Core Security Technologies Discovers Vulnerability in AOL's Popular AIM Instant Messaging Software


Millions of Users Running AIM Clients Vulnerable to Several High-Risk Attack Methods

BOSTON, MA - September 26, 2007 - Core Security Technologies, provider of CORE IMPACT, the most comprehensive product for performing enterprise security assurance testing, today issued an advisory disclosing a vulnerability that could severely impact the millions of registered users of America Online’s instant-messaging service, AIM. Researchers from CoreLabs, the research arm of Core Security, discovered that, by exploiting this vulnerability, an attacker could remotely execute code on a user’s computer and exploit Internet Explorer bugs without user interaction. Specifically, the vulnerabilities affect:

  • AIM 6.1 (and 6.2 beta) - the latest version of AOL’s instant messaging application, which allows its users to communicate in real time via text, voice and video over the Internet.
  • AIM Pro - AOL’s version of AIM for corporate users, which includes additional business-grade security functionality and integration with email clients and other productivity applications.
  • AIM Lite - a reference application developed by AOL that is used to test new technology and is available to the public in the form of a “light IM client.”



“This vulnerability poses a significant security risk to millions of AIM users,” said Iván Arce, CTO at Core Security Technologies. “Core Security has alerted AOL to this threat and has provided full technical details about the vulnerability so that they can address it in their products. Since we notified AOL, this vulnerability has emerged on several public bug-tracking websites. Therefore, we believe it is necessary to bring precise details about this issue to light immediately, so that AIM users and organizations using AIM can be made aware of the threat, assess their risk, and take the appropriate measures to ensure that they are protected.”

AIM users running vulnerable client software should switch to the non-vulnerable versions: AIM version 5.9, the latest version of the AIM client 6.5 (which is still in beta), or the web-based AIM Express.

Vulnerability Specifics:

CoreLabs discovered a vulnerability in AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite, which exposes workstations running these IM clients and their users to several immediate high-risk attack vectors. All of the vulnerable AIM clients include support for enhanced message types that enable AIM users to use HTML (Hyper Text Markup Language) to customize text messages with specific font formats or colors. To render this HTML content, the vulnerable AIM clients use an embedded Internet Explorer server control. Because these clients do not properly sanitize potentially malicious input content before it is rendered, an attacker could deliver malicious HTML code as part of an IM message to directly exploit Internet Explorer bugs without user interaction or to target security configuration weaknesses in Internet Explorer.

By exploiting this vulnerability, CoreLabs researchers discovered that workstations running AIM were susceptible to the following attack methods:

  • Direct remote execution of arbitrary commands without user interaction.
  • Direct exploitation of Internet Explorer bugs without user interaction. For example, bugs that normally require the user to click on a URL provided by the attacker can be exploited directly using this attack vector.
  • Direct injection of scripting code in Internet Explorer. For example, remotely injecting JavaScript code into the embedded IE control of the AIM client.
  • Remote instantiation of ActiveX controls in the corresponding security zone.
  • Cross-site request forgery and token/cookie manipulation using embedded HTML.
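
The missing step described above is sanitizing message HTML before it reaches the embedded browser control. The following allowlist filter is an added example, not code from Core Security or AOL; the tag and attribute allowlist, all names, and the sample message are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
# Assumed allowlist: formatting tags only, each with the attributes it may carry.
ALLOWED = {"b": set(), "i": set(), "u": set(), "br": set(),
           "font": {"color", "face", "size"}}
VOID = {"br"}
DROP_CONTENT = {"script", "style"}  # text inside these is discarded too
# Constructed sample message, not taken from the advisory.
SAMPLE = ('<font color="#ff0000" onmouseover="x()">hi</font><script>x()</script>'
          '<object classid="clsid:0"></object><b>bye</b>')

class MessageSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # tags/attributes removed, for logging
        self.skip_depth = 0    # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        if tag not in ALLOWED:
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED[tag] and value is not None:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip_depth:
            self.skip_depth -= 1
        elif tag in ALLOWED and tag not in VOID and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def sanitize(message):
    """Return (safe_html, dropped) for one incoming message body."""
    p = MessageSanitizer()
    p.feed(message)
    p.close()
    return "".join(p.out), p.dropped
```

The `dropped` list gives a receiving client or gateway something to log when a message carries markup outside plain text formatting.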



To protect against potential attacks, Core Security recommends that users download a non-vulnerable version of AIM, such as Classic AIM 5.9 or the beta version of the next release 6.5.3.12, or use AOL’s web-based AIM Express service until the problem has been addressed by AOL.

AOL has acknowledged this problem and recommends that users of AIM upgrade to the latest version of the AIM beta client, which can be found at beta.aol.com.

For more information on this vulnerability and the systems affected, please visit:

http://www.coresecurity.com/?action=item&id=1924



About CoreLabs


CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at:  http://www.coresecurity.com/corelabs/.

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company’s flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

Contacts:

Dave Bowker or Tim Whitman

Schwartz Communications

781 684-0770

coresecurity@schwartz-pr.com

Wed, September 26