Hub Firm Takes AOL Software Bugs Public

By Hiawatha Bray, Globe Staff, 5/8/2003

Core Security Technologies of Boston has published detailed information about serious bugs in AOL Time Warner Inc.'s ICQ instant-messaging software that could enable computer vandals to seize control of computers running ICQ, which is used by up to 150 million people worldwide.

Core said its decision to publish the information on its website Monday came after it had tried for over a month to inform AOL of the problem but received no response.

AOL spokesman Derick Mains yesterday said he was unaware of any efforts by Core to alert the company. "I don't know if the right people were ever contacted, but it's something we're looking into," he said.

Mains confirmed there are problems with ICQ but said there were no reports of any attempts to exploit the bugs. "The flaw is located in a feature of the ICQ client that's used by less than 1 percent of our users," Mains said. He said that engineers were working on a fix that should be ready by the end of the week.

For years, computer security experts have debated whether to publicize information that could help software users protect themselves, but could also make it easier for system crackers to do damage. "In general, I would shy away from giving a lot of technical details," said Cambridge-based computer security consultant Richard Smith. "The less you can help out the bad guys, the better."

But others say that publicizing such bugs may be the only way to get them fixed or to alert people to stop using software that can't be trusted. "If the good guys don't go after [security] holes, the bad guys will," said Ejovi Nuwere, a Core security engineer.

Nuwere said Core's security team discovered the vulnerabilities during its "Bug Week" in early March. "Bug Week is an exercise our engineers perform periodically, where we devote resources company-wide to evaluating products we use for possible security bugs," he said.

Among those tested was ICQ, one of the first instant-messaging products. Developed in Israel, ICQ has relatively few users in the United States, where the instant-messaging market is dominated by another AOL product, AOL Instant Messenger. But ICQ is used widely in the rest of the world.

Core found a number of weaknesses in ICQ features that let users send e-mail messages and install new features for the software. An attacker could exploit bugs in these features in a way that would let the attacker issue commands to a remote computer running ICQ -- in effect, giving the attacker control of the machine.

Core says it immediately sent messages to several e-mail addresses at AOL's ICQ unit. Despite sending such messages three times in March and April, company officials say they never received a response. "We have a standard policy, which is we try to give the vendor at least 30 days notice," said Nuwere. "In this case we didn't receive any response from the vendor."

Indeed, Core spokesman Michael Yaffe said that as of yesterday, Core still hadn't heard from ICQ.

So Core published a security advisory that describes in some detail the problems it uncovered. Unlike some other security firms, Core didn't publish "exploit code," examples of software that could be used to take advantage of the bugs. But it did explain the problems in sufficient detail to provide assistance to a would-be attacker. "If someone had the desire to do that, they might be able to use some of the information up there," said Yaffe.

Hiawatha Bray can be reached at bray@globe.com.

Source: Boston.com
http://www.boston.com/business/tech_innovation/news/2003/05/08/aol.htm