America Online has finally shipped a patch for a gaping worm hole that exposed Windows computers to code execution attacks without any user action.
The vulnerability has been patched in AIM 6.5 but, inexplicably, AOL has not seen fit to issue an advisory -- or even a changelog -- to warn its millions of customers.
However, Raff pointed out that while the update does fix the specific attack vector of the vulnerability, the client still does not make use of the Local Zone lockdown.
This means that if someone finds another way to inject a script into a message, it will still be possible to execute arbitrary code remotely.
I've decided to postpone the release of my proof-of-concept, at least until AOL fixes their client properly. This is mainly because it will probably not be so hard to manipulate the PoC and find another way to inject a script, and there's a short way from this to creating a massive IM worm.
AOL users still running the standalone AIM software should apply this patch immediately.