Flaw May Leave AIM Open to Attack

Security experts Wednesday uncovered what they call a “major security vulnerability” in the latest stable (4.7.2480) and beta
(4.8.2616) versions of AOL Time Warner’s AOL Instant Messenger (AIM) for Windows. AOL said AIM has more than 100 million users.

“This vulnerability will allow remote penetration of the victim’s system without any indication as to who performed the attack,”
researchers with non-profit security research group w00w00 Security Development said Wednesday. “There is no opportunity to refuse
the request. This does not affect the non-Windows versions, because the non-Windows versions currently do not yet support the
feature that this vulnerability occurs in.”

According to w00w00, the vulnerability is the result of an overflow in the code that parses a game request in the “Play Game with
Buddy” feature.

“The implications of this vulnerability are huge and leave the door wide open for a worm not unlike those that Microsoft Outlook,
IIS, et al, have all had,” the w00w00 researchers said. “An exploit could easily be amended to download itself off the Web,
determine the buddies of the victim, and then attack them also. Given the general nature of the social networks and how they are
structured, we predict that it wouldn’t take long for such an attack to propagate.”

AOL said Wednesday afternoon that it is working on a fix.

“We’ve identified the issue and have developed a resolution,” said AOL spokesman Andrew Weinstein. “That resolution should be deployed within the next day or two.”

Weinstein said AOL will utilize a server-side patch so that users will not need to download it.

w00w00 noted that it is constrained by the Digital Millennium Copyright Act (DMCA) from providing a patch for the vulnerability.
According to the DMCA, if a product is released in binary form only in order to protect its technologies (as AIM is), it is a
violation to attempt to reverse engineer the file.

“Normally we would be inclined to provide a fix, but it is illegal to reverse engineer the AIM executable, so we are unable to
provide a patch which will modify it,” w00w00 said.

While waiting for AOL to fix the flaw, w00w00 said users could protect themselves with filtering software like Wicon Software‘s AIM Filter, available for free download.

w00w00 has posted the source code for the exploit on its Web site.

News Around the Web