A flaw in AOL Instant Messenger, as reported on Neowin yesterday, has been resolved, an AOL company spokesman said Thursday.
AOL became aware of the flaw Wednesday morning after a group issued a report to security mailing lists about a feature in the most recent version of AIM, spokesman Andrew Weinstein said. The flaw, which was also found in a test version of AIM, could allow someone to take control of home computers.
The flaw, which would have affected only non-AOL subscribers, has been fixed on AOL's side through modifications to AOL's servers, so AIM users do not have to download anything to be protected.
News source: Reuters
In a further update, one of w00w00.org's founders, Matt Conover, a student of Computer Science and Maths at Utah State University, is defending his decision to release information regarding the IM flaw that his group found.
"We never expected it to get this much attention," says Matt. His group informed AOL via email around December 25th, waited a week, and got no response, so he posted information and "proof of concept code" on the w00w00 web site to demonstrate the vulnerability. "No matter how long we waited we weren't going to hear back from them," added Matt.
But some security experts have called w00w00's actions irresponsible for releasing information about the flaw before the vendor had time to prepare a fix. "AOL makes it extremely difficult to get a hold of anybody for anything to do with security," said Russ Cooper, who runs the NTBugTraq e-mail list.
In the end, AOL acted very quickly. As Andrew Weinstein (AOL spokesperson) said, "The flaw was resolved within 24 hours. We heard no reports from users that anyone was affected by it".
News source: Reuters