In the trenches of the instant messaging (IM) wars, America Online Inc. has so far argued against interoperability, citing security concerns on behalf of its AOL Instant Messenger (AIM) users. But a security advisory from @stake Inc., issued Wednesday morning, suggests AIM users may be at risk from the AIM client itself.
According to @stake, a security consulting and research firm based in Cambridge, Mass., the bug poses a serious risk because it does not require AIM’s use, merely that it be installed. The client ships by default with current versions of the Netscape Communicator browser, in addition to stand-alone downloads.
The security weakness could allow an attacker — through malicious HTML e-mail or a malicious Web site — to remotely take control of a machine with AIM installed.
“This one happens to be real easy to exploit,” said Weld Pond, manager of Research & Development, @stake. “In our lab we crafted up a code that would allow an attacker to download a file onto the user’s system and then execute it. If it just crashed your instant messenger client that wouldn’t be nearly so bad, but we think this is a big vulnerability.”
The bug stems from the fact that AIM, when installed, registers the URL protocol “aim:” as a hook into its executable, according to @stake. This allows users to publish their AOL screen names on Web pages and be quickly and easily added to viewers’ “Buddy Lists,” engage in AIM Chat or otherwise access AIM functionality by simply clicking on a link. To achieve this, each “aim:” URL is passed directly to the AIM client as if it had been typed on the command line. For instance, AIM users can type “aim:goim?Screenname=bob&Message=hi bob” into the location bar of their browsers, and the command will be passed to AIM, which opens an instant message box with the words “hi bob.”
But @stake said the client software has numerous vulnerabilities that allow a maliciously crafted URL to overflow internal buffers and obtain control of the program.
AIM has more than 64 million users, and Pond warned that not all of those users run the client only at home. He thinks corporations also need to be concerned.
“We find in our network assessments that [AIM] is something that is used in corporations in a big way,” he said. “There’s millions of these that are actually not just on home computers but they’re probably in corporate environments. I think it will be a struggle for IT departments to get a handle on making sure that their infrastructure is not vulnerable given that there’s so many — probably — unsanctioned clients in their environments.”
And IT departments shouldn’t rely on firewalls to protect their infrastructure in this case. “As these vulnerabilities are a result of client-initiated communications, most corporate firewall configurations do not guard these environments from attack,” @stake wrote in its advisory.
AOL posted a “refresh” version of the AIM client on Dec. 6, but has not gone to great lengths to advertise its availability or the reason users should download the patched version.
“We recently discovered a potential issue with the Web-based AIM program and immediately fixed it,” said Andrew Weinstein, an AOL spokesman. “We have not, however, heard any reports that this exploit has been used in the real world.”
As to not warning customers about the need to upgrade, Weinstein said, “We regularly advise our users to upgrade all the time.”
“I don’t know how AOL is ever going to let all these instant messenger users know that they should upgrade,” Pond said. “On the site there’s no mention of this problem, there’s no release notes about any things that are fixed. Unless people know to upgrade, they’ll stay vulnerable, and this is the type of software which I can see a year going by or two years going by before someone will upgrade their software. And they’re going to be vulnerable that whole time.”
@stake suggested that users who cannot upgrade easily should uninstall AIM through the Add/Remove Programs control panel. Alternatively, registry key settings can be changed to prevent AIM from being launched by a malicious URL. However, AIM rewrites its registry settings each time it is launched, undoing any such protective change unless it is made on Windows NT or Windows 2000, both of which can enforce access control on registry keys.
@stake said the following key values should be set to empty:
Users should then change the security permissions on those keys to READ-ONLY.
Another alternative is to delete the registry key — HKEY_CLASSES_ROOT\aim\shell\open\command — following each launch of AIM.
Environments that utilize application proxies or other filtering tools can filter out “aim:” URLs at the filtering point.
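As an added example (not code from @stake’s advisory or from AOL), here is the kind of check a filtering proxy or mail gateway could apply to do what the last paragraph describes: scan the HTML it relays for any “aim:” URL a browser or mail client would hand to the registered protocol handler. The attribute list, the block-rather-than-rewrite decision and the sample pages are assumptions made for this example.

```python
# Added example: flag aim: protocol-handler URLs in HTML at a filtering point.
import re
from html.parser import HTMLParser

# Attributes a browser will navigate or fetch (assumed list for this example).
URL_ATTRS = {"href", "src", "action", "data", "formaction"}
# Browsers ignore leading whitespace and match schemes case-insensitively,
# so "  AIM:" must be caught as well as "aim:".
AIM_SCHEME = re.compile(r"^\s*aim\s*:", re.IGNORECASE)
# <meta http-equiv="refresh" content="0;url=aim:..."> also launches the handler.
META_REFRESH_URL = re.compile(r"url\s*=\s*(.+)$", re.IGNORECASE)
# A string literal inside <script>, e.g. location = "aim:goim?..."
SCRIPT_AIM = re.compile(r"""["']\s*aim\s*:[^"']*["']""", re.IGNORECASE)


class AimUrlScanner(HTMLParser):
    """Records (tag, attribute, value) for every aim: URL a page could trigger."""

    def __init__(self):
        # convert_charrefs=True decodes &#97;im: to aim: before we inspect it,
        # which is what the browser does before choosing a protocol handler.
        super().__init__(convert_charrefs=True)
        self.hits = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):  # tag and attr names arrive lowercased
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if not value:
                continue
            if name in URL_ATTRS and AIM_SCHEME.match(value):
                self.hits.append((tag, name, value.strip()))
            elif tag == "meta" and name == "content":
                m = META_REFRESH_URL.search(value)
                if m and AIM_SCHEME.match(m.group(1)):
                    self.hits.append((tag, name, m.group(1).strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in SCRIPT_AIM.finditer(data):
                self.hits.append(("script", "inline", m.group(0)))


def find_aim_urls(html: str):
    """Return every aim: URL found; an empty list means the page is clean."""
    scanner = AimUrlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def filter_response(html: str):
    """Filtering-point decision: (allow, reason). The page is blocked rather than
    rewritten, because the handler receives the whole URL as a command line."""
    hits = find_aim_urls(html)
    return (False, f"blocked: {len(hits)} aim: URL(s) found") if hits else (True, "clean")
```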