In association with heise online

26 September 2007, 11:00

Uninvited remote maintenance via AIM [Update]

Security service provider Core Security has released a security advisory describing vulnerabilities in AOL Instant Messenger (AIM). The instant messaging software uses Microsoft's HTML library mshtml.dll to display messages, but fails to adequately sanitise incoming messages, allowing attackers to execute arbitrary commands on AIM users' computers.

In the advisory, the security researchers explain that a crafted message sent by an attacker to AIM users does not even have to be opened: merely receiving the message is enough to, for example, start the command line, allowing arbitrary commands to be executed. Since JavaScript can also be executed via <img> tags embedded in the message, attackers can execute arbitrary JavaScript in the local zone, i.e. with full access privileges to the computer. The security advisory also includes demonstrations of faked error messages containing data entry forms for user name and password, potentially allowing access data for the AIM network to be stolen.

According to the advisory, AOL has confirmed the vulnerabilities in AIM 6.1, 6.2, Pro and Lite and has categorised them as critical. AOL developers have now improved server side filtering of messages, but, according to Core Security, it is still possible to slip JavaScript past the filters. AOL plans to release an updated, bug-fixed version in mid October. Until then, using the latest beta version, which does not contain this vulnerability, should offer some relief.


Security researcher Aviv Raff writes in his blog that, contrary to previous reports, the beta version of AIM still includes the flaw. AIM users should stop using the software until an update is available, or alternatively use other IM software such as Miranda-IM.
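
The filter bypass described above is typical of blocklist filtering. The following added example (not code from the advisory, Core Security or AOL) contrasts a hypothetical blocklist filter with an allowlist sanitiser applied before a message is handed to an HTML renderer; the function names, the allowed tag set and the sample messages are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

def blocklist_filter(msg: str) -> str:
    """Hypothetical weak filter: strips a few known-bad strings, case-sensitively."""
    for bad in ("<script", "javascript:", "onerror"):
        msg = msg.replace(bad, "")
    return msg

# Plain formatting tags only; everything else (img, script, form, ...) is dropped.
ALLOWED_TAGS = {"b", "i", "u", "br"}

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the message from allowed tags and escaped text only."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        # The parser lower-cases tag names; attributes are never copied,
        # so event handlers and URL attributes cannot survive.
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-encoded, never passed as markup

def sanitize(msg: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(msg)
    parser.close()
    return "".join(parser.out)

# Constructed sample messages (not taken from the advisory).
SAMPLES = [
    '<b>hello</b>',
    '<IMG SRC="x" OnError="alert(1)">',
    'hi <img src="javascript:alert(1)"> there',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"in:        {s}\nblocklist: {blocklist_filter(s)}\nallowlist: {sanitize(s)}\n")
```

The blocklist leaves the mixed-case handler and the <img> element in place, while the allowlist output contains only the permitted formatting tags and escaped text.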
