America Online continues to have problems securing its widely deployed AIM instant messaging service.
According to Ryan Singel at Wired News, AOL shipped a silent, server-level patch on Monday night to fix a gaping hole that allowed hackers to gain complete control of any PC running the latest version of AIM.
"It's a pretty big hole. You don't even have to click anything," says Michael Evanchik, the researcher who discovered the flaw.
America Online has spent the last few months struggling to issue a comprehensive fix for a similar bug that exposed fully patched versions of AIM to a nasty worm attack.
In September, researcher Aviv Raff demonstrated the issue for me by launching the calculator application via a sent message (see screenshot below).
At the time, AOL claimed the issue was fixed, but Raff says a minor tweak of the exploit bypassed AOL's server-side filtering.
From Singel's Wired piece:
The AIM 6.5 client remains vulnerable to the same fundamental weakness, potentially allowing malicious hackers to create a worm that infects thousands of users in a matter of hours.
"Instead of locking down the AIM client, they add filters in the server," says Aviv Raff, the security researcher who reported the original remote exploit in September, and who analyzed the newest attack for Wired News. "Filtering in the server will never be enough. It's like a cat and mouse game."