Tier-3, a behavioural analysis IT security specialist, claims that America Online (AOL) has effectively left the door ajar in the latest versions of its Instant Messenger (IM) software.
Core Security Technologies, the Boston-based company that discovered the IM flaw and notified AOL of the problem, says meanwhile that details of the flaw have appeared on several bug-tracking sites.
By exploiting the vulnerability, an attacker could remotely execute code on a user’s computer and exploit Internet Explorer bugs without user interaction.
Versions affected by the vulnerability are AIM 6.1, AIM 6.2, AIM Pro and AIM Lite.
"The use of Instant Messaging technology poses a security risk to organisations, and when there is a problem with the software the risk is greatly increased; users should immediately be moved to a version of AIM that does not contain the vulnerability," said Geoff Sweeney, Tier-3's CTO.
CoreLabs researchers found that, by exploiting this vulnerability, an attacker could subject workstations running AIM to the following attack methods:
1. Direct remote execution of arbitrary commands without user interaction.
2. Direct exploitation of Internet Explorer bugs without user interaction. For example, bugs whose exploitation normally requires the user to click on a URL provided by the attacker can be exploited directly through this attack vector.
3. Remote instantiation of ActiveX controls in the corresponding security zone.
4. Cross-site request forgery and token/cookie manipulation using embedded HTML.
Because of this, Core Security Technologies is recommending that users switch back to using AOL IM 5.9, or upgrade to v6.5, which is still in beta test.
Back at Tier-3, Sweeney said that under the circumstances it is far better to downgrade to a stable, non-vulnerable version of AOL IM such as 5.9 than to move to a later beta version which may not be properly tested.
"The use of IM software in the business environment is a highly contentious issue owing to the benefits it brings alongside the security issues it causes," he said.
"If, however, companies have behavioural analysis software installed on their systems, they can employ the benefits of instant messaging and have a level of protection against any potential security issues arising from its use," he added.
According to Sweeney, this is because behavioural analysis software can capture IM-loading security attacks and identify data leakage and piracy, as well as other unknown security problems.