Researchers: AIM Vulnerable to Worm Attack

Wed, September 26, 2007 — IDG News Service (San Francisco Bureau) — A critical flaw in the way that the AOL's instant messaging client displays Web-based graphics could be exploited by criminals to create a self-copying worm attack, security researchers are warning.

The flaw was discovered by researchers at Core Security Technologies, which has been working with AOL over the past few weeks to patch the problem. AOL's servers are now filtering instant messaging traffic to intercept any attacks, but the company has yet to patch the underlying problem in its client software, security researchers said Tuesday.

The flaw has to do with the way the AOL Instant Messaging (AIM) software uses Internet Explorer's software to render HTML (Hypertext Markup Language) messages. By sending a maliciously encoded HTML message to an AIM user, an attacker could run unauthorized software on a victim's computer or force the IE browser to visit a maliciously encoded Web page, said Core Chief Technology Officer Ivan Arce.

This type of flaw could be exploited to create a self-replicating worm attack, according to both Core's Arce and Aviv Raff, a security researcher who on Tuesday reported that he'd discovered a related flaw in AIM. "The frightening thing about this vulnerability is that it can be easily exploited to create a massive IM worm, because it doesn't require any user interaction," Raff said via instant message.

No attacks based on these flaws have been reported.

Computer worms were front page news in 2003 and 2004 when Blaster, Sobig, and Sasser gummed up PCs around the world. And while Web-based worms have been in the news, a widespread instant messaging worm would be something new.

Arce says that the safest thing is for AIM users to either upgrade to the 6.5 beta code or to downgrade to a 5.9 version of the software, which does not support the HTML rendering capability.

But Raff offered different advice, saying that AIM 6.5 is still vulnerable to the flaw he discovered. According to him the best thing would be for AOL to "fix the underlying code," although AIM 5.9 is "probably not vulnerable to this specific vulnerability," he said.

AOL may not be planning to fix its AIM code any time soon, according to a statement provided by the company late Tuesday. "We have resolved all of the issues presented to us by Core Security within all past, current and future versions of AIM," AOL said without commenting on Raff's findings.

Users should still be concerned, however. Core's Arce said that he was worried that hackers could find ways around AOL's filters. What AOL has done is "just one portion of the solution and that's not the most effective portion," he said. "The most effective solution is to run a client that doesn't have the problem."
Loading...
Security MarketSpace
White Papers
Cost Effective Data Loss Prevention
Learn how Data Loss Prevention technologies can in fact be deployed in a cost effective manner. Learn more »
Data Loss Prevention and Enterprise Rights Management
Enterprise Management Associates highlights the complementary values of Data Loss Prevention and Enterprise Rights Management as a strategic approach to information risk control. Learn more »
Eliminate the Impact of Distance
Learn how to be prepared to adapt your environment in a way that supports distributed employees, anytime anywhere collaboration and the need for business continuity during a disaster. Learn more »
Webcasts
Why Data Loss is Increasing--and What You Can Do About It
Maximizing the Business Value of the PC Infrastructure
Reduced IT budgets have CIOs hunting for ways to maximize their PC infrastructure, while saving money and IT staff time. Diane Bryant, CIO of Intel Corp., talks with CIO magazine's Gary Beach about how her organization is addressing these challenges. Learn more »
Accelerate Your Virtual Environment
 Rapid Replication for Virtual Servers Learn more »
 
SPONSORED LINKS
 

Data Loss Prevention: A Better Way to Approach Security

Software Executives: Take Control of Your Organization's Code Quality

Delivering Secure and Reliable Data through Spreadsheet Automation

Taking the Service Desk to the Next Level

Why Data Loss is Increasing--and What You Can Do About It

Communications and Collaboration Needs at Business Organizations

Using Open Source to Deploy Web Applications

Mid-Sized Company CIO Community: infoBOOM!

Enterprise PBX Comparison Guide

Getting Value from Outdated Networking Equipment

Accenture IT Consulting: Logical meets technological. More . . .

White Paper: 8 Key Ingredients to Building an Internal Cloud

Read about virtualization and consolidation effort best practices

Building the Virtualized Enterprise with VMware Infrastructure

Top 10 Business and IT Drivers for the Wealth Management Sector

Bottom-Line Benefits of Virtualization

White Paper: The Building Blocks for Cloud Computing

Oracle's Application Grid Technical Demo

Next-Generation Application Servers and Infrastructure

Application Infrastructure at Enterprise Organizations

Achieving Business Agility with Application Grid

Learn about The Information Technology Infrastructure Library.

Achieving Pervasive Performance Management

Gartner Shares Predictions for 2009

Accenture IT Consulting: Enabling high performance. More...

Stop Application Fraud at the Source with Device Reputation

Ready to Act: 3 Recommendations for Agile Processes

Automating the Generation and Secure Distribution of Excel Reports

Seven Ways ITIL Can Help You in an Economic Downturn

Maximizing the Business Value of the PC Infrastructure

Learn how to managing client systems in the enterprise.

Cloud Computing: Read about VMware's compelling vision & set of products

Enterprise PBX Buyer's Guide

Secondary Market Primer: Your Network at Half Price

Top-line Performance that's Bottom-line Efficient

Accenture: Outsourcing for uncertain times. Click to learn more.

Learn about the VMware vSphere (TM) & Intel (R) Xeon (R) Processor 5500 Series

Learn how a virtualized enterprise can help your company reduce costs

Why Isn't Server Virtualization Saving Us More?

8 Key Ingredients to Building an Internal Cloud

Data Center Optimization: Three Key Strategies

A CIO Executive Guide: Cloud Computing Looms Big on the Horizon

Oracle WebLogic Server Technical Demo

Data Grids and Service-Oriented Architecture

Achieving the Impossible: Unlimited Application Scalability

A Middleware Foundation for Application Grid

Tips for successful virtualization management.

Smart Decisions: The Role of Key Performance Indicators

Introducing the new HP ProLiant G6 server family

Accenture: Outsourcing for Competitive Advantage. More...

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords