AOL IM Security Hole Unplugged?

Updated: Researcher Aviv Raff said he has found a way to defeat the patch that AOL issued to address an IM vulnerability.

A day after users of AOLs instant messaging service were advised to upgrade to address a vulnerability uncovered by Core Security Technologies, well-known security researcher Aviv Raff reports that he has found a way to defeat the patch.

His finding, subsequently confirmed by AOL in an e-mail he received, is the latest twist in the case of a vulnerability reported to AOL by Core Security in August but publicized among security aficionados two weeks ago, before either company was ready to disclose the issue.

The flaw in question affects AIM 6.1, 6.2 beta, AIM Pro and AIM Lite. All of the vulnerable AIM clients include support for enhanced message types that allow people to use HTML to customize text messages with specific font formats or colors. To render this HTML content, the vulnerable AIM clients use an embedded Internet Explorer server control, Core Security officials said.

Since these clients do not properly sanitize potentially malicious content before it is rendered, an attacker could deliver malicious HTML code in a IM message to directly exploit IE bugs without user interaction or to target security configuration weaknesses in IE.

"Ive tested the PoC [proof of concept] which I provided to AOL against the patched version," Raff, who is based in Israel, wrote on his Web site. "While the latest beta version [ of AIM 6.5] seems to filter my PoC, Ive been able to change my code a little and successfully exploit the vulnerability again. The problem with AOLs patch is that they filter specific tags and attributes, instead of fixing the main cause of the vulnerability, which is locking down the local zone of their clients Web-browser control."

For AOLs part, company spokesperson Erin Gifford said on Sept. 25 that the Dulles, Va., company has resolved all of the issues presented to it by Core Security within all past, current and future versions of AIM. An e-mail posted on Raffs Web site, which he said is from AOL, states while the beta version of the newest AIM client is still vulnerable, the issue has been fixed in the version that will be released in October.

"The safety and security of AIM users is of utmost importance to us," she said.

Ivan Arce, chief technology officer of Core Security, said the Boston company cant possibly test AOLs filters for every possible combination of attacks, and the bug still represents a risk.

"The bug is still in there, so if there is direct client-to-client communications, for example, that may still be a problem," he said. "And if for some reason the filters fail to prevent one type of attack, or they fail to work on a specific situation, the client is still vulnerable."

Things took an interesting turn as the company was working with AOL when the vulnerability suddenly became public two weeks ago, Arce said.

"What happened in between is that information became publicly available in the middle of the process, so we had to speed up things with them…We saw that there was a message posted on a security mailing list talking about a security problem in AIM, and being able to inject code, HTML code, into the notification window. That was posted on Sept. 12," he said.


Storm worm touches down on instant messaging. Click here to read more.

By then, Core Security was working with AOL on fixes. After some debate about whether what was posted was the same bug, it was decided that it was time to move forward and publish information about the situation, Arce said.

Researchers at Core Labs, Core Securitys research arm, listed a number of possible attack methods—including cross-site request forgery and token/cookie manipulation using embedded HTML and the direct injection of scripting code in IE.

To protect against potential attacks, Core Security recommends that users download a non-vulnerable version of AIM, such as Classic AIM 5.9 or the beta version of the next release, or use AOLs Web-based AIM Express service until the problem has been addressed by AOL.

Raff advises AIM users to wait for a fix.

"Their patched version is still vulnerable," he said in an interview with eWEEK. "People can use alternatives like Trillian, Miranda or even Web messengers like Meebo."

Editors Note: This story was updated to include new information about the vulnerability.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.