May 13, 2002 4:00 AM PDT
Security trips up instant messaging
Open IM cries fade
The three majors are
doing fine on their own.
It's the bugs that AOL and its rivals don't know about that worry Conover.
"There are people out there that know about holes, and they aren't telling," Conover, who hunts bugs with security group w00w00 and works for network-protection company Entercept Security Technologies, said at the recent CanSecWest conference in Vancouver, British Columbia.
As instant messaging has rapidly become a fixture in desktop computing, security mavens have focused more closely on the security problems posed by the relatively young application. So far, it's not a pretty picture. In the past week, security experts have found flaws in AOL Time Warner's Instant Messenger and in a component installed by the Microsoft Network's Messenger application.
"It's just more bad application security," said Marc Maiffret, chief hacking officer for network consultancy eEye Digital Security, the company that found last week's MSN Messenger flaw. "The flaws that have been out there--they're still suffering from buffer overflows and stuff."
Yet by directing users to accept scripts from the entire Internet, rather than just from the servers that need to send scripts to make the "rich" features of instant messaging work, Yahoo puts users in additional peril.
"Such settings aren't the best security practices," said Vincent Weafer, director of security response for antivirus software company Symantec. "Now my browser is in open mode, and I'm in danger of being infected from a malicious Web site."
Reiterating Yahoo's focus on security, Osako said the company's security team would take another look at the issue.
Jeremie Miller, creator of the Jabber instant messaging system, blames the lack of a remedy on the cutthroat competition between the IM service providers and their desire to keep their competitors out rather than focusing on adding security to their IM protocols.
"These systems aren't hard to secure at all," Miller said. "However, security doesn't seem to be their goal; they're just trying to create a service."
The open-source Jabber has slowly grown to become a messaging protocol used by several large companies, such as Walt Disney, as well as by the open-source community. However, like other independent instant messaging services, Jabber frequently finds itself blocked from sending messages to the users of other systems.
Miller also said that the closed systems created by Yahoo, Microsoft and AOL tend to lead to less attention to development, and thus to more bugs. Jabber, on the other hand, being open source, has had a lot of criticism.
"When you are dealing with internally developed protocols and systems, you are dealing with obscure dark corners," Miller said. "In the process of developing any open protocol, any open standard, there is a lot more scrutiny."