Slashdot Mirror


Despite AOL's Claim, AIM Worm Hole Still Wide Open

Clown of the month writes "There's a nasty worm hole in America Online's standalone AIM (instant messaging) software that won't be patched until the middle of October. This vulnerability, first reported to AOL by researchers at Core Security more than a month ago, is caused by the way AIM supports the rendering of HTML content via an embedded Internet Explorer server control. AOL coordinated with Core on the release of an advisory, on the understanding that the flaw was patched in the latest beta version. As security researcher Aviv Raff discovered, the underlying vulnerability was never fixed. In the demonstration, Raff simply sent an IM to trigger the launch of the calculator application. The attack scenario works without the target clicking on a link and only requires that the AIM user is logged on and accepting incoming messages."

4 of 75 comments

  1. For Mac Users: by cromar · Score: 3, Informative

    Adium is a sweet, multi-service, OSS IM client.

  2. Re:People still use AOL-supplied AIM client? by Kazrath · Score: 2, Informative

    Plenty of reasons. To name one major one:

    Many major financial & trading firms use IM clients of all breeds to interact with customers/clients/associates on a daily basis. These communications need to have specific rules enforced against them and all communications recorded for them to be compliant. Many of the third-party IM clients do not integrate correctly with software that performs the management/proxying of IM traffic within an enterprise environment or could allow access on protocols that are restricted.

  3. Re:What to do now... by Anonymous Coward · Score: 1, Informative

    deltree /Y C:\

  4. Re:What to do now... by Anonymous Coward · Score: 2, Informative

    For anything up to NT. For XP and higher, it'd be rmdir /S /Q C: