Intruders Could Take AIM at AOL
A security firm has notified AOL that a potentially
critical security hole
exists in its instant messaging software, commonly
referred to as AIM, that would permit an intruder to gain complete control over
a user's system.
Officials from Core Security Technologies said it contacted AOL about the
flaw late last month. While company executives at AOL say the hole has been
closed, Core Security officials counter that the fix doesn't go far enough.
However, one Core Security official said it remains unclear whether anyone has
successfully exploited the hole.
The flaw resides in the most recent beta releases of AIM 6.1 and 6.2. Core
Security has also found the hole in the AIM Pro, intended mainly for business
users, and in AIM Lite. The company said the problem doesn't exist in version
5.9 of AIM nor in AIM 6.5, a product also currently in beta testing.
The security hole arose, according to Core Security, because of the way the
affected versions allow instant messaging users to augment their conversations
with a number of fonts and pictographic "emoticons." The flawed versions
of AIM do this by using Microsoft Corp.'s Internet Explorer program to render
images, they explained.
Core Security contends that the real problem involves AIM enabling full access
to all of Internet Explorer's functions, including the ability to carry out
programming commands and direct them at Web sites. By embedding specific commands
in an IM session, hackers can direct a user's system to do things such as visit
malicious Web sites where even more bad code could be installed.
AOL officials responded by saying the issue has been resolved and that users
should feel "completely safe."
Stealth Updates Continue To Plague Microsoft
Microsoft continues to get itself into trouble with "stealth"
or silent updates. This time, the issue is over a silent update the company
broadly distributed in July and August that's apparently restraining Windows
XP's repair feature from fully carrying out its task.
According to today's
Windows Secrets Newsletter, since the silent download of new support files
for Windows Update, the Windows XP repair function is unable to install the
last 80 patches from Microsoft.
Apparently, the trouble surfaces when users reinstall Windows XP's system files
using the repair capability contained on the XP CD. At this point, the repair
option, which is mostly used when XP becomes unbootable, rolls "many aspects"
of XP back to a pristine state. In the process, it blows away many updates and
patches and kicks Internet Explorer back to the version that originally shipped
with the OS.
Typically, users who repair XP can simply download and install the latest updates,
using either Automatic Updates control panel or going to Microsoft's Windows
Update site. But once you run the repair option from the CD, Automatic Updates
defaults to "on" and the new 7.0.600.381 executables are automatically
downloaded and installed. According to the report, these new executables will
not register themselves with the OS, thereby preventing Windows Update from
working. This then prevents the 80 updates from being installed.
While everyday users rarely attempt a repair install, the flaw figures to be
a constant irritant to a lot of admins who frequently have to repair Windows.
However, the report states that if Windows Update refuses to install patches,
admins can register the missing DLLs by manually entering the necessary commands
at the command prompt.
Microsoft Bulks Up Infrastructure Optimization Plan
Microsoft has put some muscle behind its Infrastructure Optimization initiative,
announcing a new program designed to promote the advantages of a number of core
technologies. The new Business
Productivity Infrastructure Optimization (BPIO), which is associated with
Redmond's People Ready program, is designed to help better position the company's
unified communications, content management and business intelligence products
as a foundation on which the next generation of network infrastructure can be
The program, aimed largely at Microsoft's network of business partners, includes
an assessment tool called the Business Productivity Infrastructure Analyzer.
This tool allows partners to collect important information about a particular
company's infrastructure, including what sorts of servers it has for identity
management or whether it has any sort of automated process for patching server
and desktop software.
Microsoft is scheduled in October to conduct a training event in Chicago that
will provide more details on how the program can benefit business partners.
Microsoft officials said they're hoping to establish a better understanding
with how its business partners operate in the context of BPIO by giving them
the opportunity to be trained side by side.
Have any thoughts on this issue? Take a minute to share them with us by responding
to Doug's Your Turn request here
or e-mailing him at firstname.lastname@example.org.
Ed Scannell is the editor of Redmond magazine.