AOL (America Online) has left the door ajar for attacks in the latest versions of its Instant Messenger (IM) software, according to behavioural analysis IT security firm Tier-3.
By exploiting the vulnerability, an attacker could remotely execute code on a user’s computer and exploit Internet Explorer bugs without user interaction. Versions affected by the vulnerability are AIM 6.1, AIM 6.2, AIM Pro and AIM Lite.
Core Security Technologies, the Boston-based company that discovered the IM flaw and notified AOL of the problem, says that details of the flaw have appeared on several bug tracking sites.
“The use of Instant Messaging technology poses a security risk to organisations, and when there is a problem with the software the risk is greatly increased,” says Geoff Sweeney, Tier-3’s CTO. “Users should immediately be moved to a version of AIM that does not contain the vulnerability.”
By exploiting the vulnerability, CoreLabs researchers discovered that workstations running AIM were susceptible to the following attack methods:
- Direct remote execution of arbitrary commands without user interaction.
- Direct exploitation of Internet Explorer bugs without user interaction. Bugs that normally require the user to click on a URL provided by the attacker can be exploited directly using this attack vector.
- Direct injection of scripting code in Internet Explorer.
- Remote instantiation of ActiveX controls in the corresponding security zone.
- Cross-site request forgery and token/cookie manipulation using embedded HTML.
Core Security Technologies is recommending that users switch back to using AOL IM 5.9, or upgrade to v6.5, which is still in beta test.
Sweeney agrees that, under the circumstances, it is far better to downgrade to a stable, non-vulnerable version of AOL IM. “The use of IM software in the business environment is a highly contentious issue, owing to the benefits it brings alongside the security issues it causes,” he adds.