AOL patches flaw with AIM 6.5; experts warn against corporate platform use

AOL patched a flaw allowing remote code execution when it released AOL Instant Messenger (AIM) 6.5, but researchers are still urging caution for enterprise users of the application.

CoreSecurity last month disclosed a flaw in AIM versions 6.1, 6.2 beta, AIM Pro and AIM Lite that could be exploited to launch several types of attacks, including remote code execution. The flaw also allowed an attacker to inject script, including JavaScript, into the client on a targeted PC.

Researcher Aviv Raff said Sunday on his blog that AOL has patched the flaw, but attackers will find other holes in the instant messaging (IM) platform.

Raff did not release proof-of-concept (PoC) code for the flaw, saying he would refrain “until AOL will fix their client properly.”

“This is mainly because it will probably not be so hard to manipulate the PoC and find another way to inject a script, and there's a short way from this to creating a massive IM worm,” he said.

An AOL spokesperson said today that the Dulles, Va.-based web giant fixed all known AIM security issues when it issued version 6.5.

Ivan Arce, CoreSecurity CTO, told SCMagazineUS.com today that if enterprise employees must use AIM, they should use a less vulnerable version, a compatible IM client from a third-party vendor, or apply the workaround of locking down the Local Machine zone.

“What they did in [version] 6.5 is patch the specific [issue] that was found,” he said. “However, their AIM client remains weak in terms of the design.”
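The Local Machine zone lockdown Arce refers to is a per-process Internet Explorer feature control, set in the registry, that makes MSHTML render locally sourced content in the restricted Local Machine Lockdown zone rather than the permissive Local Machine zone. The following PowerShell is an added example, not code from AOL, CoreSecurity or the article; it assumes the AIM client executable is named aim6.exe (an assumption, verify against the installed client) and that the client renders content through MSHTML, which is what makes the feature control apply.

```powershell
# Added example: enable Local Machine Zone Lockdown for one process.
# Assumption (not from the article): the AIM 6.x client binary is aim6.exe.
param(
    [string]$ProcessName = 'aim6.exe'
)

# Documented IE per-process feature control key; the value name is the
# executable name and DWORD 1 turns the lockdown on for that process.
$featureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'

function Enable-LocalMachineLockdown {
    param([string]$Exe)
    if (-not (Test-Path $featureKey)) {
        New-Item -Path $featureKey -Force | Out-Null
    }
    # Content the process loads from the Local Machine zone is now treated
    # as Local Machine Lockdown: script and ActiveX are disabled by default.
    New-ItemProperty -Path $featureKey -Name $Exe -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-LocalMachineLockdown {
    param([string]$Exe)
    $item = Get-ItemProperty -Path $featureKey -Name $Exe -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$Exe -eq 1)
}

# Requires an elevated prompt because the key lives under HKLM.
Enable-LocalMachineLockdown -Exe $ProcessName
if (Test-LocalMachineLockdown -Exe $ProcessName) {
    Write-Output "Local Machine Zone Lockdown is set for $ProcessName; restart the client to apply it."
} else {
    Write-Error "Could not verify the lockdown value for $ProcessName; check that the prompt is elevated."
}
```

The caveat a practitioner would want: this only narrows what injected script can do inside the client's HTML rendering; it does not remove the injection point Arce describes as a design weakness, and a client that does not use MSHTML is unaffected by the setting.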

Researchers have often warned that IM is gaining popularity as an attack vector. Akonix has tallied 297 malicious code attacks over IM in the first nine months of this year.

Graham Cluley, senior technology consultant at Sophos, told SCMagazineUS.com today that the flaw should be a wakeup call to system administrators about the use of IM in the workplace.

“The problem had been that AOL missed patching [the flaw] the first time around, so obviously there's been concern…but the bigger story here is, why are your users using AIM to begin with?” he said. “AOL instant messenger really should be a consumer product.”
