Researcher Aviv Raff said Sunday on his blog that AOL has patched the flaw, but attackers will find other holes in the instant messaging (IM) platform.
Raff did not release proof-of-concept (PoC) code for the flaw, saying he would refrain “until AOL will fix their client properly.”
“This is mainly because it will probably not be so hard to manipulate the PoC and find another way to inject a script, and there's a short way from this to creating a massive IM worm,” he said.
An AOL spokesperson said today that the Dulles, Va.-based web giant fixed all known AIM security issues when it issued version 6.5.
Ivan Arce, CTO of Core Security, told SCMagazineUS.com today that if enterprise employees must use AIM, they should run a less vulnerable version, switch to a compatible IM client from a third-party vendor, or apply a workaround that locks down the Local Machine zone for the AIM client process.
“What they did in [version] 6.5 is patch the specific [issue] that was found,” he said. “However, their AIM client remains weak in terms of the design.”
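The Local Machine zone lockdown workaround Arce refers to is an Internet Explorer feature control that is switched on per process through the registry, so it can be pushed to workstations with a script or Group Policy preference. The script below is an added example for this article, not code from AOL, Core Security or the researcher. It assumes the AIM 6.x client renders message content with the embedded IE engine (which is why the feature control applies) and that the client binary is named aim6.exe; both are assumptions to confirm on a test machine before deployment.

```powershell
# Added example, not from the article or from AOL/Core Security.
# Turns on the IE "FEATURE_LOCALMACHINE_LOCKDOWN" feature control for one process,
# so HTML that process renders in the Local Machine zone gets Restricted-sites-style
# permissions instead of the permissive Local Machine zone defaults.
# The registry value name must match the executable name of the process to lock down.
# Run from an elevated, 64-bit PowerShell prompt on x64 Windows (32-bit PowerShell
# would have HKLM:\SOFTWARE redirected to Wow6432Node for it).

$ProcessName = 'aim6.exe'   # ASSUMPTION: verify with: Get-Process aim* | Select-Object Name, Path

# A 32-bit client on 64-bit Windows reads the Wow6432Node view of HKLM\SOFTWARE,
# so set both; on 32-bit Windows the second key is simply unused.
$FeatureKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
)

function Enable-LocalMachineLockdown {
    param([Parameter(Mandatory)][string]$Exe)
    foreach ($Key in $FeatureKeys) {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # DWORD 1 = lockdown on for this process; 0 or a missing value = off.
        New-ItemProperty -Path $Key -Name $Exe -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-LocalMachineLockdown {
    # Reports, per key, whether the lockdown value is present and set to 1.
    param([Parameter(Mandatory)][string]$Exe)
    foreach ($Key in $FeatureKeys) {
        $Value = (Get-ItemProperty -Path $Key -Name $Exe -ErrorAction SilentlyContinue).$Exe
        [pscustomobject]@{
            Key      = $Key
            Process  = $Exe
            Enabled  = ($Value -eq 1)
        }
    }
}

Enable-LocalMachineLockdown -Exe $ProcessName
Test-LocalMachineLockdown -Exe $ProcessName | Format-Table -AutoSize
```

The client must be restarted for the feature control to take effect. Note what this does and does not buy you: it reduces what injected script can do if it lands in the Local Machine zone, but it does not remove the injection itself, which is Arce's point about the client's design. Treat it as a stopgap alongside upgrading or replacing the client, not as a fix.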
Researchers have often warned that IM is a growing attack vector. Akonix has tallied 297 malicious-code attacks over IM in the first nine months of this year.
Graham Cluley, senior technology consultant at Sophos, told SCMagazineUS.com today that the flaw should be a wakeup call to system administrators about the use of IM in the workplace.
“The problem had been that AOL missed patching [the flaw] the first time around, so obviously there's been concern…but the bigger story here is, why are your users using AIM to begin with?” he said. “AOL instant messenger really should be a consumer product.”