
Serious AIM flaw allows remote code execution without user interaction

vnunet.com has a report on a serious new AIM vulnerability that could allow remote code execution via instant messaging alone. No user interaction is necessary for the exploit to be successful.


The flaw was disclosed by enterprise security firm Core Security Technologies. According to the firm, attackers exploiting the vulnerability could remotely execute code on a user's machine, as well as exploit Internet Explorer bugs.

AIM 6.1, 6.2 beta, AIM Pro, and AIM Lite are affected, posing a significant security risk to literally millions of AIM users.

Excerpt from the report:

All of the vulnerable AIM clients include support for enhanced message types that enable AIM users to use HTML to customize text messages with specific font formats or colours.

The vulnerable AIM clients use an embedded Internet Explorer server control to render this HTML content.

However, as this input is not checked before it is rendered, an attacker could deliver malicious HTML code as part of an instant message to directly exploit Internet Explorer bugs without user interaction.

AOL has acknowledged the problem and is urging users to upgrade to the latest version of the AIM beta client. Alternatively, they can use its Web-based AIM Express service until a fix is ready.
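What a fix for the unchecked-input problem described in the excerpt can look like, as an added example that is not AOL's or Core Security's code: an allowlist sanitizer that keeps only the font-formatting tags and attributes the feature needs and drops everything else before a message reaches the rendering control. The tag, attribute and value sets below are assumed for illustration, not AIM's actual ones.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "font", "br"}            # formatting only (assumed set)
ALLOWED_ATTRS = {"font": {"face", "color", "size"}}     # no href, src or on* handlers
DROP_WITH_CONTENT = {"script", "style"}                 # tag and its body both removed
ATTR_VALUE_RE = re.compile(r"^[\w #,.-]{1,40}$")        # e.g. "#ff0000", "Arial", "3"

class IMSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag            # swallow everything until its end tag
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return                         # unknown tag dropped; its text is kept
        kept = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value and ATTR_VALUE_RE.match(value):
                kept += f' {name}="{escape(value, quote=True)}"'
        if tag == "br":
            self.out.append("<br>")
            return
        self.out.append(f"<{tag}{kept}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in self.open_tags:        # close back to the match: well-formed output
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

def sanitize_im_html(message: str) -> str:
    p = IMSanitizer()
    p.feed(message)
    p.close()
    while p.open_tags:                     # close tags the sender left open
        p.out.append(f"</{p.open_tags.pop()}>")
    return "".join(p.out)
```

Because the output is rebuilt from the allowlist rather than filtered by a denylist, a tag or attribute the sanitizer has never heard of is dropped rather than passed through.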

Are you an AIM user? Will this flaw result in you ditching AIM?


About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.
