News Stay informed about the latest enterprise technology news and product updates.

Serious security flaw in AOL Instant Messenger

Researchers at Core Security say attackers could run malware on targeted computers by exploiting a flaw in the widely-used AOL Instant Messenger (AIM) application.

Researchers at Core Security Technologies warn that attackers could run malware on targeted computers by exploiting a flaw in the widely-used AOL Instant Messenger (AIM) application. AOL has acknowledged the vulnerability and recommended users upgrade to the latest version of the AIM beta client, which is immune to the problem.

Since we notified AOL, this vulnerability has emerged on several public bug-tracking Web sites.
Iván Arce,
chief technology officerCore Security Technologies

Specifically, an attacker could remotely execute code on a user's computer and exploit Internet Explorer bugs without user interaction, said Iván Arce, Core's chief technology officer. The vulnerabilities affect AIM 6.1 and 6.2 beta, AIM Pro and AIM Lite. Arce called it a serious threat to millions of AIM users.

"Since we notified AOL, this vulnerability has emerged on several public bug-tracking Web sites," Arce said. "It was necessary to bring the details to light immediately so AIM users can assess their risk and take the appropriate measures to protect themselves."

AIM users running vulnerable client software should switch to the non-vulnerable versions: AIM version 5.9, the latest version of the AIM client 6.5 (which is still in beta), or the web-based AIM Express, Arce said.

The vulnerable AIM clients include support for enhanced message types that enable AIM users to use HTML (Hyper Text Markup Language) to customize text messages with specific font formats or colors, Arce said. An Internet Explorer object is embedded within AIM to render HTML, making for a rich user experience. Unfortunately, he said, it also makes it easy for attackers to take advantage of users because content isn't properly sanitized.

Messaging security:

Based on the results of exclusive readership research, takes a closer look at the top messaging security challenges facing today's businesses.

Messaging insecurity fuels data leakage fears
: The proliferation of messaging technology means more opportunity for malware to take root and sensitive data to be lifted.

IT pros look for ways to lock down IM: To control growing IM threats, administrators are trying to limit which programs can be used or ban the technology altogether. But that's not always possible.

Messaging Security podcast: Burton Group analyst Diana Kelley discusses the latest threats to messaging security and where the solutions are.

Inside the numbers: A closer look

"Because these clients do not properly sanitize potentially malicious input content before it is rendered, an attacker could deliver malicious HTML code as part of an IM message to directly exploit Internet Explorer bugs without user interaction or to target security configuration weaknesses in Internet Explorer," he said.

According to the Core advisory, machines running the affected AIM programs are susceptible to the following attack methods:

  • Direct remote execution of arbitrary commands without user interaction.
  • Direct exploitation of Internet Explorer bugs without user interaction. For example, exploitation bugs that normally require the user to click on a URL provided by the attacker can be exploited directly using this attack vector.
  • Direct injection of scripting code in Internet Explorer. For example, remotely injecting JavaScript code into the embedded IE control of the AIM client.
  • Remote instantiation of Active X controls in the corresponding security zone.
  • Cross-site request forgery and token/cookie manipulation using embedded HTML.

IT administrators have long lamented the insecurity of IM programs. In a series on IM threats and concerns in December, more than half of 250 respondents said they consider IM a breeding ground for malware.

Nevertheless, only 36% of those who took the survey in August 2006 said they have sound written policies to police IM usage, and more than half said at least some of their users rely on free instant messaging systems like AOL or MSN to communicate at work. Nearly 70% said they do not use an enterprise-class IM product and they do not ban IM. Meanwhile, only 10% of respondents said they use a third-party product to secure IM.

Dig Deeper on Email and Messaging Threats-Information Security Threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.