AIM Flaw Could Open Users' Computers to Attack
In the trenches of the instant messaging (IM) wars, America Online Inc. has so far argued against interoperability, citing security concerns on behalf of its AOL Instant Messenger (AIM) users. But a security advisory from @stake Inc., issued Wednesday morning, suggests AIM users may be at risk from the AIM client itself.
According to @stake, a security consulting and research firm based in Cambridge, Mass., the bug poses a serious risk because it does not require AIM's use, merely that it be installed. The client ships by default with current versions of the Netscape Communicator browser, in addition to stand-alone downloads.
The security weakness could allow an attacker -- through malicious HTML e-mail or a malicious Web site -- to remotely take control of a machine with AIM installed.
"This one happens to be real easy to exploit," said Weld Pond, manager of Research & Development, @stake. "In our lab we crafted up a code that would allow an attacker to download a file onto the user's system and then execute it. If it just crashed your instant messenger client that wouldn't be nearly so bad, but we think this is a big vulnerability."
But @stake said the client software has numerous vulnerabilities that allow a maliciously crafted URL to overflow internal buffers and obtain control of the program.
AIM has more than 64 million users, and Pond warned that the client is not used only on home machines. He thinks corporations also need to be concerned.
"We find in our network assessments that [AIM] is something that is used in corporations in a big way," he said. "There's millions of these that are actually not just on home computers but they're probably in corporate environments. I think it will be a struggle for IT departments to get a handle on making sure that their infrastructure is not vulnerable given that there's so many -- probably -- unsanctioned clients in their environments."
And IT departments shouldn't rely on firewalls to protect their infrastructure in this case. "As these vulnerabilities are a result of client-initiated communications, most corporate firewall configurations do not guard these environments from attack," @stake wrote in its advisory.
AOL posted a "refresh" version of the AIM client on Dec. 6, but has not gone to great lengths to advertise its availability or the reason users should download the patched version.
"We recently discovered a potential issue with the Web-based AIM program and immediately fixed it," said Andrew Weinstein, an AOL spokesman. "We have not, however, heard any reports that this exploit has been used in the real world."
As to not warning customers about the need to upgrade, Weinstein said, "We regularly advise our users to upgrade all the time."
"I don't know how AOL is ever going to let all these instant messenger users know that they should upgrade," Pond said. "On the site there's no mention of this problem, there's no release notes about any things that are fixed. Unless people know to upgrade, they'll stay vulnerable, and this is the type of software which I can see a year going by or two yea