Researchers at Core Security Technologies warn that attackers could run malware on targeted computers by exploiting a flaw in the widely-used AOL Instant Messenger (AIM) application. AOL has acknowledged the vulnerability and recommended users upgrade to the latest version of the AIM beta client, which is immune to the problem.
Specifically, an attacker could remotely execute code on a user's computer and exploit Internet Explorer bugs without user interaction, said Iván Arce, Core's chief technology officer. The vulnerabilities affect AIM 6.1 and 6.2 beta, AIM Pro and AIM Lite. Arce called it a serious threat to millions of AIM users.
"Since we notified AOL, this vulnerability has emerged on several public bug-tracking Web sites," Arce said. "It was necessary to bring the details to light immediately so AIM users can assess their risk and take the appropriate measures to protect themselves."
AIM users running vulnerable client software should switch to the non-vulnerable versions: AIM version 5.9, the latest version of the AIM client 6.5 (which is still in beta), or the web-based AIM Express, Arce said.
The vulnerable AIM clients include support for enhanced message types that let AIM users use HTML (Hypertext Markup Language) to customize text messages with specific fonts or colors, Arce said. An Internet Explorer rendering object is embedded in AIM to display that HTML, which makes for a rich user experience. Unfortunately, he said, it also makes users easy to attack, because the incoming content isn't properly sanitized before the embedded browser renders it.
"Because these clients do not properly sanitize potentially malicious input content before it is rendered, an attacker could deliver malicious HTML code as part of an IM message to directly exploit Internet Explorer bugs without user interaction or to target security configuration weaknesses in Internet Explorer," he said.
According to the Core advisory, machines running the affected AIM programs are susceptible to the following attack methods:
- Direct remote execution of arbitrary commands without user interaction.
- Direct exploitation of Internet Explorer bugs without user interaction. For example, bugs whose exploitation normally requires the user to click a URL supplied by the attacker can be triggered directly through this vector.
- Remote instantiation of ActiveX controls in the corresponding security zone.
- Cross-site request forgery and token/cookie manipulation using embedded HTML.
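The mechanism Arce describes above (message HTML handed to an embedded browser without sanitization) and the attack methods just listed come down to the same root cause: the client trusts the sender's markup. The following JavaScript is an added illustration, not code from Core, AOL or the AIM client. It contrasts a pass-through renderer with an allowlist sanitizer for the small rich-text subset an IM client actually needs (font color, face and size, bold, italic, underline, line breaks; this allowlist is an assumption chosen for the example, not AIM's real feature set). Everything else, including script, object, iframe and img tags, event-handler attributes and non-literal attribute values, is dropped before the string reaches the renderer. The sample messages are constructed for the example.

```javascript
// Added example, not the AIM client's code. Models the vulnerable behaviour
// (pass-through) beside an allowlist sanitizer for an IM rich-text subset.

// Allowlist (assumed for this example): only formatting tags and the
// attributes needed for "font formats or colors".
const ALLOWED_TAGS = new Set(["b", "i", "u", "font", "br"]);
const ALLOWED_ATTRS = { font: new Set(["color", "face", "size"]) };
// Attribute values must be literal tokens, so "javascript:" or expression() never survive.
const ATTR_VALUE_RE = {
  color: /^(#[0-9a-f]{6}|[a-z]{1,20})$/i,
  face: /^[a-z0-9 ]{1,40}$/i,
  size: /^[1-7]$/,
};

// The vulnerable pattern the article describes: sender-controlled HTML goes
// straight to the embedded browser, so <script>, <object>, <iframe>, <img>
// and event handlers all execute in the client's security zone.
function renderUnsanitized(message) {
  return message;
}

function escapeText(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Rebuilds the attribute list from scratch, keeping only allowlisted
// name/value pairs; onmouseover=, style=, src= and friends never get copied.
function sanitizeAttributes(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  const attrRe = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let out = "";
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue;
    if (!ATTR_VALUE_RE[name].test(value)) continue;
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

// Tokenizes the message into well-formed tags, comments and stray '<'
// characters, re-emits only allowlisted tags (with rebuilt attributes),
// escapes all text, and closes any tags the sender left open so that
// markup cannot leak into the rest of the conversation window.
function sanitizeMessage(message) {
  const tokenRe = /<\/?([a-z][a-z0-9]*)\b([^>]*)>|<!--[\s\S]*?-->|</gi;
  const open = [];
  let out = "";
  let last = 0;
  let m;
  while ((m = tokenRe.exec(message)) !== null) {
    out += escapeText(message.slice(last, m.index));
    last = tokenRe.lastIndex;
    if (m[0] === "<") { out += "&lt;"; continue; } // stray or unterminated '<'
    const tag = m[1] ? m[1].toLowerCase() : null;
    if (!tag || !ALLOWED_TAGS.has(tag)) continue;  // comment or disallowed tag: dropped
    if (tag === "br") { out += "<br>"; continue; }
    if (m[0].startsWith("</")) {
      const idx = open.lastIndexOf(tag);
      if (idx === -1) continue;                     // close without matching open
      while (open.length > idx) out += `</${open.pop()}>`;
    } else {
      open.push(tag);
      out += `<${tag}${sanitizeAttributes(tag, m[2])}>`;
    }
  }
  out += escapeText(message.slice(last));
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// Constructed sample messages covering the attack classes in the advisory.
const SAMPLES = [
  '<font color="red" onmouseover="alert(1)">hi</font>',          // event handler
  '<script>alert(1)</script><object classid="clsid:1">x</object>', // script / ActiveX
  '<b>bold <iframe src="http://evil.example/">text',               // frame, unclosed <b>
  '<img src="http://bank.example/transfer?to=attacker">',          // CSRF-style request
  '<font color="javascript:alert(1)" size="3">t</font>',           // bad attribute value
];
for (const s of SAMPLES) console.log(sanitizeMessage(s));
```

The point of the example is the shape of the fix, not the specific allowlist: rebuild output from a small set of permitted tags and literal attribute values rather than trying to strip known-bad patterns from attacker-controlled HTML. A production client should use a maintained sanitizer library instead of hand-rolled parsing, and sanitization only removes the injection vector; the embedded browser's zone configuration, which the advisory also flags, still needs to be locked down separately.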
IT administrators have long lamented the insecurity of IM programs. In a SearchSecurity.com series on IM threats and concerns in December, more than half of 250 respondents said they consider IM a breeding ground for malware.
Nevertheless, only 36% of those who took the survey in August 2006 said they have sound written policies to police IM usage, and more than half said at least some of their users rely on free instant messaging systems like AOL or MSN to communicate at work. Nearly 70% said they do not use an enterprise-class IM product and they do not ban IM. Meanwhile, only 10% of respondents said they use a third-party product to secure IM.