Serious Security Hole Discovered in AIM

[Jeff]

Researchers at Core Security Technologies have issued an advisory disclosing a vulnerability that could severely impact millions of registered AOL Instant Messenger (AIM) users. By exploiting this vulnerability, an attacker could remotely execute code on a user's computer and exploit Internet Explorer bugs without permission or interaction from the user.

"This vulnerability poses a significant security risk to millions of AIM users." said Iván Arce, CTO at Core Security Technologies. "Core Security has alerted AOL to this threat and has provided full technical details about the vulnerability so that they can address it in their products. Since we notified AOL, this vulnerability has emerged on several public bug-tracking websites. Therefore, we believe it is necessary to bring precise details about this issue to light immediately, so that AIM users and organizations using AIM can be made aware of the threat, assess their risk, and take the appropriate measures to ensure that they are protected."

The security flaw affects AIM 6.1, AIM Lite, AIM Pro and AIM 6.2 Beta. BigBlueBall recommends that you either downgrade to an non-vulnerable version (AIM 5.9) or upgrade to the latest beta (AIM 6.5). As an alternative, you can also use the web-based AIM Express, or a third-party web client such as Meebo.

[Jeff]

UPDATE

In a response e-mailed to InformationWeek, an AOL spokesman said its technicians are working on the problem.

"The safety and security of AIM users is of utmost importance to us," she wrote. "To that end, we quickly take the necessary steps to block malicious content from reaching our users. We have addressed the issues that Core Security has brought to us on the server side. We are comfortable with the server side fixes we have in place, but we are also working on a client fix."