AOL patches flaw with AIM 6.5; experts warn against corporate platform use

AOL patched a flaw allowing remote code execution when it released AOL Instant Messenger (AIM) 6.5, but researchers are still urging caution for enterprise users of the application.

CoreSecurity last month disclosed a flaw in AIM versions 6.1, 6.2 beta, AIM Pro and AIM Lite that could be exploited to launch several types of attacks, including injecting scripting code, such as JavaScript, into the messaging client on a victim's PC.

Researcher Aviv Raff said Sunday on his blog that AOL has patched the flaw, but attackers will find other holes in the instant messaging (IM) platform.

Raff did not release proof-of-concept (PoC) code for the flaw, saying he would refrain “until AOL will fix their client properly.”

“This is mainly because it will probably not be so hard to manipulate the PoC and find another way to inject a script, and there's a short way from this to creating a massive IM worm,” he said.

An AOL spokesperson said today that the Dulles, Va.-based web giant fixed all known AIM security issues when it issued version 6.5.

Ivan Arce, CoreSecurity CTO, told SCMagazineUS.com today that if enterprise employees must use AIM, they should use a less vulnerable version, a compatible IM platform from a third-party vendor, or implement workarounds calling for local machine zone lockdown.

“What they did in [version] 6.5 is patch the specific [issue] that was found,” he said. “However, their AIM client remains weak in terms of the design.”
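The "local machine zone lockdown" workaround Arce refers to is Internet Explorer's per-process feature control: a registry value under the FEATURE_LOCALMACHINE_LOCKDOWN key, named after an executable, stops content that process renders in the Local Machine zone from running script or ActiveX. The following is an added example of applying it with PowerShell; it is not code from the article, AOL or CoreSecurity, and it assumes the AIM client executable is named aim6.exe (hypothetical; confirm the name in the install directory before use).

```powershell
# Added example (not from the article, AOL or CoreSecurity): enable Internet Explorer's
# Local Machine Zone Lockdown for a third-party process that hosts the IE HTML renderer.
# Assumption: the AIM executable is aim6.exe (hypothetical; check the install directory).
$exe = 'aim6.exe'
$key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'

# The weak state is simply the absence of an entry (or a value of 0): script and ActiveX in
# content the process renders from the Local Machine zone run unrestricted.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# The hardened state: a DWORD of 1 named after the executable enables the lockdown for it.
New-ItemProperty -Path $key -Name $exe -Value 1 -PropertyType DWord -Force | Out-Null

# Verification: print the effective value for the process (expect 1).
(Get-ItemProperty -Path $key).$exe
```

Two caveats a practitioner will want: the value takes effect only for processes that embed the IE rendering engine, which is what the workaround presupposes, and on 64-bit Windows a 32-bit client reads the key under the Wow6432Node branch, so set both if in doubt. This hardens the class of attack rather than the one hole 6.5 closed, which is the point Arce is making.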

Researchers have often warned that IM is gaining popularity as an attack vector. Akonix has tallied 297 malicious code attacks for the first nine months of this year.

Graham Cluley, senior technology consultant at Sophos, told SCMagazineUS.com today that the flaw should be a wakeup call to system administrators about the use of IM in the workplace.

“The problem had been that AOL missed patching [the flaw] the first time around, so obviously there's been concern…but the bigger story here is, why are your users using AIM to begin with?” he said. “AOL instant messenger really should be a consumer product.”
