AOL insisted Thursday that a flaw in AOL Instant Messenger (AIM) has been fixed, after a security researcher disputed earlier suggestions AIM users would be protected by upgrading to the latest version of the AIM beta client.
In an email Thursday afternoon, AOL spokesperson Erin Gifford said the company was able to implement server-side fixes and that AIM users are no longer at risk.
In an interview conducted via IM earlier in the day, Israeli vulnerability researcher Aviv Raff said he had conducted further tests on the program and found that the beta version does not fix the flaw, which attackers could exploit to run malware on targeted computers running AIM. Researchers at Core Security Technologies sent out an advisory on the flaw Wednesday.
Specifically, an attacker could remotely execute code on a user's computer and exploit Internet Explorer bugs without user interaction, Core CTO Iván Arce said. The vulnerabilities affect AIM 6.1 and 6.2 beta, AIM Pro and AIM Lite. Arce called it a serious threat to millions of AIM users. Arce said all the vulnerable AIM clients include support for enhanced message types that enable AIM users to use HTML (Hyper Text Markup Language) to customize text messages with specific font formats or colors. He said an Internet Explorer object is embedded within AIM to render HTML, making for a rich user experience. Unfortunately, he said, it also makes it easy for attackers to take advantage of users because content isn't properly sanitized.
AOL initially acknowledged the vulnerability and recommended users upgrade to the latest version of the AIM beta client, saying that version is immune to the problem. But Raff said that's not the case.
He pointed to an analysis in his Aviv Raff On.NET blog in which he tested proof-of-concept code on the latest beta version and found that by changing the code slightly, a successful exploit could still be carried out.
"The problem with AOL's patch is that they filter specific tags and attributes, instead of fixing the main cause of the vulnerability, which is locking down the local zone of their client's Web-browser control," he wrote. "Core Labs describes a workaround in their advisory which messes up with the registry. I think that the common people should avoid this workaround, and stop using AIM until a real fix from AOL will arrive."
He posted a response from AOL in the blog that read: "We have already fixed our client on these issues and the client is scheduled for a mid-October release. This fix is not yet in the current AIM beta client."
To that, Gifford said, "The concerns that Aviv Raff expressed in his blog have been fully resolved. I can assure you that AIM users are safe."
Raff criticized AOL's slow response, saying he only received a message from the company after they realized from his blog post that their fix was insufficient.