RE: AIM Backdoor?

From: Christian Piper (Christian@designdesires.co.uk)
Date: 04/09/02


From: "Christian Piper" <Christian@designdesires.co.uk>
To: <incidents@securityfocus.com>
Date: Tue, 9 Apr 2002 22:19:14 +0100

Just to confirm I replyed to Mike about this here is what I sent him.

-------------------------------------------------------------------
Sorry my mistake, I should have posted some relvant links, I also think its
a high security risk.

http://www.informationweek.com/story/IWK20010927S0021

Heres a snippit from the site mentioned ...

"
AOL/Netscape Undermines Your Browser Security Settings
AOL/Netscape's abuse of browser security settings first came to my attention
when reader Michael G. Baker, Jr. sent this alarming E-mail:

  "When a user downloads or updates AIM, free.aol.com is added to the users'
IE Trusted Sites Zone. This also happens if you download Netscape6.x with
integrated AIM. It is one thing for them to put that free.aol.com link
everywhere when you download N6, even in IE's bookmarks, but quite another
thing to mess with security settings. Although mostly harmless, it is the
principle. I don't think this is right. If this was Microsoft messing with a
Netscape security setting, all hell would break loose."
It's true. Without so much as a by-your-leave, AOL software inserts
"free.aol.com" into your IE browser's "Trusted Zone." Talk about an
aggressive installation routine!

The IE Trusted Zone's security permissions are intentionally relaxed.
Scripts and ActiveX components can run (some with no prompting); downloads
are enabled; Java safety is low; cross-domain data-sourcing is allowed;
there's no alert when a site's security certificate is missing or revoked;
and so on. Normally, that's OK, because the only sites in the Trusted Zone
are those you put there yourself, after you decide that a site is entirely
above-board. (Even so, many security-conscious users put no sites in the
Trusted Zone, leaving nothing to chance or goodwill, and instead enforcing
at least the "Internet Zone" restrictions on all Web sites.)

By automatically placing its own site in the Trusted Zone, AOL creates a
double security threat. If you (or your users) download and install Netscape

6.x, AIM, or any product with integrated AIM, not only do you have to cope
with the inherent problems of an IM client itself, but you'll also have AOL
set up as trusted site. That can bypass the browser security settings you've
established for normal Internet connections.

To me, this is clearly a very wrong thing to do. No site, from any vendor,
should set itself up to bypass your normal browser security settings.
(Microsoft's browser should not allow such changes to be made covertly--but
IE's problems are a whole other issue.) Free.aol.com may be relatively
harmless, but there's nothing to prevent a malicious site from trying to set
itself up as either a trusted site on its own, or as a spoofed, malicious
version of free.aol.com."

Hope this helps.
Christian Piper

-------------------------------------------------------------

Thank You
Christian Piper

----- Original Message -----
From: "Ralph Los" <RLos@enteredge.com>
To: <miked@rootdown.net>; <incidents@securityfocus.com>
Sent: Tuesday, April 09, 2002 5:33 PM
Subject: RE: AIM Backdoor?

> Yessir, I just double-checked my newly installed WinXP Pro machine, and
low
> and behold - there's free.aol.com. I quickly removed it, duh, thanks for
> the heads-up! I wonder how many of us will do this in the next 10 mintes?
>
> Happy Tuesday all,
>
> ----------------------------------------|
> Ralph M. Los
> Sr. Security Engineer and Trainer
> EnterEdge Technology, L.L.C.
> rlos@enteredge.com
> (770) 955-9899 x.206
> ----------------------------------------|
>
> ::-----Original Message-----
> ::From: miked@rootdown.net [mailto:miked@rootdown.net]
> ::Sent: Monday, April 08, 2002 10:19 PM
> ::To: incidents@securityfocus.com
> ::Subject: AIM Backdoor?
> ::
> ::
> ::
> ::Repost attempt, dunno why it didnt go through the first time.
> ::
> ::
> ::
> ::I have had AIM installed here at work for a while. While
> ::trying to repair the security zone settings on a users PC by
> ::comparing them to my own, I noticed that free.aol.com had
> ::been added to Internet Explorers "Trusted Sites" zone.
> ::
> ::If a simple minded user clicks one of the many "Free AOL and
> ::Unlimited Internet" icons on their system, or one of the
> ::5,800 links to this domain that google turns up, AOL can run
> ::the code of their choice without prompting.
> ::
> ::Anyone care to verify my findings or find a CSS vulnerability
> ::on free.aol.com? Does an employee of AOL care to comment?
> ::
> :: -Mike
> ::
> ::
> ::--------------------------------------------------------------
> ::--------------
> ::This list is provided by the SecurityFocus ARIS analyzer
> ::service. For more information on this free incident handling,
> ::management
> ::and tracking system please see: http://aris.securityfocus.com
> ::
> ::
>
>
> --------------------------------------------------------------------------

--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com