BBC NEWS

Thursday, 3 January, 2002, 09:44 GMT
Hole in AOL's messaging program
The internet giant America Online has promised a quick fix to a security hole in its popular instant messaging program that could allow hackers to take control of a victim's computer.

AOL Instant Messenger has over 100 million registered users, but only the Windows version of the software is at risk.

"We have identified the issue and have developed a resolution that should be deployed in the next day or two," said AOL's Andrew Weinstein.

The vulnerability was discovered by the security research team, w00w00, a group founded by a 19-year-old American student.

'Huge implications'

The flaw, called a "buffer overflow" problem, is similar to a vulnerability recently found in Microsoft's Windows XP.

The hole lies in a feature that allows people to invite other Instant Messenger users in their buddy list to play online games such as Quake.

In a statement, w00w00 said "the implications of this vulnerability are huge and leave the door wide open for a worm", a computer virus that can spread by itself, without human intervention.

"You could do just about anything - delete files on the computer or take over the machine," said Matt Conover, founder of w00w00.

He has advised people using Instant Messenger to restrict incoming messages to friends on their buddy lists until the security hole is fixed.

AOL warned

The group said it first discovered the flaw several weeks ago but did not get in touch with AOL until after Christmas.

It said it did not get a reply from AOL to an e-mail sent during the holiday week, so w00w00 decided to release details of the problem to public security mailing lists less than a week later.

AOL said it would have appreciated more warning.

"We'd encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it," said Mr Weinstein.

TruSecure's Russ Cooper
"The problems come from software that has not been properly written in the first place"