Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec

Tier-3 discovers AOL IM flaw

Tier-3 : 27 September, 2007  (Technical Article)
IM flaw exposes Internet Explorer vulnerabilities and increases risk of using instant messaging
Tier-3 claims that America Online (AOL) has effectively left the door ajar in the latest versions of its Instant Messenger (IM) software.

Core Security Technologies, the Boston-based company which discovered the IM flaw and notified AOL of the problem meanwhile, says that details of the flaw have appeared on several bug tracking sites. By exploiting the vulnerability, an attacker could remotely execute code on a user's computer and exploit Internet Explorer bugs without user interaction. Specifically, the vulnerabilities affect. Versions affected by the vulnerability are AIM 6.1, AIM 6.2; AIM Pro and AIM Lite.

'The use of Instant Messaging technology poses a security risk to organisations and when there is a problem with the software the risk is greatly increased, users should immediately be moved to a version of AIM that does not contain the vulnerability' said Geoff Sweeney, Tier-3's CTO.

By exploiting this vulnerability, CoreLabs researchers discovered that workstations running AIM were susceptible to the following attack methods:.

* Direct remote execution of arbitrary commands without user interaction.
* Direct exploitation of Internet Explorer bugs without user interaction. For example, exploitation bugs that normally require the user to click on a URL provided by the attacker can be exploited directly using this attack vector.
* Direct injection of scripting code in Internet Explorer. For example, remotely injecting JavaScript code into the embedded IE control of the AIM client.
* Remote instantiation of Active X controls in the corresponding security zone.
* Cross-site request forgery and token/cookie manipulation using embedded HTML.

Because of this, Core Security Technologies is recommending that users switch back to using AOL IM 5.9, or upgrade to v6.5, which is still in beta test.

Back at Tier-3, Sweeney said that under the circumstances it is far better to down grade to a stable non vulnerable version of AOL such as IM 5.9 rather than moving to a later beta version which may not be properly tested.

'The use of IM software in the business environment is a highly contentious issue owing to the benefits it brings alongside the security issues it causes,' he said.

'If, however, companies have behavioural analysis software installed on their systems, they can employ the benefits of instant messaging and have a level of protection against any potetial security issues arising from its use,' he added.

According to Sweeney, this is because behavioural analysis software can capture IM-loading security attacks, identify data leakage, piracy as well as other unknown security problems.

Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo