The affected versions are AIM 6.1 (6.1.41.2), AIM 6.2 (6.2.32.1), AIM Pro and AIM Lite.
“To support rendering of HTML content, the vulnerable IM clients use an embedded Internet Explorer server control. Unfortunately they do not properly sanitize the potentially malicious input content to be rendered and, as a result, an attacker might provide malicious HTML content as part of an IM message to directly exploit Internet Explorer bugs or to target IE’s security configuration weaknesses,” Core Security reports.
As it follows, the systems might be exposed to five different types of attack:
– Direct remote execution of arbitrary commands without user interaction
– Direct exploitation of IE bugs without user interaction
– Direct injection of scripting code in Internet Explorer(remotely injecting JavaScript code into the embedded IE control of the AIM client, for instance)
– Remote instantiation of Active X controls in the corresponding security zone
– Cross-site request forgery and token/cookie manipulation using embedded HTML
At present time the only version not affected by the flaw are AIM 6.5 (6.5.3.12), AIM Express and Classic AIM 5.9.