AOL finally patches AIM worm hole

Summary: America Online has finally shipped a patch for a gaping worm hole that exposed Windows computers to code execution attacks without any user action.

The vulnerability has been patched in AIM 6.5 but, inexplicably, AOL has not seen fit to issue an advisory, or even a changelog entry, to warn its millions of customers.

Aviv Raff, an Israeli security researcher who has been tracking this issue closely, has tested AIM 6.5 against the known HTML and JavaScript injection vulnerabilities and confirmed that the software was no longer vulnerable.

[SEE: Despite AOL's claim, AIM worm hole still wide open]

However, while AIM 6.5 does close the specific attack vector, Raff pointed out that the client still does not make use of the Local Zone lockdown.

This means that if someone finds another way to inject a script into a message, it will still be possible to execute arbitrary code remotely.

I've decided to postpone the release of my proof-of-concept, at least until AOL fixes its client properly. This is mainly because it will probably not be so hard to manipulate the PoC and find another way to inject a script, and it is a short way from that to creating a massive IM worm.
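The injection vector Raff describes is the familiar one for any IM client that hands message text to an HTML rendering engine: attacker-controlled text is concatenated straight into markup, so a `<script>` tag or an `on*` event handler inside a message runs in the client. The following is an added illustration, not AOL's code and not Raff's proof-of-concept; the function names, the sample screen name and the hostile message body are all constructed for this example. It shows the vulnerable concatenation beside the escaped form that neutralises the vector. Note that this only closes the injection path; it does nothing about the second layer Raff is asking for, namely keeping the rendering engine out of a privileged zone so that a future injection cannot reach code execution.

```javascript
// Added example (not AIM code): why rendering IM text through an HTML
// engine invites script injection, and the minimal fix for that vector.
// All names and sample data below are hypothetical / constructed.

// Constructed sample: a buddy's screen name and a hostile message body.
const SAMPLE_SENDER = "buddy123";
const SAMPLE_MESSAGE =
  'hi <img src="x" onerror="alert(document.cookie)"><script>alert(1)</script>';

// Vulnerable renderer: untrusted text concatenated straight into markup.
// This is the pattern behind an HTML/JavaScript injection bug in a client
// that displays messages with an HTML engine.
function renderMessageVulnerable(sender, body) {
  return `<div class="im"><b>${sender}:</b> ${body}</div>`;
}

// Escape the five characters that HTML gives meaning to, so the message
// body is shown as inert text rather than parsed as markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every untrusted field is escaped before insertion.
function renderMessageSafe(sender, body) {
  return `<div class="im"><b>${escapeHtml(sender)}:</b> ${escapeHtml(body)}</div>`;
}

// Demonstration-only check: does the produced markup still contain active
// content, i.e. a real <script> tag or an on* handler attribute inside a
// real tag? Escaped output has no literal "<", so neither pattern matches.
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

console.log(containsActiveContent(renderMessageVulnerable(SAMPLE_SENDER, SAMPLE_MESSAGE))); // true
console.log(containsActiveContent(renderMessageSafe(SAMPLE_SENDER, SAMPLE_MESSAGE)));       // false
```

Escaping on output is the vector fix; a defence-in-depth design would additionally render messages in a restricted zone with scripting disabled, so that the next parser quirk or missed escape is a rendering glitch rather than remote code execution.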

AOL users still running the standalone AIM software should apply this patch immediately.

(Image by Maulleigh. CC 2.0)

Topics: Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...

