AOL Patches AIM Worm Hole
America Online has shipped a patch for a serious, wormable hole in its AIM client that exposes Windows PCs to code execution without any action by the user. The flaw is fixed in AIM 6.5, but AOL has published no warning or advisory to alert its millions of customers.
The flaw lies in the way the AIM client uses Internet Explorer's rendering engine to display HTML messages. By sending a crafted HTML message to an AIM user, an attacker can run arbitrary code on the victim's PC, or force the embedded IE control to navigate to a malicious Web page.
The vulnerability was reported to AOL by researchers at Core Security Technologies almost a month ago. It exists because AIM renders HTML content through an embedded Internet Explorer browser control, so anything in a message is displayed by IE with whatever privileges that control has. According to PC World on October 15, 2007, AOL says it is not aware of any attacks exploiting the problem.
While the patch closes the specific attack vector, security researcher Aviv Raff stressed that the underlying issue, the misuse of Internet Explorer's Local Zone lockdown, remains. That means that if an attacker finds a new way to embed script in an HTML AIM message, it would again allow arbitrary code to run on the victim's PC.
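The two paragraphs above describe the root problem: untrusted HTML from a remote user is handed to a browser control that renders it with the client's own privileges, and blocking one known script vector does not prevent the next one. The defence a client author would want is an allow-list sanitiser that rebuilds the message from a few harmless tags and attributes and discards everything else, including obfuscated script URLs. The following is an added example in Python, not AOL's or AIM's code; the tag and attribute policy, the function names and the sample messages are all assumptions made for the illustration.

```python
"""Allow-list sanitiser for HTML instant messages (added example).

Assumed scenario, not AIM's actual implementation: an IM client hands
incoming HTML to an embedded browser control. Anything that reaches the
control runs with the control's privileges, so the policy is an allow-list:
keep a few formatting tags and attributes, regenerate the markup from
scratch, and drop everything else (script, event handlers, styles, frames,
comments and non-http(s) link targets).
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical policy for a chat message: formatting only, no active content.
ALLOWED_TAGS = {"b", "i", "u", "br", "p", "font", "a"}
ALLOWED_ATTRS = {"font": {"color", "face", "size"}, "a": {"href"}}
VOID_TAGS = {"br"}
MUTED_TAGS = {"script", "style"}          # drop the element AND its text
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(value):
    """Return the URL if it has an explicit http/https/mailto scheme, else None.

    HTMLParser has already decoded entities once; decoding again and
    stripping control/whitespace characters defeats double-encoded or
    split payloads such as 'jav&amp;#x61;script:' or 'java\\tscript:'.
    Relative and scheme-relative URLs are rejected: they would resolve
    against whatever zone the browser control is running in.
    """
    cleaned = "".join(ch for ch in html.unescape(value) if ord(ch) > 32)
    scheme = urlparse(cleaned).scheme.lower()
    return cleaned if scheme in SAFE_SCHEMES else None


class MessageSanitizer(HTMLParser):
    """Rebuilds the message using only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, to keep output balanced
        self.muted = 0        # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in MUTED_TAGS:
            self.muted += 1
            return
        if tag not in ALLOWED_TAGS:
            return                                  # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                            # this drops on*, style, src, ...
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in MUTED_TAGS:
            self.muted = max(0, self.muted - 1)
        elif tag in self.open_tags:
            # Close everything opened after it so the output stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.muted:
            self.out.append(html.escape(data, quote=False))   # text is re-escaped

    def handle_comment(self, data):
        pass   # comments, including IE conditional comments, are dropped


def sanitize_message(raw_html):
    """Return a cleaned copy of an incoming HTML message."""
    parser = MessageSanitizer()
    parser.feed(raw_html)
    parser.close()
    while parser.open_tags:                         # close anything the sender left open
        parser.out.append("</%s>" % parser.open_tags.pop())
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample messages, not real captured traffic.
    samples = [
        '<b>hi</b> <a href="http://example.com/">link</a>',
        '<b onmouseover="alert(1)">x</b><script>alert(1)</script>',
        '<a href="jav&#x61;script:alert(1)">go</a>',
        '<iframe src="http://evil.example/"></iframe>text',
        '<i><b>unbalanced</i>',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize_message(s)))
```

The point of rebuilding rather than filtering is that a new script-injection trick (a tag, attribute or URL scheme nobody thought to blacklist) is rejected by default; whatever the rendering control's zone settings, it only ever sees markup the client itself generated.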
Raff had intended to publish proof-of-concept code showing how the flaw could be exploited, but has decided to withhold it until AOL properly fixes the AIM client. He believes that with a little extra effort attackers could adapt his proof-of-concept code to bypass AOL's protections and build a "massive IM worm".
AOL users still running the standalone AIM client should apply the patch immediately.
Related article: AOL Yet to Fix Original Critical Flaw Discovered in September 2007
» SPAMfighter News - 30-10-2007