Windows versions of AOL Instant Messenger (AIM) contain a vulnerability attackers could use to compromise computers and execute arbitrary code. Dulles, Va.-based America Online Inc. recommends that users upgrade to the latest beta version of AIM, released this week.
"This is not a passive issue," said AOL spokesman Andrew Weinstein. "It requires the user to actively click onto a malicious URL supplied in an instant message or embedded in a Web page." Weinstein said the problem was first brought to the company's attention a month ago by Reston, Va.-based security firm iDefense Inc. The flaw was also discovered by another group of researchers and reported to Copenhagen, Denmark-based security firm Secunia.
Secunia issued an advisory calling the problem "highly critical" and said it was caused by a boundary error within the handling of "Away" messages that can be exploited to cause a stack-based buffer overflow.
"A malicious Web site can exploit this via the AIM URI handler by passing an overly long argument to the 'goaway?message' parameter," the advisory said. "Successful exploitation may allow execution of arbitrary code on a user's system when … a malicious Web site is visited with certain browsers." Thomas Kristensen, chief technology officer of Secunia, said the flaw could be exploited by any malicious Web site.
Kristensen said the vulnerability has been confirmed in version 5.5.3595 and that other versions may also be affected.
Weinstein said the updated beta version of AIM will be available via the AOL Instant Messenger portal at www.aim.com. In the meantime, he said iDefense has developed a workaround that disables the aim: URI handler by removing the following key from the Windows Registry: HKEY_CLASSES_ROOT\aim. He added that the following script can be saved to a file with the .vbs extension and executed to automate the task of removing the relevant URI handler:

    Set WshShell = CreateObject("WScript.Shell")
    WshShell.RegDelete "HKCR\aim\"

The trailing backslash matters: it tells RegDelete to remove the aim key rather than look for a value named aim. RegDelete also does not delete a key's subkeys, so if HKCR\aim still contains subkeys (it normally holds shell\open\command, the entry browsers use to launch AIM for aim: links), the call fails until those are removed first; running reg delete HKCR\aim /f from a command prompt removes the whole tree. The workaround only stops browsers from dispatching aim: URIs to AIM; it does not fix the underlying overflow.
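As an added example (this is not code from the article, AOL or iDefense), the following PowerShell script, run from an elevated prompt, reports whether the aim: URI handler described above is registered, shows the command line a browser would hand the URI to, and, only when asked, removes the key recursively after exporting a backup so it can be restored once the patched client is installed. It assumes the handler lives at HKEY_CLASSES_ROOT\aim as the article states; the "URL Protocol" marker value and the shell\open\command subkey are the standard Windows layout for protocol handlers and are not something the article specifies.

```powershell
# Added example, not part of the original article or iDefense's workaround.
# Inspects the aim: protocol handler and optionally removes it (with a backup).
# Assumption: the handler is registered at HKEY_CLASSES_ROOT\aim (per the article)
# and follows the usual Windows protocol-handler layout ("URL Protocol" marker
# value plus a shell\open\command subkey). Run from an elevated PowerShell.
param(
    [switch]$Remove,                                          # delete the key; default is report-only
    [string]$BackupPath = "$env:TEMP\aim-urihandler-backup.reg"
)

# No HKCR: drive exists by default, so address the hive through the Registry provider.
$key = 'Registry::HKEY_CLASSES_ROOT\aim'

if (-not (Test-Path -Path $key)) {
    Write-Output "No aim: URI handler registered at HKEY_CLASSES_ROOT\aim; nothing to do."
    return
}

# Protocol handlers carry an (empty) "URL Protocol" value; the program the browser
# launches, with the full URI substituted for %1, lives under shell\open\command.
$props      = Get-ItemProperty -Path $key
$isProtocol = $null -ne $props.PSObject.Properties['URL Protocol']
$cmdKey     = "$key\shell\open\command"
$cmd        = if (Test-Path -Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { '<none>' }

Write-Output "aim: handler present. 'URL Protocol' marker set: $isProtocol"
Write-Output "Command launched for aim: URIs: $cmd"

if (-not $Remove) {
    Write-Output "Re-run with -Remove to delete the handler (a .reg backup is written first)."
    return
}

# Export the key before deleting it so the handler can be restored after patching.
& reg.exe export 'HKCR\aim' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of HKCR\aim failed; not deleting." }
Write-Output "Backup written to $BackupPath"

# Remove-Item -Recurse deletes the subkeys too, which WScript.Shell's RegDelete does not.
Remove-Item -Path $key -Recurse -Force
Write-Output "HKEY_CLASSES_ROOT\aim removed. Restore later with: reg.exe import `"$BackupPath`""
```

Running the script without -Remove is safe on any machine and is a quick way to confirm whether a host is exposed to the web-page vector at all; the command line it prints is the one a browser would execute with the overlong aim:goaway?message argument in place of %1.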
Additional information is in iDefense's advisory.