Skip to main content

AOL has left door wide open over IM flaw, says Security firm

Tier-3, a behavioural analysis IT security specialist, claims that America Online (AOL) has effectively left the door ajar in the latest versions of its Instant Messenger (IM) software.

Core Security Technologies, the Boston-based company which discovered the IM flaw and notified AOL of the problem meanwhile, says that details of the flaw have appeared on several bug tracking sites.

By exploiting the vulnerability, an attacker could remotely execute code on a user’s computer and exploit Internet Explorer bugs without user interaction.

Versions affected by the vulnerability are AIM 6.1, AIM 6.2; AIM Pro and AIM Lite.

"The use of Instant Messaging technology poses a security risk to organisations and when there is a problem with the software the risk is greatly increased, users should immediately be moved to a version of AIM that does not contain the vulnerability" said Geoff Sweeney, Tier-3's CTO.

By exploiting this vulnerability, CoreLabs researchers discovered that workstations running AIM were susceptible to the following attack methods:

1. Direct remote execution of arbitrary commands without user interaction.
2. Direct exploitation of Internet Explorer bugs without user interaction. For example, exploitation bugs that normally require the user to click on a URL provided by the attacker can be exploited directly using this attack vector.
3. Direct injection of scripting code in Internet Explorer. For example, remotely injecting JavaScript code into the embedded IE control of the AIM client.
4. Remote instantiation of Active X controls in the corresponding security zone.
5. Cross-site request forgery and token/cookie manipulation using embedded HTML. Because of this, Core Security Technologies is recommending that users switch back to using AOL IM 5.9, or upgrade to v6.5, which is still in beta test.

Back at Tier-3, Sweeney said that under the circumstances it is far better to down grade to a stable non vulnerable version of AOL such as IM 5.9 rather than moving to a later beta version which may not be properly tested.

"The use of IM software in the business environment is a highly contentious issue owing to the benefits it brings alongside the security issues it causes," he said.

"If, however, companies have behavioural analysis software installed on their systems, they can employ the benefits of instant messaging and have a level of protection against any potetial security issues arising from its use," he added.

According to Sweeney, this is because behavioural analysis software can capture IM-loading security attacks, identify data leakage, piracy as well as other unknown security problems.

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at ITProPortal.com where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.