Subject: Administrivia & AOL IM Advisory
From: Elias Levy (aleph1@SECURITYFOCUS.COM)
Date: Tue Dec 12 2000 - 19:22:14 CST
At least another author of security bulletins decided to go a similar
route as Microsoft did with their email security notices. Last week
Stake, the company that acquired the L0pht, posted to the list
a security notice that consisted of a title, affected products,
a link to their web advisory and little more. At the time I refused
to approve the message.
In what they view as a compromise they decided to change their email
notices to include more information. Below you can find the message
Stake sent regarding vulnerabilities in AOL's Instant Messenger.
The difference between it and the version on their web site is that
the email version lacks the Detailed Description and Solutions section
of the advisory. Please review the attached advisory and the web
After some discussion I still don't understand the reasoning behind
the change. I am told it is because they wish to maintain control
over the information they publish.
From my point of view such change does not benefit the BUGTRAQ
subscribers. I understand some folks may wish to receive a
short summary of the vulnerability with a link where to find
more information, but historically in BUGTRAQ we like people to
publish as much information and as detailed information as possible.
BUGTRAQ is more than just an announcement mailing list, it's a
discussion list (even if some of that has been cut down in recent
years). Putting aside the arguments that some people may be able
to get email but not access the web and the fact that it's a nuisance
to have to open your browser instead of reading the information in
the message you have in front of you, this change breaks the continuity
of discussion in the list.
Such change means that after you read the web version of the advisory
to obtain the technical details if you want to comment on it you
must now copy and paste the relevant part of the advisory into a
new message instead of simply hitting the 'reply' key.
Imagine if all advisory publishers decided to make this change.
I fear such change would create friction that would diminish
valuable discussion on the list and erode the BUGTRAQ community.
The folks at Stake and L0pht have done a lot for the security
community. Maybe my fears are unfounded and I am making of this
more than it really is.
With this in mind I'd like to ask you, the list subscribers, for
your opinion. Is the new format proposed by Stake, which includes
a summary and vendor response section and a link to their web site
for further information but not a detailed explanation and
solutions section, sufficient and I should approve such messages?
Please reply to me and not to the mailing list. Please respond whether
you feel one way or the other.
-----BEGIN PGP SIGNED MESSAGE-----
Security Advisory Notification
Advisory Name: Multiple Vulnerabilities in AOL Instant Messenger
Release Date: 12/12/2000
Application: AOL Instant Messenger versions prior to
Platform: Windows 2K (9x, NT likely, Others unknown)
Severity: There are several buffer overflows that can
result in execution of arbitrary code.
Authors: Dildog [dildogatstake.com]
Dave Aitel [daitelatstake.com]
Patrick Upatham [pupathamatstake.com]
Vendor Status: vendor has fixed version available
AOL Instant Messenger (AIM) is a popular messaging client for Windows,
with over 64 million users according to
'http://www.aol.com/aim/home.html'. AIM ships by default with current
versions of the Netscape Communicator web browser, as well as a standalone
There exist application weaknesses that allow these machines with AIM
installed to be remotely taken over by external attackers. It is important
to note that you do not need to be running AIM but merely have it installed
to be vulnerable. We include URLs in our detailed description that you
can use to check if you are vulnerable.
Scenarios such as receiving malicious HTML e-mail or visiting a malicious
web site have been shown in our labs to enable the execution of arbitrary
code on a vulnerable target machine.
This potentially places environments using the AOL Instant Messenger at
grave risk. As these vulnerabilities are a result of client-initiated
communications, most corporate firewall configurations do not guard these
environments from attack.
Should a vendor patch not be available or not function to the needs of
your particular environment, we offer several alternative measures in this
advisory to help mitigate portions of this risk.
We initially contacted AOL on 11/22/2000 regarding this issue. They have a
fixed version, 4.3.2229, dated 12/6/2000 available now. We appreciate
their timely response. Here is their reply:
Thank you for your report concerning AOL Instant Messenger. We were
aware of the situation you described and are already QA'ing a refresh
client that resolves the issue. The refresh version of the AOL Instant
Messenger is expected to be posted within the week and will be available
for download at
We appreciate your efforts to inform us of your findings.
** The advisory contains additional information not included in this
** advisory notification. The advisory contains the detailed description
** and solutions to the vulnerability.
** All vulnerability database maintainers should reference the above
** advisory reference URL to refer to this advisory.
Copyright 2000 stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
-----END PGP SIGNATURE-----
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum