In January 2002, a hole was discovered in the AOL Instant Messaging client. After many attempts to contact AOL about the hole, w00w00 (the group who discovered the hole) eventually managed to contact the relevant people within AOL and the hole was fixed by AOL placing filters on its Instant Messaging servers.
Now another researcher, John Hennessey, on finding a variation of the original vulnerability discovered in January, tried to use the normal AOL channels to report the security hole, but came up empty. So he turned to w00w00, who used the contacts gained in their first encounter with AOL to pass on this new variation, which is now being filtered on AOL's Instant Messaging servers.
In an advisory posted today, w00w00 say that they are sad that this new researcher had to resort to contacting w00w00. They say that they are indeed disappointed and once again call on vendors to make it easier to report vulnerabilities and holes discovered in their software, if they are to protect their customers from malicious users.
Matt Conover, a member of w00w00 and a student at Utah State University in Logan, Utah, says that while AOL Time Warner's fix prevents the current hole from being used to attack another user or to spread worms or viruses through instant message chats, he worries that an online vandal may find another method that could also elude AOL's fix.
w00w00 advise users with this simple message: At least for now - switch to an Instant Messaging provider that has well-defined venues for reporting vulnerabilities.