AOL patched a flaw allowing remote code execution when it released AOL Instant Messenger (AIM) 6.5, but researchers are still urging caution for enterprise users of the application.
CoreSecurity last month disclosed a flaw in AIM versions 6.1, 6.2 beta, AIM Pro and AIM Lite that could be exploited to launch several types of attacks, including script code injection.
Researcher Aviv Raff said Sunday on his blog that AOL has patched the flaw, but attackers will find other holes in the instant messaging (IM) platform.
Raff did not release proof-of-concept (PoC) code for the flaw, saying he would refrain “until AOL will fix their client properly.”
“This is mainly because it will probably not be so hard to manipulate the PoC and find another way to inject a script, and there's a short way from this to creating a massive IM worm,” he said.
An AOL spokesperson said today that the company fixed all known AIM security issues when it issued version 6.5.
Ivan Arce, CoreSecurity CTO, said that if enterprise employees must use AIM, they should use a less vulnerable version, use a compatible IM client from a third-party vendor, or apply the workaround of locking down the Local Machine zone for the AIM client.
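The Local Machine zone lockdown that Arce refers to is an Internet Explorer feature control: when a process is listed under the FEATURE_LOCALMACHINE_LOCKDOWN key, HTML that the process renders in the Local Machine zone is treated with the restrictive Local Machine Lockdown settings (script and ActiveX blocked by default). The PowerShell below is an added example written for this article, not code from AOL or CoreSecurity, and it assumes the AIM client's process name is aim.exe; substitute the executable name actually used by the installed version.

```powershell
# Added example: apply and verify Local Machine Zone Lockdown for a process.
# The feature-control key is a documented Internet Explorer setting; the
# process name "aim.exe" is an assumption for illustration.
$FeatureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'

function Enable-LocalMachineLockdown {
    param([Parameter(Mandatory)][string]$ProcessName)   # e.g. 'aim.exe' (assumed)
    if (-not (Test-Path $FeatureKey)) {
        New-Item -Path $FeatureKey -Force | Out-Null
    }
    # A DWORD value of 1 named after the executable opts that process into the lockdown.
    Set-ItemProperty -Path $FeatureKey -Name $ProcessName -Value 1 -Type DWord
}

function Test-LocalMachineLockdown {
    param([Parameter(Mandatory)][string]$ProcessName)
    if (-not (Test-Path $FeatureKey)) { return $false }
    $value = (Get-ItemProperty -Path $FeatureKey -ErrorAction SilentlyContinue).$ProcessName
    return ($value -eq 1)
}

# Usage (requires an elevated shell; writes under HKLM):
Enable-LocalMachineLockdown -ProcessName 'aim.exe'
if (Test-LocalMachineLockdown -ProcessName 'aim.exe') {
    Write-Output 'Local Machine Zone Lockdown is enabled for aim.exe'
} else {
    Write-Output 'Lockdown not set; check permissions and the process name'
}
```

The setting only hardens HTML rendered through the IE engine in the Local Machine zone; it does not remove the underlying injection flaw, which is why Arce presents it as a workaround alongside moving to a patched version or a different client.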