Perhaps the most dangerous type of online vulnerability is the one where the
user doesn’t actually do anything in order to become infected. It is that
type of vulnerability that security researchers claim AOL’s popular instant
messaging client, AIM, was at risk from.
Core Security has issued an advisory noting that AIM 6.1 (and 6.2 beta), AIM
Pro and AIM Lite were at risk from a vulnerability that could remotely
execute code on an AIM user’s computer without user interaction. The
vulnerability could have potentially placed millions of AIM users at risk.
Israeli security researcher Aviv Raff has also alleged on his blog that there are still issues that need addressing and that users are vulnerable.
An AOL spokesperson told InternetNews.com that the company has addressed the known issues on the server side that have been raised by Aviv Raff and Core Security. A new version of the AIM client that addresses the known issues will be available next week.
The vulnerability that Core Security discovered, according to the National Vulnerability Database, “allows remote attackers to write arbitrary HTML to a notification window via unspecified vectors in circumstances ‘when the window of origin is not the main focus.’”
It turns out that Microsoft Internet Explorer DLLs
Ivan Arce, Core Security’s CTO, said his firm found the
vulnerability accidentally. Arce told InternetNews.com that a Core
Security researcher was using AIM and realized that AIM was using IE objects within it. The researcher figured that if IE is
embedded in the AIM client, perhaps IE functions like ActiveX controls would
work, which is what the researcher eventually determined.
AOL said it has addressed the issue by employing host-side
filtering on the AIM servers to block the potentially malicious content from
being sent to AIM clients.
But that doesn’t necessarily constitute a full fix in Arce’s view.
“It is fixed but not fixed by filtering on the server; that doesn’t remove
the bug,” Arce argued. “The right fix is to make the bug not exist.”
The older AIM 5.9 Classic version does not use the IE objects and is not
vulnerable. AOL has also made fixes in the AIM 6.5 client, which is still under
development.
“The filtering mechanism doesn’t remove the bug, it just prevents
exploitation, and they are preventing exploitation as we speak,” Arce added.
“It’s good mediation but it’s not the final solution.”
Though the flaw is related to AOL’s use of IE objects, Microsoft is not to
blame, according to Arce. He argued that there are ways to embed IE safely
and ways to embed it unsafely.
“AOL didn’t do it right,” Arce alleged. However, Arce said that AOL has improved over the years. When he reported vulnerabilities to AOL in
2003, the response that he received was very poor and AOL didn’t care. In
2006 they were not as bad, but still not as good as Arce would have liked.
“This year was better than last year and has been an improvement,” Arce
said. “We would still like it to be faster, but they’re getting better.”
Arce wasn’t the only one claiming that AIM users were at risk from remote
exploitation.