RealTime IT News

AOL Claims AIM is Safe

Perhaps the most dangerous type of online vulnerability is the one where the user doesn't actually do anything in order to become infected. It is that type of vulnerability that security researchers claim AOL's popular instant messaging client, AIM, was at risk from.

Core Security has issued an advisory noting that AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite were at risk from a vulnerability that could remotely execute code on an AIM user's computer without user interaction. The vulnerability could have potentially placed millions of AIM users at risk.

Israeli security researcher Aviv Raff has also alleged on his blog that there are still issues that need addressing and that users are vulnerable.

An AOL spokesperson told InternetNews.com that the company has addressed the known issues on the server side that have been raised by Aviv Raff and Core Security. A new version of the AIM client that addresses the known issues will be available next week.

The vulnerability that Core Security discovered, according to the National Vulnerability Database, "allows remote attackers to write arbitrary HTML to a notification window via unspecified vectors in circumstances 'when the window of origin is not the main focus.'"

The root cause turns out to be the Microsoft Internet Explorer DLLs that enable AIM to render HTML and, in this case, also to execute code.

Ivan Arce, Core Security's CTO, said his firm found the vulnerability accidentally. Arce told InternetNews.com that a Core Security researcher was using AIM and realized that AIM was using IE objects within it. The researcher figured that if IE is embedded in the AIM client, perhaps IE functions like ActiveX controls would work, which is eventually what the researcher determined.

AOL said it has addressed the issue by employing host-side filtering on the AIM servers to block the potentially malicious content from being sent to AIM clients.

But that doesn't necessarily constitute a full fix in Arce's view.

"It is fixed but not fixed by filtering on the server; that doesn't remove the bug," Arce argued. "The right fix is to make the bug not exist."

The older AIM 5.9 Classic version does not use the IE objects and is not vulnerable. AOL has also made fixes in the AIM 6.5 client, which is under development.

"The filtering mechanism doesn't remove the bug, it just prevents exploitation, and they are preventing exploitation as we speak," Arce added. "It's good mediation but it's not the final solution."

Though the flaw is related to AOL's use of IE objects, Microsoft is not to blame, according to Arce. He argued that there are ways to embed IE safely and ways to embed it unsafely.

"AOL didn't do it right," Arce alleged. However, Arce said that AOL has improved over the years. When he reported vulnerabilities to AOL in 2003, the response that he received was very poor and AOL didn't care. In 2006 they were not as bad, but still not as good as Arce would have liked.

"This year was better than last year and has been an improvement," Arce said. "We would still like it to be faster, but they're getting better."

Arce wasn't the only one claiming that AIM users were at risk from remote exploitation.