RealTime IT News

AIM Flaw Could Open Users' Computers to Attack

In the trenches of the instant messaging (IM) wars, America Online Inc. has so far argued against interoperability, citing security concerns on behalf of its AOL Instant Messenger (AIM) users. But a security advisory from @stake Inc., issued Wednesday morning, suggests AIM users may be at risk from the AIM client itself.

According to @stake, a security consulting and research firm based in Cambridge, Mass., the bug poses a serious risk because it does not require that AIM be in use, merely that it be installed. The client ships by default with current versions of the Netscape Communicator browser, in addition to stand-alone downloads.

The security weakness could allow an attacker -- through malicious HTML e-mail or a malicious Web site -- to remotely take control of a machine with AIM installed.

"This one happens to be real easy to exploit," said Weld Pond, manager of Research & Development, @stake. "In our lab we crafted up a code that would allow an attacker to download a file onto the user's system and then execute it. If it just crashed your instant messenger client that wouldn't be nearly so bad, but we think this is a big vulnerability."

The bug stems from the fact that AIM, when installed, registers the URL protocol "aim:" as a hook into its executable, according to @stake. This allows users to publish their AOL screen names on Web pages and be quickly and easily added to viewers' "Buddy Lists," engage in AIM Chat or otherwise access AIM functionality by simply clicking on a link. To achieve this, each "aim:" URL is passed directly to the AIM client as if it had been entered on the command line. For instance, AIM users can type: "aim:goim?Screenname=bob&Message=hi bob" into the command lines of their browsers, and the command will be passed to AIM, which opens an instant message box with the words "hi bob."

But @stake said the client software has numerous vulnerabilities that allow a maliciously crafted URL to overflow internal buffers and obtain control of the program.
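As an added illustration (not code from @stake's advisory or from AOL), here is how a handler for the "aim:goim?Screenname=...&Message=..." form quoted above can check each field's length before copying it into a fixed-size buffer and reject the whole URL otherwise. The buffer sizes, the struct and the function names are assumptions made for this example, and it does not decode URL escapes.

```c
#include <string.h>

/* Assumed limits for this example; the article gives no real buffer sizes. */
#define SN_MAX  32
#define MSG_MAX 256

struct goim {
    char screenname[SN_MAX + 1];
    char message[MSG_MAX + 1];
};

/* Copy a value of known length into dst only if it fits with its NUL. */
static int copy_field(const char *val, size_t len, char *dst, size_t cap)
{
    if (len >= cap)
        return -1;              /* over-long: reject instead of overflowing */
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "aim:goim?Screenname=...&Message=..."; 0 on success, -1 on reject. */
int parse_goim(const char *url, struct goim *out)
{
    static const char prefix[] = "aim:goim?";
    const char *p;
    memset(out, 0, sizeof *out);
    if (strncmp(url, prefix, sizeof prefix - 1) != 0)
        return -1;
    p = url + sizeof prefix - 1;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t flen = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', flen);
        size_t klen, vlen;
        int rc = -1;            /* unknown or malformed parameter by default */
        if (!eq) return -1;
        klen = (size_t)(eq - p);
        vlen = flen - klen - 1;
        if (klen == 10 && memcmp(p, "Screenname", 10) == 0)
            rc = copy_field(eq + 1, vlen, out->screenname, sizeof out->screenname);
        else if (klen == 7 && memcmp(p, "Message", 7) == 0)
            rc = copy_field(eq + 1, vlen, out->message, sizeof out->message);
        if (rc != 0)
            return -1;
        p += flen + (amp ? 1 : 0);
    }
    return out->screenname[0] ? 0 : -1;
}
```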

AIM has more than 64 million users and Pond warned that not all those users utilize the client only at home. He thinks corporations also need to be concerned.

"We find in our network assessments that [AIM] is something that is used in corporations in a big way," he said. "There's millions of these that are actually not just on home computers but they're probably in corporate environments. I think it will be a struggle for IT departments to get a handle on making sure that their infrastructure is not vulnerable given that there's so many -- probably -- unsanctioned clients in their environments."

And IT departments shouldn't rely on firewalls to protect their infrastructure in this case. "As these vulnerabilities are a result of client-initiated communications, most corporate firewall configurations do not guard these environments from attack," @stake wrote in its advisory.

AOL posted a "refresh" version of the AIM client on Dec. 6, but has not gone to great lengths to advertise its availability or the reason users should download the patched version.

"We recently discovered a potential issue with the Web-based AIM program and immediately fixed it," said Andrew Weinstein, an AOL spokesman. "We have not, however, heard any reports that this exploit has been used in the real world."

As to not warning customers about the need to upgrade, Weinstein said, "We regularly advise our users to upgrade all the time."

"I don't know how AOL is ever going to let all these instant messenger users know that they should upgrade," Pond said. "On the site there's no mention of this problem, there's no release notes about any things that are fixed. Unless people know to upgrade, they'll stay vulnerable, and this is the type of software which I can see a year going by or two yea