Intruders Could Take AIM at AOL

A security firm has notified AOL that a potentially critical security hole exists in its instant messaging software, commonly referred to as AIM, that would permit an intruder to gain complete control over a user's system.

Officials from Core Security Technologies said the company contacted AOL about the flaw late last month. While company executives at AOL say the hole has been closed, Core Security officials counter that the fix doesn't go far enough. However, one Core Security official said it remains unclear whether anyone has successfully exploited the hole.

The flaw resides in the most recent beta releases of AIM 6.1 and 6.2. Core Security has also found the hole in AIM Pro, intended mainly for business users, and in AIM Lite. The company said the problem doesn't exist in version 5.9 of AIM nor in AIM 6.5, a product also currently in beta testing.

The security hole arose, according to Core Security, because of the way the affected versions allow instant messaging users to augment their conversations with a number of fonts and pictographic "emoticons." The flawed versions of AIM do this by using Microsoft Corp.'s Internet Explorer program to render images, they explained.

Core Security contends that the real problem involves AIM enabling full access to all of Internet Explorer's functions, including the ability to carry out programming commands and direct them at Web sites. By embedding specific commands in an IM session, hackers can direct a user's system to do things such as visit malicious Web sites where even more bad code could be installed.

AOL officials responded by saying the issue has been resolved and that users should feel "completely safe."

Stealth Updates Continue To Plague Microsoft

Microsoft continues to get itself into trouble with "stealth" or silent updates. This time, the issue is over a silent update the company broadly distributed in July and August that's apparently restraining Windows XP's repair feature from fully carrying out its task.

According to today's Windows Secrets Newsletter, since the silent download of new support files for Windows Update, the Windows XP repair function is unable to install the last 80 patches from Microsoft.

Apparently, the trouble surfaces when users reinstall Windows XP's system files using the repair capability contained on the XP CD. At this point, the repair option, which is mostly used when XP becomes unbootable, rolls "many aspects" of XP back to a pristine state. In the process, it blows away many updates and patches and kicks Internet Explorer back to the version that originally shipped with the OS.

Typically, users who repair XP can simply download and install the latest updates, using either the Automatic Updates control panel or Microsoft's Windows Update site. But once you run the repair option from the CD, Automatic Updates defaults to "on" and the new 7.0.600.381 executables are automatically downloaded and installed. According to the report, these new executables will not register themselves with the OS, thereby preventing Windows Update from working. This in turn prevents the 80 updates from being installed.

While everyday users rarely attempt a repair install, the flaw figures to be a constant irritant to a lot of admins who frequently have to repair Windows. However, the report states that if Windows Update refuses to install patches, admins can register the missing DLLs by manually entering the necessary commands at the command prompt.
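The manual re-registration the report refers to, written up here as an added PowerShell example rather than anything from the article or the newsletter: it reports the file version of each Windows Update Agent DLL and re-registers it with regsvr32 so that Windows Update can find its COM components again. The list of DLL names is an assumption about which files make up the agent, and running it requires an administrative prompt on the repaired machine.

```powershell
# Added example: re-register the Windows Update Agent DLLs after an XP
# repair install. The DLL names below are an assumption about which files
# make up the agent; check the installed set before relying on the list.
$wuDlls = @('wuapi.dll', 'wuaueng.dll', 'wucltui.dll', 'wups.dll', 'wups2.dll', 'wuweb.dll')
$sysDir = Join-Path $env:SystemRoot 'System32'

foreach ($name in $wuDlls) {
    $path = Join-Path $sysDir $name
    if (-not (Test-Path $path)) {
        Write-Warning "$name not found in $sysDir; skipping"
        continue
    }

    # Build the version from the numeric parts; the FileVersion string on
    # these binaries carries a trailing build tag that [version] cannot parse.
    $vi = (Get-Item $path).VersionInfo
    $ver = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    Write-Host ("{0,-14} version {1}" -f $name, $ver)

    # regsvr32 /s registers silently and returns a non-zero exit code on
    # failure, so check it rather than assuming the call succeeded.
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList "/s `"$path`"" -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        Write-Warning "regsvr32 failed for $name (exit code $($proc.ExitCode))"
    } else {
        Write-Host "  registered $name"
    }
}
```

After the loop finishes, re-run Automatic Updates or visit the Windows Update site to confirm the missing patches are offered again.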

Microsoft Bulks Up Infrastructure Optimization Plan
Microsoft has put some muscle behind its Infrastructure Optimization initiative, announcing a new program designed to promote the advantages of a number of core technologies. The new Business Productivity Infrastructure Optimization (BPIO), which is associated with Redmond's People Ready program, is designed to help better position the company's unified communications, content management and business intelligence products as a foundation on which the next generation of network infrastructure can be built.

The program, aimed largely at Microsoft's network of business partners, includes an assessment tool called the Business Productivity Infrastructure Analyzer. This tool allows partners to collect important information about a particular company's infrastructure, including what sorts of servers it has for identity management or whether it has any sort of automated process for patching server and desktop software.

Microsoft is scheduled in October to conduct a training event in Chicago that will provide more details on how the program can benefit business partners. Microsoft officials said they're hoping to establish a better understanding of how its business partners operate in the context of BPIO by giving them the opportunity to be trained side by side.

Have any thoughts on this issue? Take a minute to share them with us by responding to Doug's Your Turn request here or e-mailing him at [email protected].

About the Author

Ed Scannell is the editor of Redmond magazine.
