AOL finally patches AIM worm hole

America Online has finally shipped a patch for a gaping worm hole that exposed Windows computers to code execution attacks without any user action.

The vulnerability has been patched with AIM 6.5 but, inexplicably, AOL has not seen it fit to issue an advisory -- or changelog -- to warn its millions of customers.

Aviv Raff, an Israeli security researcher who has been tracking this issue closely, has tested AIM 6.5 against the known HTML and JavaScript injection vulnerabilities and confirmed that the software was no longer vulnerable.

[SEE: Despite AOL’s claim, AIM worm hole still wide open ]

However, while it does fix the specific attack vector of the vulnerability, Raff pointed out that it still does not utilize the Local Zone lockdown.

This means that if someone will found another way to inject a script to a message, it will still be possible to execute arbitrary code from remote.

I've decided to postpone the release of my proof-of-concept, at least until AOL will fix their client properly. This is mainly because it will probably not be so hard to manipulate the PoC and find another way to inject a script, and there's a short way from this to creating a massive IM worm.

AOL users still running the standalone AIM software should apply this patch immediately.

(AOL aol america online. Image by Maulleigh. CC 2.0)