W00w00's Suggested AIM Fix Is No Fix

Security group w00w00 last week suggested a possible fix for an AOL instant-messenger vulnerability. Now the group says the "fix" is a security threat.

InformationWeek Staff, Contributor

January 9, 2002


Even security experts can get bamboozled when it comes to application security. Last week security group w00w00 published an advisory warning the 100 million users of America Online Inc.'s Instant Messenger (AIM) of a serious vulnerability that left their systems open to attack. The group suggested users run Robbie Saunders' AIM Filter as a possible temporary fix until AOL plugged the security hole.

Now, w00w00 is saying Saunders' software is a security threat in and of itself.

In an E-mail Tuesday to the security mailing list Bugtraq, w00w00 member Jordan Ritter pointed to the holes in Saunders' software, and said w00w00 became aware of the problem Jan. 5 when the source code to the AIM filter application became public. In his E-mail, Ritter claims Saunders' application "produces cash-paid click-throughs over time intervals and contains backdoor code," as well as the ability to divulge system information and launch several Web browsers to porn sites.

Ritter says w00w00 cleaned the AIM Filter code and published a modified version, though users may not find it necessary as AOL fixed the AIM buffer overflow vulnerability last Thursday. The fix means users don't have to install any patches, AOL says.

"We apologize to the security community at large for this mistake. However, we think this is a very apt example of why closed-source programs can be deadly. You never know for sure what lurks under the hood of a binary executable," wrote Ritter. According to Ritter, if users have downloaded Saunders' filter, they only need to delete the application to rid their systems of the threat.

On his Web site, Saunders defended his version of the filter, saying it retrieves the victim's IP address "in case I should feel like reporting you to your ISP," it opens five embarrassing Web sites "in case you mess with my friends," and it uses a cash-paid click-through when the filter is opened "because I need the money."
