The glitch's latest incarnation could have been just as dangerous as the previous version, publicized in January, opening the way for malicious AIM users to execute any program on a vulnerable user's computer, said Matt Conover, a hacker with a security research group known as "w00w00."

"This is almost identical to the problem we found originally, and that's saddening," he said. "By using a slightly different method, we are able to get around the filtering they used to protect against the last flaw."

Last time, the error occurred in how the "add game" command handled a request from another user. This time, it occurs when a malicious AIM user sends an overly long "add external application" command to another user. Known as a buffer overflow, the error allows an attacker to execute a program on the victim's computer.

After being notified by w00w00, AOL Time Warner fixed the problem by again applying a filter to its instant messaging servers, said Conover. Because the fix can be done to AOL's own machines, the protection is immediate, he added.

Attempts to confirm the fix Sunday with an AOL Time Warner representative were unsuccessful.

Though Conover said AOL responded quickly to the flaw this time, the group still had to use private contacts formed during the last security incident; AOL Time Warner still does not publish a central security contact for its software.

"There is still no way to publicly contact them, which means that they haven't learned anything from the last incident," he said.

Moreover, while AOL Time Warner's fix prevents the current hole from being used to attack another user or to spread worms or viruses through instant message chats, Conover worries that an online vandal may find another method that could also elude AOL's fix.

"I definitely don't think they did enough to secure the IM client," he said. "They responded quickly to this instance of the flaw, but if they stop there, I think they are being lazy."

Because AOL Time Warner fixed only a specific instance of the flaw rather than the network security problems that lead to the vulnerability, the company could see a third strike against its instant messaging client, he said.

"All the code that requests one user to add something from another user needs to be looked at," he said.

The statement echoes another that the w00w00 security team made in its January 1 advisory for the original flaw. "This may be more generic and exploitable through other means, but AOL has not released enough information about their protocol for us to be able to determine that," the group warned.

Conover said that until AOL takes its security to heart, he believes instant messenger users should think about moving to a new software provider.

"We recommend that people use an IM provider that has a means to deal with security issues, because--right now--AOL doesn't," he said.

Related Quotes

Quotes delayed 20+ minutes

	AOL TIME WARNER INC	AOL	18.36	1.10

Quote Lookup:   Symbol Lookup

Related News
• Shades of gray at security conference May 2, 2002
• Back doors in AIM security tool irk pros January 9, 2002
• AOL plugs AIM security hole January 3, 2002
• Viruses wiggle into IM chats August 14, 2001
• Get this story's "Big Picture"

Reader Resources
• Test your PC for security holes

Also from CNET Networks
• Don’t break the bank with these $200 and under gifts for grads
• Pocket sized multimedia machines ---music, movies and games in 4 powerful PDAs
• Minolta Dimage S404: High end for experts yet easy enough for everyday family use
• Software Advisor: Scans your systems and lets you know how and what needs upgrading
• Gamers: New GameSpot Complete is here. Try it now