Millions of computers with registered copies of AOL Instant Messenger (AIM) are at risk from a variety of attacks via a vulnerability in AIM 6.1, AIM beta 6.2, AIM Pro and AIM Lite, according to researchers at Core Security. The flaw, which exists in AIM's HTML rendering function that relies on an embedded Internet Explorer (IE) server control, could allow an attacker to deliver malicious HTML code as part of a conversation, according to Core. This permits an attacker to exploit IE without user interaction, or to target security configuration weaknesses in the browser.
Other flaws included remote exploitation of ActiveX controls in the corresponding security zone and cross-site request forgery and token and cookie manipulation using embedded HTML.
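The defensive counterpart to the flaw described above is to never hand a raw message body to the embedded browser control. The following is an added example, not Core Security's or AOL's code; it assumes a hypothetical IM client that wants to keep a few formatting tags (bold, italic, font colour, links) and reduces everything else, including script, object/embed elements (the usual carriers for ActiveX), inline event handlers and non-http(s) link targets, to plain text before rendering. The sample messages are constructed for the example.

```python
"""Allowlist sanitizer for HTML carried in instant-message bodies.

Added example, not Core Security's or AOL's code. Assumes a hypothetical
IM client that renders message bodies in an embedded browser control and
wants to pass it only a small allowlist of formatting markup.
"""
from html import escape
from html.parser import HTMLParser

# Formatting tags the client legitimately needs (assumption for this example).
ALLOWED_TAGS = {"b", "i", "u", "br", "font", "a"}
# Attributes permitted per tag; anything else (on* handlers, style, id, ...) is dropped.
ALLOWED_ATTRS = {"font": {"color", "face", "size"}, "a": {"href"}}
# Elements whose text content is discarded as well, not just the tags.
DROP_CONTENT_TAGS = {"script", "style", "object", "embed", "iframe", "applet"}
# Link targets are restricted to web URLs; javascript:, data:, file: etc. are rejected.
SAFE_URL_SCHEMES = ("http://", "https://")


class IMHtmlSanitizer(HTMLParser):
    """Rebuilds the message from scratch, emitting only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is treated like <br>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth == 0 and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so a decoded "<" can never become markup again.
        if self._drop_depth == 0:
            self.out.append(escape(data, quote=False))


def sanitize_im_html(body: str) -> str:
    """Return the allowlisted rendering of one incoming message body."""
    parser = IMHtmlSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


# Constructed sample messages, as an incoming IM stream might carry them.
SAMPLE_MESSAGES = [
    '<b>hi</b> see <a href="https://example.com/">this</a>',
    '<font color="red" onmouseover="x()">hello</font>',
    'hello<script>alert(1)</script> world',
    '<a href="javascript:alert(1)">click</a>',
    '<iframe src="http://example.com/">fallback</iframe>after',
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(repr(msg), "->", repr(sanitize_im_html(msg)))
```

The point of rebuilding the output rather than deleting known-bad patterns is that nothing reaches the rendering control unless it matches the allowlist, so the client's exposure no longer depends on which IE zone or ActiveX configuration the embedded control happens to run with.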
Ivan Arce, Core Security chief technology officer, said that the company discovered the flaw on 1 Aug and reported it to AOL on 21 Aug after investigating the problem for three weeks.
Core recommends that users download and install a non-vulnerable version of AIM or use AOL's web-based AIM Express service until AOL has fixed the problem. Classic AIM 5.9 and the beta version of the next release (18.104.22.168) are not vulnerable to the flaw, according to Arce.
"[The types of vulnerabilities can appear when an application] offers more functionality and becomes more complex," as was the case when AOL moved from AIM 5.9 to 6.1, Arce said. "When you expand the footprint and complexity of an application, it's more prone to problems, and that's exactly what happened in this case."
Core said AOL has acknowledged the problem and recommends that AIM users upgrade to the latest version of the AIM beta client.
"The safety and security of AIM users is of utmost importance to us," AOL said in a statement. "To that end, we quickly take the necessary steps to block malicious content from reaching our users. We have resolved all of the issues presented to us by Core Security within all past, current and future versions of AIM."
Core Security, however, "believes otherwise."
Core said in a prepared release that the fix in place is a "Band-Aid," covering only exploitation over the IM channel on AOL's servers, while many AIM users remain at risk.