AOL fixes major security hole

By D. Ian Hopper

Associated Press

WASHINGTON – As AOL Time Warner engineers opened their presents and spent time with their families, a team of young hackers planned a holiday surprise: a major security hole in one of the company’s flagship programs.

The international group released a program that turns AOL’s Instant Messenger into a key that could unlock many home computers. Now the hackers are being criticized by security experts for not giving AOL sufficient time to react.

The group, founded by a 19-year-old Utah college student, discovered a security hole in AOL’s Instant Messenger program that could have let a hacker take control of a computer. AOL fixed the problem at its central networks today.

“The issue was resolved early this morning and was handled on the server side, so users do not have to download anything or take any other action,” AOL spokesman Andrew Weinstein said. “To our knowledge, no users were affected by this issue prior to its resolution.”

The problem affected the newest as well as many earlier versions of AOL’s Instant Messenger program, which boasts more than 100 million users.

“You could do just about anything: Delete files on the computer or take over the machine,” said Matt Conover, founder of the hackers’ group, “w00w00.”

Conover said w00w00 has more than 30 active members from 14 states and nine foreign countries.

Conover, who attends Utah State University, said the group found the problem several weeks ago but didn’t contact AOL until after Christmas. The group got no response from AOL to an e-mail sent during the holiday week, he said, so w00w00 released details – and a program that takes advantage of it – to public security mailing lists less than a week later.

The program released by w00w00 remotely shut down a user’s Instant Messenger program but could have been modified to do more sinister things.

That practice is under scrutiny by security professionals. While some independent researchers argue for a “full disclosure” policy and say software vendors are trying to hide their mistakes, many companies say users are better protected if companies have time to react.

“I think that’s pretty dangerous,” said Chris Wysopal of the security company AtStake, “especially since they pretty much acknowledged that they hadn’t gotten a response back from AOL yet.”

Russ Cooper, who moderates a popular security mailing list and works for the security firm TruSecure, said Conover’s action was irresponsible because it helped hackers.

“I think it’s better to provide details of the exploit and then let other people write the actual code,” Cooper said. “It lets the technical community have the information they need without letting idiots have the information they want.”

Conover said w00w00 set a New Year’s deadline for sentimental reasons, because it was the anniversary of the group’s last major security release. He defended the disclosure of the attack program because “it means providing all the information we have available to the security community.”

AOL’s Weinstein said the company would have appreciated more warning.

“We’d encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it,” Weinstein said.

Copyright ©2002 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
