Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • PC Hardware

    AOL IM Security Hole Unplugged?

    By
    Brian Prince
    -
    September 26, 2007
    Share
    Facebook
    Twitter
    Linkedin

      A day after users of AOLs instant messaging service were advised to upgrade to address a vulnerability uncovered by Core Security Technologies, well-known security researcher Aviv Raff reports that he has found a way to defeat the patch.

      His finding, subsequently confirmed by AOL in an e-mail he received, is the latest twist in the case of a vulnerability reported to AOL by Core Security in August but publicized among security aficionados two weeks ago, before either company was ready to disclose the issue.

      The flaw in question affects AIM 6.1, 6.2 beta, AIM Pro and AIM Lite. All of the vulnerable AIM clients include support for enhanced message types that allow people to use HTML to customize text messages with specific font formats or colors. To render this HTML content, the vulnerable AIM clients use an embedded Internet Explorer server control, Core Security officials said.

      Since these clients do not properly sanitize potentially malicious content before it is rendered, an attacker could deliver malicious HTML code in a IM message to directly exploit IE bugs without user interaction or to target security configuration weaknesses in IE.

      “Ive tested the PoC [proof of concept] which I provided to AOL against the patched version,” Raff, who is based in Israel, wrote on his Web site. “While the latest beta version [ of AIM 6.5] seems to filter my PoC, Ive been able to change my code a little and successfully exploit the vulnerability again. The problem with AOLs patch is that they filter specific tags and attributes, instead of fixing the main cause of the vulnerability, which is locking down the local zone of their clients Web-browser control.”

      For AOLs part, company spokesperson Erin Gifford said on Sept. 25 that the Dulles, Va., company has resolved all of the issues presented to it by Core Security within all past, current and future versions of AIM. An e-mail posted on Raffs Web site, which he said is from AOL, states while the beta version of the newest AIM client is still vulnerable, the issue has been fixed in the version that will be released in October.

      “The safety and security of AIM users is of utmost importance to us,” she said.

      Ivan Arce, chief technology officer of Core Security, said the Boston company cant possibly test AOLs filters for every possible combination of attacks, and the bug still represents a risk.

      “The bug is still in there, so if there is direct client-to-client communications, for example, that may still be a problem,” he said. “And if for some reason the filters fail to prevent one type of attack, or they fail to work on a specific situation, the client is still vulnerable.”

      Things took an interesting turn as the company was working with AOL when the vulnerability suddenly became public two weeks ago, Arce said.

      “What happened in between is that information became publicly available in the middle of the process, so we had to speed up things with them…We saw that there was a message posted on a security mailing list talking about a security problem in AIM, and being able to inject code, HTML code, into the notification window. That was posted on Sept. 12,” he said.

      Storm worm touches down on instant messaging. Click here to read more.

      By then, Core Security was working with AOL on fixes. After some debate about whether what was posted was the same bug, it was decided that it was time to move forward and publish information about the situation, Arce said.

      Researchers at Core Labs, Core Securitys research arm, listed a number of possible attack methods—including cross-site request forgery and token/cookie manipulation using embedded HTML and the direct injection of scripting code in IE.

      To protect against potential attacks, Core Security recommends that users download a non-vulnerable version of AIM, such as Classic AIM 5.9 or the beta version of the next release 6.5.3.12, or use AOLs Web-based AIM Express service until the problem has been addressed by AOL.

      Raff advises AIM users to wait for a fix.

      “Their patched version is still vulnerable,” he said in an interview with eWEEK. “People can use alternatives like Trillian, Miranda or even Web messengers like Meebo.”

      Editors Note: This story was updated to include new information about the vulnerability.

      Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

      Brian Prince
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×