vnunet.com has a report on a serious new AIM vulnerability that could allow remote code execution via instant messaging alone. No user interaction is necessary for the exploit to be successful.
The flaw was disclosed by enterprise security firm Core Security Technologies. According to the firm, attackers exploiting the vulnerability could remotely execute code on a user's machine, as well as exploit Internet Explorer bugs.
AIM 6.1, 6.2 beta, AIM Pro, and AIM Lite are affected, posing a significant security risk to literally millions of AIM users.
All of the vulnerable AIM clients include support for enhanced message types that enable AIM users to use HTML to customize text messages with specific font formats or colours.
The vulnerable AIM clients use an embedded Internet Explorer server control to render this HTML content.
However, as this input is not checked before it is rendered, an attacker could deliver malicious HTML code as part of an instant message to directly exploit Internet Explorer bugs without user interaction.
Are you an AIM user? Will this flaw result in you ditching AIM?
Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.