AOL fixes major security hole

By D. Ian Hopper

Associated Press

WASHINGTON – As AOL Time Warner engineers opened their presents and spent time with their families, a team of young hackers planned a holiday surprise: a major security hole in one of the company’s flagship programs.

The international group released a program that turns AOL’s Instant Messenger into a key that could unlock many home computers. Now the hackers are being criticized by security experts for not giving AOL sufficient time to react.

The group, founded by a 19-year-old Utah college student, discovered a security hole in AOL’s Instant Messenger program that could have let a hacker take control of a computer. AOL fixed the problem at its central networks today.

“The issue was resolved early this morning and was handled on the server side, so users do not have to download anything or take any other action,” AOL spokesman Andrew Weinstein said. “To our knowledge, no users were affected by this issue prior to its resolution.”

The problem affected the newest as well as many earlier versions of AOL’s Instant Messenger program, which boasts more than 100 million users.

“You could do just about anything: Delete files on the computer or take over the machine,” said Matt Conover, founder of the hackers’ group, “w00w00.”

Conover said w00w00 has more than 30 active members from 14 states and nine foreign countries.

Conover, who attends Utah State University, said the group found the problem several weeks ago but didn’t contact AOL until after Christmas. The group got no response from AOL to an e-mail sent during the holiday week, he said, so w00w00 released details – and a program that takes advantage of it – to public security mailing lists less than a week later.

The program released by w00w00 remotely shut down a user’s Instant Messenger program but could have been modified to do more sinister things.

That practice is under scrutiny by security professionals. While some independent researchers argue for a “full disclosure” policy and say software vendors are trying to hide their mistakes, many companies say users are better protected if companies have time to react.

“I think that’s pretty dangerous,” said Chris Wysopal of the security company AtStake, “especially since they pretty much acknowledged that they hadn’t gotten a response back from AOL yet.”

Russ Cooper, who moderates a popular security mailing list and works for the security firm TruSecure, said Conover’s action was irresponsible because it helped hackers.

“I think it’s better to provide details of the exploit and then let other people write the actual code,” Cooper said. “It lets the technical community have the information they need without letting idiots have the information they want.”

Conover said w00w00 set a New Year’s deadline for sentimental reasons, because it was the anniversary of the group’s last major security release. He defended the disclosure of the attack program because “it means providing all the information we have available to the security community.”

AOL’s Weinstein said the company would have appreciated more warning.

“We’d encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it,” Weinstein said.

Copyright ©2002 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Local News

Customers enter and exit the Costco on Dec. 2, 2022, in Lake Stevens. (Olivia Vanni / The Herald)
Costco stores could be impacted by looming truck driver strike threat

Truck drivers who deliver groceries and produce to Costco warehouses… Continue reading

Two Washington State ferries pass along the route between Mukilteo and Clinton as scuba divers swim near the shore Sunday, Oct. 22, 2023, in Mukilteo, Washington. (Ryan Berry / The Herald)
Ferry system increases ridership by a half million in 2024

Edmonds-Kingston route remains second-busiest route in the system.

The second floor of the Lynnwood Crisis Center on Friday, Feb. 7, 2025 in Lynnwood, Washington. (Olivia Vanni / The Herald)
Funding gap leaves Lynnwood without a crisis center provider

The idea for the Lynnwood crisis center began in 2021 after a 47-year-old died by suicide while in custody at Lynnwood Municipal Jail.

Three seriously injured after head-on collision on Highway 522

The crash between Monroe and Maltby happened around 4:30 p.m. on Monday.

Fernando Espinoza salts the sidewalk along Fifth Avenue South on Thursday, Feb. 6, 2025 in Edmonds, Washington. (Olivia Vanni / The Herald)
Think this is cold, Snohomish County? Wait until Tuesday

Tuesday could bring dangerous wind chill during the day and an overnight low of 19 degrees

Robin Cain with 50 of her marathon medals hanging on a display board she made with her father on Thursday, Jan. 2, 2025 in Lake Stevens, Washington. (Olivia Vanni / The Herald)
Running a marathon is hard. She ran one in every state.

Robin Cain, of Lake Stevens, is one of only a few thousand people to ever achieve the feat.

People line up to grab food at the Everett Recovery Cafe on Wednesday, Dec. 4, 2024 in Everett, Washington. (Olivia Vanni / The Herald)
Coffee, meals and compassion are free at the Everett Recovery Cafe

The free, membership-based day center offers free coffee and meals and more importantly, camaraderie and recovery support.

Devani Padron, left, Daisy Ramos perform during dance class at Mari's Place Monday afternoon in Everett on July 13, 2016. (Kevin Clark / The Herald)
Mari’s Place helps children build confidence and design a better future

The Everett-based nonprofit offers free and low-cost classes in art, music, theater and dance for children ages 5 to 14.

The Everett Wastewater Treatment Plant along the Snohomish River on Thursday, June 16, 2022 in Everett, Washington. (Olivia Vanni / The Herald)
Everett water, sewer rates could jump 43% by 2028

The rate hikes would pay for improvements to the city’s sewer infrastructure.

The bond funded new track and field at Northshore Middle School on Thursday, Oct. 24, 2024 in Bothell, Washington. (Courtesy of Northshore School District)
Northshore School District bond improvements underway

The $425 million bond is funding new track and field complexes, playgrounds and phase one of two school replacements.

The Washington State Department of Licensing office is seen in 2018 in Seattle. (Sue Misao / The Herald)
Drivers licensing offices to close Feb. 14-17

Online services are also not available Feb. 10-17. The Washington State Department of Licensing said the move is necessary to upgrade software.

Pharmacist Nisha Mathew prepares a Pfizer COVID booster shot for a patient at Bartell Drugs on Broadway on Saturday, Oct. 1, 2022, in Everett, Washington. (Ryan Berry / The Herald)
Everett lawmakers back universal health care bill, introduced in Olympia

Proponents say providing health care for all is a “fundamental human right.” Opponents worry about the cost of implementing it.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.