Enterprise Software

Serious AIM flaw allows remote code execution without user interaction

vnunet.com has a report on a serious new AIM vulnerability that could allow remote code execution via instant messaging alone. No user interaction is necessary for the exploit to be successful.

vnunet.com has a report on a serious new AIM vulnerability that could allow remote code execution via instant messaging alone. No user interaction is necessary for the exploit to be successful.

The flaw is disclosed by enterprise security firm Core Security Technologies. According to them, attackers exploiting the vulnerability could remotely execute code on a user's machine, as well as exploit Internet Explorer bugs.

AIM 6.1, 6.2 beta, AIM Pro, and AIM Lite are affected, posing a significant security risk to literally millions of AIM users.

Excerpt from the report:

All of the vulnerable AIM clients include support for enhanced message types that enable AIM users to use HTML to customize text messages with specific font formats or colours.

The vulnerable AIM clients use an embedded Internet Explorer server control to render this HTML content.

However, as this input is not checked before it is rendered, an attacker could deliver malicious HTML code as part of an instant message to directly exploit Internet Explorer bugs without user interaction.

AOL has acknowledged the problem and is urging users to upgrade to the latest version of the AIM beta client. Alternatively, they can use its Web-based AIM Express service until a fix is ready.

Are you an AIM user? Will this flaw result in you ditching AIM?

--------------------------------------------------------------------------------

Stay on top of the latest tech news

Get this news story and many more by subscribing to our free IT News Digest newsletter, delivered each weekday. Automatically sign up today!

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

12 comments
seemenow
seemenow

so are the earlier versions that allow u to use encryption software affected? seems only the 6.x versions and up are listed.

paulmah
paulmah

Will this flaw result in you ditching AIM?

DMambo
DMambo

When my kids wore me down and I finally allowed them to use IM, I chose Miranda. It's clean, supports many protocols and the reviews I read were pretty good. The whole IM thing in my house still drives me crazy (how many hours in front of the screen would these kids spend if I let them???), but the kids learned a small lesson in researching different options.

ITinAtl
ITinAtl

I mean, seriously??? What kind of l*ser techie uses anything from AOL?

Larry the Security Guy
Larry the Security Guy

Everyone who uses "anything from AOL" is "some kind of l*ser techie"?

sean bean
sean bean

and what if "corporate" makes the decision AIM's what you are using? what do you suggest they use instead? Can you point up a program worth investigating?

uberg33k50
uberg33k50

To use any thing from AOL as a IT professional is L*mer than L*ME! I have gotten resume's from guys who have an email address ending in @aol.com and I have serious reservations about even taking the time to talk to them.

mhbowman
mhbowman

Yes. It's right up there with My Space. If you're a teenage kid or newbie, OK but if you're an IT professional there's no excuse for it.

cviator
cviator

We have a corporate AIM solution where some front-end precautions have been put in place to address this until a longer term fix is applied. I am confident it will be resolved. If we ditched every tool, application, OS, router, etc because of a temporary security flaw, we would be unable to conduct business. No need to panic or overreact. Lets deal with it and keep business moving forward.

TG2
TG2

Funny that you would only reply in regards to a corporate solution ... how exactly does that corporate solution protect people in their homes? And lets face it, if you have a kid, the kid probably has aim. Your uber home user may protect themselves, but the moment anyone in the house uses an AIM client, they make the whole house vulnerable.. Mommy brought in her office laptop to do some work? Jr gets on the net, fires up his AIM and gets infected with something that spreads to the rest of the house... mommy takes laptop back into work, and behind the firewall there....starts infecting the rest of the office.. Personally? I use Trillian. I've used GAIM too, anything that allowed me to tie into multiple client protocols all in one application... And of course, this is the falicy of using other people's components within your own. Outlook uses the html rendering engine from IE, and look how now just previewing messages can infect you because of IE's flaws (if unpatched) And additionally you are tied to one model of security ... because you're using the IE engine, you're using the IE Zones ... so what if you think some of the restricted zone settings of IE are not for IM's.. because they are tied in the background, you can't make IM restricted zone any more restricted then you'd want your web browser... and yes, there could be reasons you'd want less restrictions in ie's restricted zone for internet browsing, that you might not want/need in an IM client.

TG2
TG2

Never said there weren't vulnerabilities.. just that I use Trillian.. for the most part because it allows ties to the big three (and more) but that it comes to the same things.. because a flaw in trillian might allow cross message client access.. now there's a vector to go after.. :) Either way.. I'd still stay away from AIM and use third party more open based products because the chances are the flaw may not be the same to them, or may be fixed as quickly if not more so..

dirtylaundry
dirtylaundry

http://blog.ceruleanstudios.com/?p=170 As posted on their blog in July: ****************************** In response to the URI security vulnerability released this week, we have updated Trillian 3 to 3.1.7.0. Auto-update should be firing for existing users, and you can use our download page to grab a full installer if you are so inclined. We recommend that all existing Trillian 3.x customers download this latest upgrade. As a result, there will be no Astra build this week. You can thank the three geniuses behind the vulnerability report for their professionalism (read: none) in reporting this vulnerability to the vendor before public disclosure. To the rest of #hack: we?re happy to responsibly fix vulnerabilities as they?re found, but would appreciate some advance notice. ********************* The article on AIM mentions IE, is there a similar affect to Mozilla's Firefox users? or does it matter since IE resides on most Firefox users' computers?

Editor's Picks