.m. PT A 14-year-old high school student from Tampa, Florida has discovered a bug in America Online's (AOL) Instant Messenger (IM) system that could be used to surreptitiously send malicious computer code to Internet users of the IM system. AOL confirmed that there was a problem and is working on a solution, AOL spokeswoman Wendy Goldberg said. Although it is unclear if anyone has actually ever used the program to cause harm, like most bugs, the problem is that they could if they wanted to do so, said Stephen Hemingway, the high school freshman who discovered the bug. "I don't think anyone's used it yet but somebody could stumble across it very easily," he said. Hemingway said he was studying the IM program when he came across some interesting code: It looked strikingly similar to an Internet Explorer buffer overflow bug that he had read about earlier. That's when he realized that sophisticated users on AOL could use the IM client to send bugs or other code, including very small viruses, to unsuspecting Netizens. So Hemingway used the program to send himself some code that would jam his computer. It worked. Bill Mattocks, proprietor of Computer Solutions a small ISP in Kenosha, Wisconsin, also tested out the bug for NEWS.COM.. Mattocks inserted random code into the program where Hemingway had indicated it could be done and sent it to his IM account on the Internet from his AOL account. The program, he said, "immediately generated an internal error and crashed. Windows 95 itself became unstable minutes later and the entire machine crashed, as well." Hemingway also said he was able to make his computer crash. Theoretically, the program could be used to send a small virus--less than 1,000 bytes large, Hemingway said. "I actually tried to infect myself with a virus to see if it was possible but I was unable to find a virus small enough," he said. "I didn't particularly like the idea of giving myself a virus anyway." While it is well known that malicious users on AOL, some of whom refer to themselves as hackers and many of whom are teenagers, like to try to jam up other users also using the system, their exploits have largely been confined to the AOL proprietary system. And while AOL, which has 11 million members, is often the center of criticism, public reports of software bugs, fairly commonplace for other software developers, are actually fairly unusual for the online giant. Most of AOL's software, however, is aimed at its own users on its proprietary system.
Current thread:
- /usr/dt/bin/dtappgather exploit Mastoras (Feb 23)
- Re: /usr/dt/bin/dtappgather exploit J.A. Gutierrez (Feb 24)
- AOL Instant Messanger Bug Aleph One (Feb 24)
- Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files kevingeo () CRUZIO COM (Feb 25)
- Re: Quake 2 Linux 3.13 (and lower) allow users to read arbitrary William T Wilson (Feb 25)
- Quake 2 Linux 3.13 - ref_root.so still works kevingeo () CRUZIO COM (Feb 25)
- <Possible follow-ups>
- Re: /usr/dt/bin/dtappgather exploit Steven Goldberg - SE - Seattle WA (Feb 25)
- Re: /usr/dt/bin/dtappgather exploit J.A. Gutierrez (Feb 25)