02 Oct 2007
Enterprise security firm Core Security Technologies has disclosed a vulnerability that could affect millions of AOL Instant Messenger users.
Attackers exploiting the vulnerability could remotely execute code on a user's machine, and exploit Internet Explorer bugs without user interaction.
Core Security has informed AOL of the problem, but warned that details of the flaw have already appeared on several bug-tracking sites.
"This vulnerability poses a significant security risk to millions of AIM users," said Iván Arce, chief technology officer at Core Security.
"We have alerted AOL to this threat and provided full technical details, but the vulnerability has emerged on several public bug-tracking websites.
"Therefore, we believe it is necessary to bring precise details about this issue to light immediately, so that AIM users and organisations can be made aware of the threat, assess their risk and take appropriate measures."
The flaw in AIM 6.1, 6.2 beta, AIM Pro and AIM Lite exposes workstations running these IM clients and their users to several immediate high-risk attacks.
All of the vulnerable AIM clients include support for enhanced message types that enable AIM users to use HTML to customise text messages with specific font formats or colours.
The vulnerable AIM clients use an embedded Internet Explorer server control to render this HTML content.
However, as this input is not checked before it is rendered, an attacker could deliver malicious HTML code as part of an instant message to directly exploit Internet Explorer bugs without user interaction.
AOL has acknowledged the problem and has urged users to upgrade to the latest version of the AIM beta client or use its web-based AIM Express service until the problem has been addressed.
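The missing input check described above can be illustrated with an allowlist filter applied to message HTML before it reaches a rendering control. This is an added example, not code from AOL or Core Security; the permitted tags and attributes are an assumed policy covering only the font and colour formatting the article mentions, and the sample inputs in the usage are constructed.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy: only text-formatting markup survives; everything else is dropped.
ALLOWED = {"b": set(), "i": set(), "u": set(), "br": set(),
           "font": {"color", "face", "size"}}
DROP_CONTENT = {"script", "style"}           # discard these elements and their text
SAFE_VALUE = re.compile(r"[#\w ,\-]{1,40}")  # colour names/hex, font names, sizes

class MessageSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return                            # unknown tag: drop the tag, keep its text
        kept = [(k, v) for k, v in attrs
                if k in ALLOWED[tag] and v is not None and SAFE_VALUE.fullmatch(v)]
        self.out.append("<" + tag + "".join(f' {k}="{escape(v)}"' for k, v in kept) + ">")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            while True:                       # close nested tags down to the match
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))     # text is always re-escaped

def sanitize(message_html):
    """Return message HTML reduced to the allowlisted formatting subset."""
    parser = MessageSanitizer()
    parser.feed(message_html)
    parser.close()
    # Close any allowlisted tags the sender left open.
    return "".join(parser.out) + "".join(f"</{t}>" for t in reversed(parser.open_tags))
```

Usage: `sanitize('<font color="#ff0000" onmouseover="x()">hi</font>')` returns `<font color="#ff0000">hi</font>`, keeping the formatting and discarding the event-handler attribute.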