This vulnerability was created by bad people sending malicious "Game Requests" through AOL's server. To fix it, AOL added a filter to the server so that bad Game Requests won't be passed along to a client.
AOL took the easy way out. They didn't fix the client, they fixed the problem on the server side. The vulnerability still exists in the client, it's just VERY hard to exploit it. The client will probably have this fix built into it sometime in the future.

Hope this makes sense.

Ryan McGarry
University of South Dakota

-----Original Message-----
From: Dan Trainor [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 04, 2002 3:34 PM
To: [EMAIL PROTECTED]
Subject: RE: another little IM problem...

Does this alarm anyone else?

How will AOL fix this problem without making users download any patches / fixes? Are they going to install it themselves? If so, if they can fix this problem by installing a fix on to your machine, what's stopping a malicious user from installing something else on your machine?

If I am misunderstanding how this latest vulnerability works, I do apologize for this "junk" mail. :)

-dt

-----Original Message-----
From: Meritt James [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 03, 2002 7:43 AM
To: [EMAIL PROTECTED]
Subject: another little IM problem...

"WASHINGTON, Jan. 2 - A security hole in AOL Time Warner's Instant Messenger program used by millions of people worldwide can let a hacker take full control of a victim's computer, according to security researchers and the company. An AOL spokesman said the problem will be fixed soon, and users won't have to download anything."

Full article at http://www.msnbc.com/news/680950.asp

A bit more techie at http://www.w00w00.org/advisories/aim.html

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566