The newly released AOL Instant Messenger (AIM) 6.5 closes a security hole attackers could have used to run malware on targeted computers, but one researcher warns that the core vulnerability has yet to be fixed.
In an interview conducted Tuesday morning, Israeli vulnerability researcher Aviv Raff said he tested the newest version of the popular IM application against AIM vulnerabilities he and researchers at Core Security Technologies warned about last month. AIM 6.5 fixes the specific attack vector of the vulnerability, he said, but it still does not incorporate the Local Zone lockdown.
"This means that if someone finds another way to inject a script to a message, it will still be possible to execute arbitrary code from remote [locations]," he said, adding that the vendor also failed to release a proper advisory with release notes outlining the security issues addressed in the update. "It doesn't surprise me, because from the beginning [AOL] has fixed the attack vectors instead of fixing the main cause of the problem, which is rendering the IM messages in unlocked Local Zone."
He added in his blog that he's postponing the release of his proof-of-concept (PoC) until AOL fixes the client properly. "This is mainly because it will probably not be so hard to manipulate the PoC and find another way to inject a script, and there's a short way from this to creating a massive IM worm," he said.
Until the issue is fully addressed, Raff recommended users follow the AIM workaround Core outlined in its advisory. Core recommended that users running AIM on Microsoft Windows XP SP2 or Windows Server 2003 SP1 implement Microsoft's "Internet Explorer Local Machine Zone Lockdown" recommendations to mitigate risk, and outlined the steps users can take to do so.
After the flaw was first disclosed last month, AOL spokesperson Erin Gifford said the company was able to implement server-side fixes and that AIM users are no longer at risk. She did not immediately respond to a request for comment on the latest developments, specifically Raff's claim that the core flaw remains unfixed.
IT administrators have long lamented the insecurity of IM programs. In a SearchSecurity.com series on IM threats and concerns in December, more than half of 250 respondents said they consider IM a breeding ground for malware.
Nevertheless, only 36% of those who took the survey in August 2006 said they have sound written policies to police IM usage, and more than half said at least some of their users rely on free instant messaging systems like AOL or MSN to communicate at work. Nearly 70% said they do not use an enterprise-class IM product and they do not ban IM. Meanwhile, only 10% of respondents said they use a third-party product to secure IM.