Through one of its programs such as WinAMP, AOL Instant Messenger, or Netscape Navigator, AOL has been putting a back door in Internet Explorer.

Without notifying users, AOL adds http://free.aol.com to the browser's trusted sites zone, enabling executable code from that domain to be run without permission.

I confirmed this on my own system -- free.aol.com was in my trusted sites zone even though I've never used that feature of the browser.
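An added example, not part of the original post: one way to audit which sites have been mapped into the Trusted sites zone. It parses a `reg export` of the per-user `ZoneMap\Domains` key, where Internet Explorer stores site-to-zone assignments as DWORD values (2 is Trusted sites). The sample export, the `.example` hosts and the function names are constructed for illustration.

```python
import re

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
MARKER = "\\zonemap\\domains\\"
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in `reg export` format (not taken from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\aol.com\free]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"*"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\updates.example]
"https"=dword:00000002
"""

def zone_assignments(reg_text):
    """Return (scheme, host, zone_number) for every site-to-zone mapping."""
    found, host = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            idx = path.lower().find(MARKER)
            # Domains\<domain>\<subdomain> names the host <subdomain>.<domain>
            parts = path[idx + len(MARKER):].split("\\") if idx >= 0 else []
            host = ".".join(reversed(parts)) if parts else None
            continue
        m = VALUE_RE.match(line)
        if m and host:
            found.append((m.group(1), host, int(m.group(2), 16)))
    return found

def unexpected_trusted(reg_text, approved=frozenset()):
    """Trusted sites zone (2) entries whose host the admin never approved."""
    return [(s, h) for s, h, z in zone_assignments(reg_text)
            if z == 2 and h.lower() not in approved]

if __name__ == "__main__":
    for scheme, host, zone in zone_assignments(SAMPLE_EXPORT):
        print(f"{scheme}://{host} -> {ZONES.get(zone, zone)}")
    print("unapproved:", unexpected_trusted(SAMPLE_EXPORT, {"updates.example"}))
```

Files written by `reg export` are UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `zone_assignments`.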

Comments

This has been a "known issue", at least as regards Netscape, for a while now. It's frustrated me as an advocate for Mozilla and Gecko that I have to add this caveat when I recommend Netscape 7. If it's been discontinued, good for AOL/TW (or whatever they're calling themselves these days); if not, they need to get on the ball.

I went back in the "Privacy Digest" archives and found some more info from November 03, 2001.


InformationWeek > Fred Langa > Oct. 1, 2001 - Langa Letter: More Instant-Messaging Security Holes.
Fred Langa warns that hyper-aggressive IM installations may end-run your online safeguards.


[ ... ]

"AOL"/"Netscape"'s abuse of browser security settings first came to my attention when reader Michael G. Baker, Jr. sent this alarming E-mail:

"When a user downloads or updates AIM, free.aol.com is added to the users' "IE" Trusted Sites Zone. This also happens if you download Netscape6.x with integrated AIM. It is one thing for them to put that free.aol.com link everywhere when you download N6, even in IE's bookmarks, but quite another thing to mess with security settings. Although mostly harmless, it is the principle. I don't think this is right. If this was "Microsoft" messing with a Netscape security setting, all hell would break loose."


It's true. Without so much as a by-your-leave, AOL software inserts "free.aol.com" into your IE browser's "Trusted Zone." Talk about an aggressive installation routine!

The IE Trusted Zone's security permissions are intentionally relaxed. Scripts and ActiveX components can run (some with no prompting); downloads are enabled; Java safety is low; cross-domain data-sourcing is allowed; there's no alert when a site's security certificate is missing or revoked; and so on. Normally, that's OK, because the only sites in the Trusted Zone are those you put there yourself, after you decide that a site is entirely above-board. (Even so, many security-conscious users put no sites in the Trusted Zone, leaving nothing to chance or goodwill, and instead enforcing at least the "Internet Zone" restrictions on all Web sites.)

By automatically placing its own site in the Trusted Zone, AOL creates a double security threat. If you (or your users) download and install Netscape 6.x, AIM, or any product with integrated AIM, not only do you have to cope with the inherent problems of an IM client itself, but you'll also have AOL set up as a trusted site. That can bypass the browser security settings you've established for normal Internet connections.

They keep playing little tricks like this and they wonder why we don't trust them. Just one more reason not to try AOL's alternative to "Passport"/"Hailstorm".

I just checked my own trusted sites and I am not seeing free.aol.com. In fact, the list is empty. I wonder if this is a selective thing?

After removing free.aol.com, I downloaded and installed the most recent versions of AOL IM and WinAmp, and neither one put it back in the trusted sites zone. It's hard to tell which program is doing this, or if it's something that AOL has discontinued.

Turns out there's a CERT warning about this too:

http://www.kb.cert.org/vuls/id/744139

It was last updated on 5/8/2002 so it's probably safe to presume this issue has been around for a while :-(

This is old news, but forget AOL for a minute, why on earth is this even possible at all?
