AOL finally patches AIM worm hole

Summary: America Online has finally shipped a patch for a gaping worm hole that exposed Windows computers to code execution attacks without any user action.

America Online has finally shipped a patch for a gaping worm hole that exposed Windows computers to code execution attacks without any user action.

The vulnerability has been patched with AIM 6.5 but, inexplicably, AOL has not seen fit to issue an advisory -- or changelog -- to warn its millions of customers.

Aviv Raff, an Israeli security researcher who has been tracking this issue closely, has tested AIM 6.5 against the known HTML and JavaScript injection vulnerabilities and confirmed that the software was no longer vulnerable.

[SEE: Despite AOL’s claim, AIM worm hole still wide open]

However, while it does fix the specific attack vector of the vulnerability, Raff pointed out that it still does not utilize the Local Zone lockdown.

This means that if someone finds another way to inject a script into a message, it will still be possible to execute arbitrary code remotely.

I've decided to postpone the release of my proof-of-concept, at least until AOL fixes their client properly. This is mainly because it will probably not be so hard to manipulate the PoC and find another way to inject a script, and there's a short way from this to creating a massive IM worm.

AOL users still running the standalone AIM software should apply this patch immediately.


Talkback

1 comment
  • Typical AOL product support

    Their belated so-called patch appears just about as useless as the rest of their bloated, resource-wasting software...too little, too late, and just barely enough to say they "fixed" it...
    jaybyrd