
September 26, 2007

Security firm warns of AIM vulnerability risk

By Ruben Francia





Core Security Technologies has issued an advisory about the existence of a security hole in AOL’s instant-messaging program which could allow hackers to gain control over a victim’s computer.

“Specifically, an attacker could remotely execute code on a user’s computer and exploit Internet Explorer bugs without user interaction,” Iván Arce, Core’s chief technology officer, told P2Pnet.

The security hole arose because some versions of the IM client, when they need to render pictographic “emoticons”, give full access to all of Internet Explorer’s functions, including its ability to carry out programming commands and direct a computer to Web sites. An attacker could therefore directly control a victim’s computer by embedding certain commands for IE in an IM session.

The critical flaw was discovered by security researchers at Core Security Technologies last month, but the security firm said that efforts to repair the problem haven’t gone far enough.

AOL contends the problem has been fixed. AOL spokeswoman Erin Gifford told AP that her company has resolved the issues raised by Core Security. AOL’s servers are now filtering instant messaging traffic to intercept any attacks. AIM users should consider themselves “completely safe,” Gifford said.

But experts argue that the filtering mechanism doesn’t eliminate the security hole. Arce said the vulnerability can still be manipulated.

“That filtering mechanism, it doesn’t remove the bug from the IM client. It just prevents people from exploiting it. If someone finds a way to bypass the filter, the problem still exists,” he said. The filtering approach also wouldn’t save AIM users who “direct connect” with other IMers to share files, a process that skips AOL servers.

The flaw exists in AIM 6.1 and 6.2 beta, AIM Pro and AIM Lite. The problem, however, does not crop up in AIM 5.9, AIM 6.5 or Web-based AIM Express.

Arce advised users to stay away from the affected versions until a patch arrives.
