AOL's AIM update alert bothers upgrade holdouts

AOL acknowledges that unless users go through the upgrade process there is no way to get rid of the alert

Some AIM users are angry about a recent alert message AOL displays on their screens urging them to upgrade to the newest version of the instant messaging software.

The alert, delivered in a rectangular box that appears on the screen's lower right hand corner, can't be turned off.

If a user closes the box, the alert will pop back up minutes later. If left alone, the alert will periodically position itself as the primary active window, interrupting the user's current activity.

AOL acknowledges that, unless users go through the upgrade process, there is no way to get rid of the alert.

"Normally, upgrades are optional. However, in this case we are highly encouraging users to upgrade from 6.0 to 6.1 because of some security updates that are included in the new release," an AOL spokeswoman said via e-mail.

The alert, titled "Active Update," reads: "The following update is ready to install. AIM Software - 6.1 GM Update: This version delivers new features and important security updates. Select 'Install Now' and upgrade today."

The alert provides no information about the security updates. The AIM Web site doesn't appear to contain any information about the security fixes either.

The AOL spokeswoman explained that the main security fix in version 6.1 addresses file sharing, which requires the sender and recipient to establish a direct PC-to-PC connection.

"Essentially, if you used file sharing to send a folder -- as opposed to sending a single file -- there was the potential for a hacker to access your computer," she wrote.

Beyond the security fixes, AIM 6.1 is the Vista-compatible client software and provides faster performance, she wrote.

If users don't want to update to 6.1, they must either learn to live with the alert on their desktop or turn off AIM altogether. But some users want a middle ground: declining the update and getting rid of the alert.

In this discussion forum thread, several users report being on the verge of abandoning the AIM service altogether if AOL doesn't stop the insistent alerts, which they find overly intrusive and, as one user wrote, "a royal pest."

On May 29, AOL started beaming the alert to a small portion of users, and expanded the scope of recipients over the following two weeks. Since June 11, the alert has been hitting all AIM users who haven't upgraded, according to the spokeswoman.

The situation highlights the often difficult balancing act vendors face when their software products need to get updated in order to address security issues, industry analysts said.

"Vendors are trying to reach a compromise between improving the security of their software and making updates as unobtrusive as possible," said Michael D. Osterman, president of Osterman Research Inc.

IM vendors in particular are becoming more aggressive with their security patches in response to increased activity from malicious hackers, Osterman said.

"The IM vendors have realized they have to get serious about security and about getting users to upgrade their software. The downside is that it can be irritating to users, but, unfortunately, it's necessary," Osterman said.

Last week, IM security vendor Akonix Systems Inc. reported tracking 36 malicious code attacks in IM networks during June, an 80 percent increase over May.

Beyond the specific AIM situation, it's recommended that end users in general get into a habit of updating their PC software, said Chris Taschner, a vulnerability analyst at the Computer Emergency Response Team (CERT) Coordination Center of Carnegie Mellon University's Software Engineering Institute.

Whenever possible, vendors should deliver the updates in the background , as transparently as possible to end users, Taschner said. "End users shouldn't have to be security experts to use software."

If vendors will not update their software automatically in the background, they should make their policies for notifying end users about new versions very clear, he said. This way, end users will know how to distinguish between a legitimate and fraudulent security alert, Taschner said.

Join the discussion
Be the first to comment on this article. Our Commenting Policies