The installation process of AIM on a PC covertly forces Microsoft Internet Explorer (IE) browsers to accept "Welcome to America Online" at free.aol.com as a "Trusted site," according to an article in Security Wire Digest.
Automatically designating the free.aol.com site as a Trusted site allows AOL to install cookies and even run code on a user's PC without their knowledge. A Web site in Internet Explorer's Trusted sites zone contain "sites you believe you can download or run files from without worrying about damage to your computer or data," according to the IE's Help file on Trusted zones. "The default security level for the Trusted sites zone is Low, therefore, Internet Explorer will allow all cookies from Web sites in this zone to be saved on your computer and read by the Web site that created them."
What's more, when a Web site is in the trusted zone, the user is not alerted when a cookie or file is downloaded to a user's PC.
Rich Mogull, a senior analyst at Gartner Group's Gartner G2's growth strategies practice, says AOL's action violated all three elements of trust: intent (the desire to operate within the boundaries of an agreement), capability (the ability to fulfill the intent) and communication (the ability to instill belief in these abilities within the consumer/business partner).
"Businesses that allow the use of AOL Instant Messenger are also forced to trust AOL servers, despite whatever security and privacy settings (those businesses) have in place," Mogull said. "By forcing browsers to trust AOL, it violates the boundaries of the users' understanding of the relationship ... By making these changes without notifying the user, AOL has failed to communicate either intent or capability."
AOL's practice is particularly troubling, Mogull said, since it is vulnerable to an insidious and well-known cyber attack known as "cross-site scripting," which allows an attacker to inject malicious code onto a system by hiding it as legitimate code from free.aol.com.
GartnerG2 (and InstantMessagingPlanet) recommends that companies carefully evaluate their policies on employee use of downloaded software and services. They should also employ security mechanisms to limit the damage that unapproved trust relationships may cause. And a company's IT staff should evaluate terms and conditions for any free or commercial off-the-shelf software used within the enterprise.
Also, AOL's action can be undone directly from the IE browser. To start the process, a user should go to the Tools menu and select "Internet Options." By clicking on the "Security" tab, highlighting "Trusted sites" and then clicking on the "Sites" button, a list of Trusted sites appears. Highlighting the "free.aol.com" site and clicking "Delete" rids the browser and the user's PC of the security problem.
AOL officials were not immediately available for comment on this story.
Security Wire Digest also reported earlier this month that a new IM-based worm is gaining ground by offering "free porn." The worm, which the publication called "low-risk," is spread by both AIM and IRC clients, is called W32.Aphex@mm or W32.Aplore@mm. It spreads in the chat window area by a hyperlink that consists of a single period with an attachment named psecure20x-cgi-install.version6.01.bin.hx.com.
If a user runs the program it drops a Visual Basic (.vbs) script and then uses standard techniques to mass-mail itself to all addresses in the user's Microsoft Outlook address book. The worm also connects to some IRC channels and attempts to infect IRC users. Blocking .com attachments in a user's IM client can help mitigate the risk, and the worm doesn't carry a destructive payload.
Bob Woods is the managing editor of InstantMessagingPlanet.