AOL Flaw Leaves Users Defenseless
Several versions of AOL's Instant Messenger (AIM) client have been found to have a serious security hole. The newly discovered flaw lets anyone who sends you a message run arbitrary commands on your machine and attack the copy of Internet Explorer embedded in the client, with no action on your part.
September 28, 2007
The affected versions are AIM 6.1, AIM 6.2, AIM Pro and AIM Lite.
“To support rendering of HTML content, the vulnerable IM clients use an embedded Internet Explorer server control. Unfortunately they do not properly sanitize the potentially malicious input content to be rendered and, as a result, an attacker might provide malicious HTML content as part of an IM message to directly exploit Internet Explorer bugs or to target IE’s security configuration weaknesses,” Core Security reports.
As a result, affected systems are exposed to the following types of attack:
- Direct remote execution of arbitrary commands without user interaction
- Direct exploitation of IE bugs without user interaction
- Remote instantiation of ActiveX controls in the corresponding security zone
- Cross-site request forgery and token/cookie manipulation using embedded HTML
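The defect Core Security describes is the absence of any filter between the message parser and the embedded rendering engine: whatever HTML the sender wrote is what Internet Explorer executes. The Python sanitizer below is an added illustration, not AIM code and not Core Security's proof of concept. It rebuilds an incoming message from a small allowlist of formatting tags and attributes and renders everything else as literal text, and the constructed sample messages show how each attack class in the list above (ActiveX instantiation, script execution, javascript: links, event handlers, request forgery through image fetches) is neutralized before the HTML reaches IE. The allowlist, the sample messages and the function names are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist of the rich-text features a chat client actually needs.
# These sets are assumptions for the example, not AIM's real formatting model.
ALLOWED_TAGS = {"b", "i", "u", "font", "a", "br"}
ALLOWED_ATTRS = {"font": {"color", "face", "size"}, "a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https"}


def safe_url(value: str) -> bool:
    """Only absolute http(s) links survive; javascript:, vbscript:, file:, res: are dropped."""
    return urlsplit(value.strip()).scheme.lower() in SAFE_URL_SCHEMES


class IMSanitizer(HTMLParser):
    """Rebuilds a message from the allowlist; every other tag becomes visible text."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # <script>, <object>, <iframe>, <img>, <embed>, ... are shown literally,
            # so the rendering engine never sees them as markup.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops on* event handlers, style, classid, src, ...
            if name == "href" and not safe_url(value):
                continue  # a javascript: link would run in the client's IE zone
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close through the matching tag so the output is always well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
        elif tag not in ALLOWED_TAGS:
            self.out.append(escape(f"</{tag}>"))
        # A stray end tag for an allowed but unopened tag is silently dropped.

    def handle_data(self, data):
        self.out.append(escape(data))

    # Comments (including IE conditional comments), doctypes and PIs carry no message text.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close anything the sender left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_message(raw_html: str) -> str:
    """What the client should hand to its embedded IE control instead of the raw message."""
    parser = IMSanitizer()
    parser.feed(raw_html)
    return parser.result()


# Constructed sample messages, one per attack class in the advisory (not real captures).
SAMPLE_MESSAGES = {
    "benign":   'hi <b>there</b>, see <a href="http://example.com/">this</a>',
    "activex":  '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>',
    "script":   '<script>alert(document.cookie)</script>',
    "js_href":  '<a href="javascript:alert(1)">click</a>',
    "handler":  '<font color="red" onmouseover="alert(1)">hover</font>',
    "csrf_img": '<img src="http://bank.example/transfer?to=attacker">',
    "unclosed": '<b>bold <i>and italic',
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(f"{name:9} raw:  {raw}")
        print(f"{'':9} safe: {sanitize_message(raw)}")
```

The filter runs before the HTML reaches the rendering engine, so IE's own bugs and zone settings are reachable only through the handful of tags and attributes the client chose to allow. Unknown markup is escaped rather than dropped, which keeps the attack visible to the recipient; a denylist of known-bad tags would leave every tag the list forgot exposed, which is exactly the gap the advisory describes.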
At present the only versions not affected by the flaw are AIM 6.5, AIM Express and Classic AIM 5.9.