'Highly critical' flaw in AOL Instant Messenger

Article

'Highly critical' flaw in AOL Instant Messenger

Windows versions of AOL Instant Messenger (AIM) contain a vulnerability attackers could use to compromise computers and launch arbitrary code. Dulles, Va.-based America Online Inc. recommends users upgrade to the latest beta version of AIM released this week.

"This is not a passive issue," said AOL spokesman Andrew Weinstein. "It requires the user to actively click onto a malicious URL supplied in an instant message or embedded in a Web page." Weinstein said the problem was first brought to the company's attention a month ago by Reston, Va.-based security firm iDefense Inc. The flaw was also discovered by another group of researchers and reported to Copenhagen, Denmark-based security firm Secunia.

Secunia issued an

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

advisory calling the problem "highly critical" and said it was caused by a boundary error within the handling of "Away" messages that can be exploited to cause a stack-based buffer overflow.

"A malicious Web site can exploit this via the AIM URI handler by passing an overly long argument to the 'goaway?message' parameter," the advisory said. "Successful exploitation may allow execution of arbitrary code on a user's system when … a malicious Web site is visited with certain browsers." Thomas Kristensen, chief technology officer of Secunia, said the flaw could be exploited by any malicious Web site.

Kristensen said the vulnerability has been confirmed in version 5.5.3595 and that other versions may also be affected.

Weinstein said the updated beta version of AIM will be available via the AOL Instant Messenger portal at www.aim.com. In the meantime, he said iDefense has developed a workaround that involves removing the following key from the Windows Registry: HKEY_CLASSES_ROOTaim. He added that the following script can be saved to a file with the .vbs extension and executed to automate the task of removing the relevant URI handler: Set WshShell = CreateObject("WScript.Shell") WshShell.RegDelete "HKCRaim"

Additional information is in iDefense's advisory.